Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-xw9zcsyhpm
Target RNSM00316.7z
SHA256 d233e6ce1a8b032074889e47871003f4b0afe4ca10484a79b970e750172d1370
Tags
bootkit credential_access discovery persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d233e6ce1a8b032074889e47871003f4b0afe4ca10484a79b970e750172d1370

Threat Level: Known bad

The file RNSM00316.7z was found to be: Known bad.

Malicious Activity Summary

bootkit credential_access discovery persistence ransomware spyware stealer upx

Renames multiple (804) files with added filename extension

Renames multiple (233) files with added filename extension

Renames multiple (728) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

UPX packed file

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Runs net.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 19:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 19:13

Reported

2024-11-12 19:15

Platform

win7-20240903-en

Max time kernel

77s

Max time network

92s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00316.7z"

Signatures

Renames multiple (233) files with added filename extension

ransomware

Renames multiple (728) files with added filename extension

ransomware

Renames multiple (804) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00316\HEUR-Trojan-Ransom.Win32.Generic-208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\khpjmtzi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\782C.tmp\nRansom.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe = "C:\\Users\\Admin\\Desktop\\00316\\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe" C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe" C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Local Settings\\Application Data\\khpjmtzi.exe" C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\app = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winupdate.exe" C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\appAppData = "C:\\Users\\Admin\\AppData\\Roaming\\winupdate.exe" C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe N/A

Drops desktop.ini file(s)


Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe N/A

UPX packed file

upx

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\4.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\5.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\6.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\x.bat C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\Öж¾ÉùÃ÷.txt C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\1.bat C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\1.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\7.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\12.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\ÍõÕßÈÙÒ«Ë¢µãȯ.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\2.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
File created C:\Windows\3.vbs C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\782C.tmp\nRansom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\khpjmtzi.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\782C.tmp\nRansom.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\HEUR-Trojan-Ransom.Win32.Generic-208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145.exe
PID 2800 wrote to memory of 1416 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe
PID 2800 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe
PID 2800 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe
PID 2800 wrote to memory of 1232 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe
PID 2800 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe
PID 2800 wrote to memory of 852 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe
PID 2800 wrote to memory of 2920 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe
PID 2800 wrote to memory of 540 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe
PID 2800 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe
PID 2800 wrote to memory of 2364 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe
PID 852 wrote to memory of 3056 N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe C:\Users\Admin\Local Settings\Application Data\khpjmtzi.exe
PID 1416 wrote to memory of 2196 N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2008 N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe C:\Windows\SysWOW64\WScript.exe
PID 2196 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\782C.tmp\nRansom.exe
PID 2364 wrote to memory of 3676 N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe C:\Windows\SysWOW64\taskkill.exe
PID 2364 wrote to memory of 3692 N/A C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00316.7z"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\00316\HEUR-Trojan-Ransom.Win32.Generic-208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145.exe

HEUR-Trojan-Ransom.Win32.Generic-208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe

Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe

Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe

Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe

Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe

Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe

Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe

Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe

Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe

Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe

Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe

C:\Users\Admin\Local Settings\Application Data\khpjmtzi.exe

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe -d

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\782C.tmp\782D.bat C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\00316\AutoRunApp.vbs"

C:\Users\Admin\AppData\Local\Temp\782C.tmp\nRansom.exe

nRansom.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /T /PID 1748

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /T /PID 1232

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /T /PID 2920

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\ÍõÕßÈÙÒ«Ë¢µãȯ.vbs"

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe

Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /T /PID 1748

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /T /PID 1232

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /T /PID 2920

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c 7.vbs

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\7.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c x.bat

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c 1.bat

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c Öж¾ÉùÃ÷.txt

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /im explorer.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\net.exe

net user Admin 32796679

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin 32796679

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Öж¾ÉùÃ÷.txt

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 352

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jzhzusi\5jzhzusi.cmdline"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\1.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\2.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\3.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\4.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\5.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /t

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\1.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
NL 185.82.202.183:443 tcp

Files

memory/2632-22-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2632-23-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2632-24-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\Desktop\00316\HEUR-Trojan-Ransom.Win32.Generic-208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145.exe

MD5 c35506bd3fedad57e7f1ea975ebcaec5
SHA1 0977676ae8c8716824a13037c7eb4c7b95c58ae7
SHA256 208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145
SHA512 adbc0991a10ce0fd293f3706583f44bd0805a97e10e45da896bcb2eb3cbc507eaeb711f2ff98df941d12aba9804fccc5c6a1948991fd278736360acd9b411b51

memory/2376-60-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Ducry.f-8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363.exe

MD5 0097a8f504424a0563f837685794d7ff
SHA1 11d32b0bc5c32c08ddc88dd0c8668b5578544b39
SHA256 8988f592efb88b4998b54c9736898339811bda3578b27e0a4a03ed9a4c5ca363
SHA512 412418f9fe6307896ce331773140fe6c8133110533fbc14ccd2741c4c1faade158fe4c0c2f728f4d106417dbbd73d82ad5ae17bab8b8f3ef4f6c8ec490401d65

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.mt-9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3.exe

MD5 e815dba500b505fc995baa743d764efb
SHA1 0cd87365223f4d3479d49fc5902c67159a2309b1
SHA256 9346ad80694b73c5b680b825567f0550f5c7d6a61e39a9a09b481ea524a82fa3
SHA512 69bcfb547e5d2ba4e333fd0c2bab590b7c1a2b5b752d3431da4e14ad35766c754802741ca780b80367df3c5ec274496d92e980c43ffab601cae03b22951139f5

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nopd-c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd.exe

MD5 78f171f62d5f886dde30b09fa2c4d371
SHA1 064d4739d10d351ef3fb50263e8e5d1eeb34055a
SHA256 c04702a87c6cfd41c348911773e15bf45a7ed357faad1decfcc5f07c43f406bd
SHA512 6b31c50000da18c5f809fd882dd040037bbe73432de43613409ed0c9ddcf817a87b48e5c7541660b39bd8a6b8f9ef16b672766a1edc8ae6537645e1864d18dc6

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xic-941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5.exe

MD5 b411c591ce52767541990585dfc460bc
SHA1 d931030a12a2b517df88fef43141600bd8986a3c
SHA256 941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5
SHA512 6d76f90be6a46fdc676022cc40038df64a95da98ded25f883afb372c7454b5e4fdaa91b181a00ba51cdacdf0d25e7f8205fc14e2c880cc220f4dc1a995e25578

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Crypmodadv.xln-91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339.exe

MD5 a19e4f52dc89cc8a5ae5a29d01cd4746
SHA1 33bb6549e41d002128c607723e89449bdfd91106
SHA256 91b62961636993e37335a6119203528f2e4fa5ccc9085bf437ca0a2d8c008339
SHA512 4020833ad207f74da0dad05dec6d9bbddc519a4ebabb298aed64cbea456c73776b7092d5954bf9b0b53fdf24797843cc2cfb789887e59f54422b1f1221db9f45

C:\Users\Admin\Desktop\00316\Trojan-Ransom.NSIS.MyxaH.ryb-28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c.exe

MD5 92967c987466f07d57c5a91c7ccf41b9
SHA1 79e8fc24deb95dd9c0939a56b87c8f5cc09c278b
SHA256 28518edc043e6479237426cd0fbb6d5aa1ef08900ea953e64385446c9fe5b79c
SHA512 e09ae2b1e98ca717c3dbbb0c6f099bdb2e1f9e9a645fb03e1a6b00c740f81bf96e667dd63b3eb2715fa3b7d3b3328358e101f8e7a863e95b805852d2a4163958

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Agent.abjr-b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f.exe

MD5 66a5f61f37f3591291b3e722e38f7541
SHA1 50e2cda0a2ca8e60358f5dd3892d0c36f383f919
SHA256 b2ec72de3543060f0f3af322c4f1caf2d65fa8ff56b5a93a5e8fa59c191d178f
SHA512 2428bcfac5e6ca5679ecc843faab346a1f7f6105543ea60422b86932365c0eb543d608349816947d4db1b1d09fa256b9d28912ec68bbef34683bf6f77096a85f

C:\Users\Admin\Desktop\00316\Trojan-Ransom.MSIL.Blocker.ah-c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5.exe

MD5 9a60890fc062d10d826c31d049706ab7
SHA1 3ae8d97461fb08c4327431c0589322e3cbb1e3de
SHA256 c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5
SHA512 03de8351ab6ab1e46c4f1792f4caeeaaee4b8a18b407839c1697890032aa813cae9174e1a27cb582ef5286be0b47d23966a71e0b740feb6b1814137b779fcdcc

memory/3064-87-0x00000000002F0000-0x0000000000312000-memory.dmp

memory/540-86-0x0000000000400000-0x00000000005D1000-memory.dmp

memory/852-73-0x0000000000400000-0x0000000000441000-memory.dmp

\Users\Admin\AppData\Local\Temp\nse788B.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Foreign.nzuo-5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e.exe

MD5 63316b248c6223c9af780f6702462e72
SHA1 61bbdbe9cc7e769bc6f9487f8e6ce43bb3235191
SHA256 5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e
SHA512 bac1fb7c51a388e28946fef08805cf212393a7297b7808cb72e57eb1be6f3d18eb6825f177e149c2508116c9822935401b1e30227e25678baad75141f604bfd2

C:\Users\Admin\Desktop\00316\Trojan-Ransom.Win32.Purgen.pn-9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76.exe

MD5 9e9b17ab9b1fec080ea3e9571ea8a226
SHA1 d3bd6921aef95925b9566dcb0192e428218c941d
SHA256 9f2fc39542f8e995ce8bb63c20f861ff24a8f5dfe87681f940464e5df6213b76
SHA512 c867a51d986811d41b9fff00b4152c1ac215a2efebe83c7d49ad94d073fc054353ec260a4962f88e2759ce8ca3d092df7b510bcfcc57c824e9c22eba86c8d6ba

\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr

MD5 301768e001d4db20f9a029ee835150f3
SHA1 7b10cb57e513687c8a89f180c2b3eb8aaace620e
SHA256 3e0651844de3362ab64883fe80a04757080ebc9167e665a7cfeebd741a0b193a
SHA512 ab9342585a56ed4075c5df0c7d38a0dc546c9f1bd821c70fd215b0923856c805ed00d54400e43fe9bd3ca49c63c68578a78152e2a397a6d32cf1b242c97c6f71

memory/852-84-0x0000000000400000-0x0000000000441000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso7B87.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

memory/2376-113-0x0000000002E70000-0x0000000002E8C000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N60005\EThread.fne

MD5 206396257b97bd275a90ce6c2c0c37fd
SHA1 3cae4506a033cf7e97156d5261f2a247c6270f42
SHA256 64eef86745d7ae0168fec357099e2e952ce74ee19576d06cc8c8c65f210cc22c
SHA512 4c23e52b5b23b305c3172e01dd205e15fda8f20f8b60776ba59d080bf05bbbca456a0ed232f2e2a2bf01d32efb913063f89fb4928bc4d5d1c1eb4c4979803455

C:\ProgramData\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\782C.tmp\782D.bat

MD5 47135f10b1e0f478a8a64cae518619b6
SHA1 bd520aa0b4937f707ea0881232fe1cf10faf2de7
SHA256 5f49ad7e1ca7bc4cb2c94fb89e79ac4a993a27852d150fe22e3d8b6c6172389f
SHA512 5deed2302097e5be3f1f157480e87bcc0e61939d2215b6fc46b32fd80651a33b35e64b19e613f92964b1cc6f079aafd51af240ee9115a88693b8c344723140ff

C:\Users\Admin\AppData\Local\Temp\782C.tmp\nRansom.exe

MD5 773776263762568ed199228579fe4a54
SHA1 43986aaefd50cd2006a027939947e34e0633e60a
SHA256 9e4f9175ef942d0e84f7f9c64dc89505c4c8ffb20787513e02b4eaaf502f5ec4
SHA512 77956d7b18a1435dcbf837d9924d6fd9733d825811c134c3b5806813a32f127b9b1b67abb729a7dbbcce399e3e2cf099e4ce95b95e9e9fdfc106a662679bedce

memory/1964-121-0x0000000000CD0000-0x0000000000D06000-memory.dmp

F:\$RECYCLE.BIN

MD5 dcb6fbedbe262e28f158d2512d6acb47
SHA1 8c6f355db0e400df6ddbf52efb6d7602658d9d6c
SHA256 79ba5f0cf23709407caa8a45ed71c283a53453eb92f9704b08ff094251bd3469
SHA512 aa28b1278e88ce5d3b4029b00983ab87e24f8b2609553715cce5f9ac574766abdfecd17abb168d5b38b5f4abf09327d6f62066ac77fcc6b9e56d103cbe8bb1f4

F:\cz.txt

MD5 7f77da97b5241f3c97b53cacf1069c7d
SHA1 de270f266340ad78ff9e9ac170e02f0826894f03
SHA256 16dfa3b1f0521467079738a73ddd18490db5019b1c0405377a969e2c3c5faab0
SHA512 538500a001e842910edce90c6be836854c248b67047b5b3703fa3a316446810c6e2f8b3bdbce03155932c59a6e6d9636a8174bd2a9d38a1dbb71cec39a2907c4

C:\Users\Admin\AppData\Local\Google

MD5 c7aa675c31e640d584a9c6a305911fcb
SHA1 8f9a068f7aba117a6166f882d46310abe8c027fe
SHA256 62509317fe1cbbbea345601645287d62b005e63c8f83ec7be8c9e1e4ee931b78
SHA512 e6d5e6115bc56d214de305e568e1047f3ab2b87cfa167eff861dc0c6155047ab1f3d3c186a2a4598a2bd9550b73867779efb421c351f0c94165de48b9dfdb4d3

C:\Users\Admin\AppData\Local\Application Data

MD5 7baebad3934b2bfce168b17687a64c95
SHA1 3c7ec47364414cf568983929ab7b5427710315ba
SHA256 da651f17a4d1475c4d114f639a4e4f8a6010e63816cff75ab11014602950ebca
SHA512 d6700109cfe042c0592882a47300b09fa843eca34a19c2fd5c0c5592fd1092d22fd09cc92caa282c37b9ccd34c7969b66c56b403999c55bd9f9d0746bd858f23

C:\Users\Admin\AppData\Local\Adobe

MD5 b9b8224f66d458c4f96e667470d4286e
SHA1 742c7a97ff45771698ec5e35934f0a76c2a1e9a1
SHA256 fba375632a16a86f36ed0e8eec5cf2ffa67666c4b82a68065b3293fb90116cd3
SHA512 158e64dbe6591c6df9358e500882ea21b32b3604b708e9d49c0f278ab84eea130b62bab8646b36ab5c6304393480cf247810eb2a5bef2e62af955c22e5e3feaa

C:\Users\Admin\AppData\Local\IconCache.db

MD5 d1d1b73353f01351f46dd940da43f24a
SHA1 f3ae7cc874b3673099c05df059e22d7118e52572
SHA256 30a29892f1dc14f2696af6c01b99db78c829ba780e45ea12ea5de6b4110883fd
SHA512 992a269e5049a2c6f3b55000b94bd76ab99f0ef5b0ce7dfbc0faebf82cd93b0c30f68cbe804ccf1bd5cc7bbb3ce436863cc2bbec3b99921102f1b2608f9f2e92

C:\Users\Admin\deployment.properties

MD5 e18be81700b5c63a9259ce8d1725d296
SHA1 2e6934a5703b0ab887d39e4adc6930c9123c21ac
SHA256 768c8959fae46dfb3afaf2f25297abd407a6dd0d9261d5ab5811b775097b6035
SHA512 51b20648333f466bf34c1ce6edafcef82d2cb085c617917e936e7cb852d3ff8a724c6332ee0aae5b36ea460ffe5e8991889045f8a2d57a91d9f09f6930e83233

memory/2376-123-0x0000000002E90000-0x0000000002EBE000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N60005\dp1.fne

MD5 07201b1fd5f8925dd49a4556ac3b5bab
SHA1 a76afbb44376912f823f2b461507c28d2585a96c
SHA256 abebbb0981d3d51eb63abcfa68be98da0cae4e6e3b143dd431fc845d1457dbd2
SHA512 0cf673ce1b6cad38f0211231e876f00f6a8397a5f3e71680046f4a216bbe0f47f4541e5f5b49364310e41a04cce14703459725c3d9f052f9da13624e73753e12

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer

MD5 0dbfdb10467f62f3294c2822d05c6146
SHA1 c65fc7e6d4ce850e7216ecfe99b09d5d787cdb28
SHA256 e1116b73ebac5406fff267d81142c6d39473cf87a95d60f3d90d578916337de5
SHA512 817107b98ea63ea4af94ec3342be86b06d2406c206ba6ccc9e74510b6e32cf302d9b9606af24be7c3b90b5cd881922c68d88881088bdcb9bd411a8b6aa71b420

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache

MD5 0a66985181605d479b233cd94f4e529d
SHA1 2421c6e5a3dfb6d2247512a336a5dfccdf26ddfe
SHA256 047260c8433e02f97967d01c2dc475575644e9b64133a0facc85bbc1d8e5f0e8
SHA512 a5796137a5482ccfc9a3e7ff54e7d3bdba5748f1fb2d58e6fc63ccac6bdbca3c028a84df1f7ca8c5cd1dd3893bbdc4aacc0d8e295d591ece32ecc878fce58275

C:\Users\Admin\AppData\Local\Microsoft\Feeds

MD5 dfe862e0e4d2a1ff20cf74810bf8c2f7
SHA1 f38a64cdf904a91814636626d62e3e77a7e73100
SHA256 73e9bd704d13b4cd0e0390653f4acbdcbea83d8c6bba64e1be1ecd71819d39bd
SHA512 0960180a99d55a1e146a56cd6cc82f48f2142837a362beaac12f98a6ce6a076f0538e0bd037b7110bda5c8343e14fe848308d427c89fa5641546e58bf5911396

C:\Users\Admin\AppData\Local\Microsoft\Credentials

MD5 ce7091feba526b3472f42a1526e132cd
SHA1 23d8b28f15b6d7b04711fac323c0e1ac1c68b8f2
SHA256 8b268579e9bbefaf83a128accb12bcb064a8d76ee2d18fce0db0301af08018b4
SHA512 b3b07004ae5b7919d9acd20751d921e8706fad22a88b398e40fc553bff1bc7855c9a6e855816e0d92e6f96071c51d312ac20d8da1f8b799161910a1822f57769

C:\Users\Admin\AppData\Local\Temp\RGI14C9.tmp-tmp

MD5 0b39c6a4149515f29471551f31024942
SHA1 000c31fa6d616e1afbb6ed384b43e932c15853a4
SHA256 217b7fe9b191fc8cfe2735568b82173cd4d7288c8ca7fc2931073a20b9f45a3c
SHA512 19c04652467e71bd08f28b4c0dae75c8ad5837afb8ef2abaf7b0341fb12c9d6751d030c4ec8360feb5ff1758451a0d36c002634d213eca94d9431bcf044f8866

C:\Users\Admin\AppData\Local\Temp\RGI14C9.tmp

MD5 a72050bcb127dedd37548b76c3b55edb
SHA1 16dd05171ce777b64c5dbff20c8434c79106b5b8
SHA256 4ad94a4a0bb60ca1867837e20fadd15a7c5466a01a345e5fa0f895040769bb25
SHA512 da9c13188a876e7ef892055b3f20501a923ccf27bf59318aa9c1f04fc0c69f2c57b5561c7a96d6e07fb7ecdfea1aa585c258a42609c64c4a19694614d63089aa

C:\Users\Admin\AppData\Local\Temp\RD2B92.tmp

MD5 01764439416fc1c5b54b91e458eedf2f
SHA1 517b48bce61cf9782cc6f710aa060a23a9fff14d
SHA256 505b976e30b9b0ce6983f86dc21ad963e524b664d0d514050fb5e58e2593e4e0
SHA512 90712b96457230800a1fcffb1f9ee5f5f00063ba09aee1305fd46b389c93af61a802d6c858738b0b1d45b8e9ce7c3ea18d069cbe4e3d9fecc459754205aa6938

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051511232.html

MD5 1799941cc46de9869e908787dda894ab
SHA1 a330f0393812950b4a5172f9126945d9546f7ccc
SHA256 a7f965eadf108f4539b353ed09337b88d40ff4bfc9b7ca52b7a10e74daae3b9a
SHA512 90773d93a4620643736d15abea251354db2e947d63ec9c52b8e19d68b71dcc14bab6ef01a62e40d8e3822aef575a09f2027d7417d8b5245e586884e7f3db6fe0

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051511232-MSI_netfx_Full_x64.msi.txt

MD5 12f6502263187542e3175e59aa1f764f
SHA1 c69137b34c5d6bede505b2af444129b1097df2d8
SHA256 ddda09b686d873cc28e716fd3a336e51cf8861a99b5827acc621d022380f6794
SHA512 3af01d671376af0c3182343131757f65dc5d33043f641aacf46ef8133ec8ec9fe13d45b9b2ed1674d53b36dd472c25af22c91975822e8a136c193a81dc3d9769

C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052900-0.log

MD5 ad23aea1ed414aa03e7f45c81adbed7f
SHA1 81c7c8242aac54a8c86c21bf0cb55d1057479f88
SHA256 865d030cc883028a6198517acd04c86f94563c0959fce2c37f97c4e558045c3d
SHA512 9e6827ba57d7de65a6d6e5c4c5a80312104829819dea300d3fd07bdde44263efaf05711d3fc8f0b4ad2cd80cab8df5e281aba566794788260f7b1fc131eee4c5

C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052731-0.log

MD5 4afced3eb96d30c8e2b196d8e0d83185
SHA1 27758ec6fc43590bae9e94d60ec26777e9c694d6
SHA256 c5f16939fa6fe6f560083d551e23eb564e8b81cca2b1a235f5269e9b2c471820
SHA512 f628a61f41bf6cb9895be1dc37053d1bf2407cd5516f8eed451be11caca525d259f7ab76aedfd57914f538cd8a7d2342394bbd9fb289ffb67849fa46624c29d7

C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052555-0.log

MD5 092a9c5ffc419deb6fc52e1439c15663
SHA1 6d417b6fb917a8d5e7b1bbb0382523c208aaeca7
SHA256 6a947daf1b239dd02f70bc00a236f1f6e302fd7e9f3ccd94fe93baa457c9602c
SHA512 f6b7497d27c94a5ce6192e7de2e6c4e1a728bd6b6d308923c2fbb77ec78f9bfa40bc84416e4ada4dd1d0ebc0e397da222ee3d39d858b8c7602692c53f0df69b9

C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052430-0.log

MD5 48fafa88268fe232c6849bcac3053eb1
SHA1 cf854b5acb62ef8a4687f7aff1f9f2dc0a625b0d
SHA256 94be924b4590fa92e80d809746f038751512204723662b443ba29142e16c3c4a
SHA512 3f4e58717f6c380e289294095ad357876833ee14b5918ac47bb2386d603bb6d204f65fd03f16000ad690c737a46ddcd0cbd0438e366ea1a4ed92ff03a12a7ef4

C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052254-0.log

MD5 e6a4a869db3915660ff2fbf2c8a4d0c2
SHA1 3559f29f7de99d68484f71d02e27e191267cebab
SHA256 1bcc1fbec8a77d13b16aa65b62ca220e69a0c910f4830f236411d22d03a38d1c
SHA512 374479131dc19fd806c0862bbd72259c4d7ac6659a002ba894ea64d9d343476da3b9d1d06655e7ae8d31fc043f015ecdf97334c569ede33cec452e16fe12565a

C:\Users\Admin\AppData\Local\Temp\Kno8E59.tmp

MD5 d190da43be7667ef903792783a3e41cb
SHA1 66f10a8306550bb71504611d08313eae7ea61a62
SHA256 512658d5a6b83c433bb2f6ed5a872705aab86343fe7e3118fe447643a375b542
SHA512 b664b68e3336a6883251650397b73b20c9cca96374163fe33623b279ad6d7653b04e1566e084a044b15c8085e27fd13de6f379e16f7ed18fd42f9c85bfc0c363

C:\Users\Admin\AppData\Local\Temp\Kno51BA.tmp

MD5 3c72e6f5fa9a33b818fda60303ce4841
SHA1 a7854312290e318688bf231d54507376e5d854c0
SHA256 35b8f9e15c4be9944e4887a96741ac052e164302762f5189aac425398925d2c7
SHA512 805ee80a5f157e9aa4e6a80ef05b3d8499de2a339c7f60891b9c10aad9174c4c12baa5e7ebd95562b99f42a08df1d99ed10146efa73a7e6eead89a16c9475fe3

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 ea0fcf560518a029b08106c53d711ef5
SHA1 1674f7ca7f00967440ae5e815f56ee102ec00860
SHA256 12811b5b0f0fc2d7c51a75342d2e5f1ca8b04cb2ebae190c7200a829eb4af4c5
SHA512 026a6326af977226620982366de95f03bf4d8df3b82f2c31235536f21e17018818dd8b9a87ba79826930f1621bf4dfc1be12770fb9c09cb555172bda1cc8d796

C:\Users\Admin\AppData\Local\Temp\jawshtml.html

MD5 4c59a28df2aca1e85090053058fff4cd
SHA1 00b01515c2106dcefa7632eb44b3441726c6fd24
SHA256 7e18a45a9ae725486583319616a1034cc0c40c7bab36d9d320bc160f283b4039
SHA512 3917bf402919282b838443286244310407332ffbc0611e092c3b2230e0876297a83019363d4bacf5468735cd2cfce4887660b25d24812c9d3cd4f1abecc9ee17

C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

MD5 d379a17852066dd2aa2832d9b78f854d
SHA1 24f36ad80bd0c670aa2c65962d3c04c98254514e
SHA256 64ae46cc906a199a6e4e630f97497b10b23aa23c558f07735f4bd319a542e377
SHA512 07a323a34335a09e98d8dc104519af5840101ced3e75e447f5c0641c951b12a6458e55be71aa0a9b72f0ccea67b801987253d8cda52e28baf21553e0a578cb9f

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 e62f93eb639cc7c69906ed1bf57dc508
SHA1 701dafe2102fe2c154426cfc7f136647a48709a9
SHA256 3f2ef98283d7f402de5f154b002b04e45e4cef1e78d203919453beb55d40b1bc
SHA512 a2aeacf2c15b6ca35cbc79102199555f9e0620478bb05131e600b844a1d2e24184a83cb203f0a010129fd315e491cd1ee28c879fedd14f6dac673e0dac5a5775

C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

MD5 6d57c7725c246a96ae4348c98ac54844
SHA1 87a3fe173bc4ccb96b463e75f05382810c274468
SHA256 be7efa085cf96c9a0d5752e3de25e43f8701d47d32dbf0c2b5fd51233c8c191d
SHA512 fffc2d9404b093d3c0e6c9d888a6d179e4fd6b99ad3b15bb96b1e7485376dde5a14cb2635a6ff8604cebf40cdcc4f6a5da22694658fff93452026149e9c6971c

C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051522_760.txt

MD5 5e71f63a95026e0b6fe9864fb9dd0ec5
SHA1 7628482776b89b64e1ddc65188c07bb51b1ce0c1
SHA256 241c6bdb16b983048d002bab7f1399c980e8f87465ae7336e1a9e4184c63a083
SHA512 e1a9c5d3e0477aaf3b6af0eb5e218064fdd8c05852185b3f54067c9d4d83a562163ce9170abccce9e51d6c0a2d9644859bc3bd7ec0c0928e1088004dd07acffd

C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051522_401.txt

MD5 d8c738e9c284d9ea996480856039d5cc
SHA1 755d0b01a3e19e89a2b7e6e9fbeea12efab027a3
SHA256 b27583f1a2379e703e169235877cf6143f16d106e63fac173c64e7bf6380c34d
SHA512 3bfc8a7d926dbad4ad13e0ba004e6a9341b0f58cbd4fee306c4bd4d82692f2b2f27f9f500a1ec96671fcab8488a1ac261b860cd62dceb87a4dffe969bc4b83b5

C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1E19.txt

MD5 4953d186b233eb9e3e2e5367a73ebe30
SHA1 8a79370aa6e833713386c1a6c4f4b494d6b6e1e9
SHA256 47aa222c933a5098b5373e59ec60ec8e3fbfb8d9945c5974d707095afdc5ada3
SHA512 62cb4c123800b7f54a2bb2d6373ece8211371837a1446afba278d2d928c5268530a9ac12f04b8bfed85de2fd67a0c3ab28eae4a366a36a2a0cd8bb2b02599693

C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1DE2.txt

MD5 3163aebc90f9bc3abe77f187511377d2
SHA1 a6ce0d18bf3719642e534d44cbc67d67c0284843
SHA256 4102718bb160ff777c5ba02a4f5bd1e3a5fa4fc51e6fa176e13090c87364a23f
SHA512 dab30c923fee9dad8e2c28680c14fa66f2d791c0872b86013b00bd9b092f1b5c1b11011a8ce140bfa59edfb3b314c7bd6d3334d1f600c7f21acd2a84c852e0a9

C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E19.txt

MD5 1e2fcb91f3af39f6b8a3a3c068959098
SHA1 212f02bfe63c8c91f27007b001be14c5a9193b59
SHA256 09b25975af26a8bd3ac621e45753861ba3a44c9bfd7584f233795d57724ddb86
SHA512 1bf8281c55c7e08192acdd690a7aa1de59c3207a1e58b1fdb9395829a8d4cd2328b775d45430577759ce65ef19e977923fcf43cf8dddb9905d1b6c61636856be

C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1DE2.txt

MD5 390cc05c87c761714f4361c413abc05c
SHA1 d13e028eb7cb4d0166a34fc4cc671f62fe5b9f87
SHA256 66d8a28ba2343122d365357c4e2efc9ee568147c13b597230ca3650d332d68e7
SHA512 16ea5538b1aacb39497cb83b3635d20e1a2303f7615ea217935f3afc0a2aad24bb7e6e37f149e3f434de8a1a0bec76109c8f2f2d989967060837613fadfba8e4

C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt

MD5 36097c1c21470b4e60fee14dbeb42c33
SHA1 55851d08107057078724a57e7c608d2a52fd57a9
SHA256 6d586f6c2148f5e00c7f41e960906d8f3dafa3dbba3c29fb591400631099de05
SHA512 8fee07985f2409e4b39ea581d60e6622c25c6c99823e48f51b9802c663a88d6d447d2dd641162c8ca4f5f529a118de83fcdc9b23426afaba4694fc7431441a3d

C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

MD5 fb545e94e9d9a118a1efddfef5ef2fe6
SHA1 c8aa41e5643ee0d4507103c0710576212ca9d6c7
SHA256 e2626146f26504cab15f98295f2b8b854dd2fc6b9799a75082ab630c1524c557
SHA512 403b43596a07bfc9b5fc6cfe9f3f932989b564aab81ff0c61c9d8dc2e1e527658834c202cf0d05be082469c83981783de3fa9cae0e6be9b152c2274c8bf51c90

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 b8a247eb7647f9c494dad111b106c1ea
SHA1 b42324d1f6280f981226e6ccf5fe1b764e95edb2
SHA256 aa93ec93b2d192cf5b6e5a1574a0abf2f5ff13130216041e122046c801681ac7
SHA512 70df170fff131bbd7b80deb64e08803610a4be59191a481c188d5cdcbd60f3a9deacedb4e8d8b2cd5a6b7fc0b7e48d189f8c3ca5fa7e956d9940dfe6fdb8f06d

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

MD5 8c92622d69355178555ea8c14f3082fd
SHA1 e1faedba4282507ef64968589507cdfe6913daef
SHA256 f1e4e45fef1780d76faec8b2b26331e9b48007c6e61ec2ce186b7a345d1fa3e4
SHA512 dae4235346b860035a692c5f679d7c1fe3e5a0a9ae54c471d53252e2cd0c8e1301d3d97255f6e53cd022e64e20ce604812a1a662f912d00cde35790f61eac722

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log

MD5 fd18e6c30a3016261c56be24fdfa6205
SHA1 3b811eb6e35b9693d2c51a020a4b4b7ca29ff27b
SHA256 1a1b35dc56d73a1f7f66e2e968f273242525d87b86f571840c35e98e2a0eba7f
SHA512 36a7f186e301432ba4a25a914902647c9b88bb98be6ca62ff597092f4c647ecd35f6c3b9aaa85b47b99deda402ef1ee5dc940f64ac826da95918ac7cadb73d7e

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 b8e27c09d43e37a8534b8f44a78bce6f
SHA1 92e748b9d633cec245b213d46fac7f297d4b6694
SHA256 06836cafb0f08946dd48b8dc6107ddfb66b48e0311af1055e194c77b41ecb088
SHA512 bdaa85349531f9de25e663c55343184c994c000cea00c851eeb6f8fb34511eb187ebf16c99a0bdf825b96cdb42cfa3b5e5c9c8ae310112f7c5ec6805c1fd39c1

C:\Users\Admin\AppData\Local\Temp\785D.tmp

MD5 fcd683343b407fd05e7790d8bce75a2f
SHA1 6702e5434d975ad620f82b35e9dce5c4e62a226b
SHA256 61f398cacbc1ca9b9b1e34631f4dc23b54b14e3e458a4fc38b7ff3b494a729f1
SHA512 8a50dd0b2d79d8f6041be9a4580616b5a9f5adda49ecb7b44c17c8f7c2b9c6566e90cb1b5ca8fb8aeb506853e55e92bcd7c94cdd4122c71f81357cbad0af2828

C:\Users\Admin\AppData\Local\Temp\6510277a-296b-4b56-a9c9-3f581e159426.tmp

MD5 719e5881c0c295d8f0e898af175f6f11
SHA1 4172a24cc91e601f93e29bead29a9c6c7bb3a1bb
SHA256 5a3fbd66ee73c86f91660c2c4e17c646d294c6c67cd7f8942b6ab0e7ec95a282
SHA512 8280232e24a5ceb1b592592374dfaf65ff8cbce5bd58a3be3f34b967fbe4b8fc7536d9290d4106e05d3cbbe7ce8c80dbc11f7006b4cbc031529c4c0287dc8d68

C:\Users\Admin\AppData\Local\Temp\219892680

MD5 816343d79565406752fad068138dfd66
SHA1 24e8adddc2bdac39759db02bcd06ec65bc7305da
SHA256 3c81cc2911c853a1d800e4448297a44019f9ba2e28c8a7c9128cb2ac417007b3
SHA512 e409ec2fa77a6b73206d990fb0dc43c0f559011acfcaa9e9f3f51b56490ffba5712e48ea1b36cb2e823f0f420ef8b49d88c49eabd359b71dc16d06d2d2d0f9ee

C:\Users\Admin\AppData\Local\Temp\219892680

MD5 0d67472d02d9db6e29608c50f3bb0b22
SHA1 c5e10b27623d65e9241a1cf9e4c1834f9aa6d3a0
SHA256 790937c84ddd23ef7caede9c17c8961bebc4de8a80472d828f28b7c51a2b4d16
SHA512 c993c7f75fa70a760f69c23149489f477a4f14038e2726b9c9f0b1122ac84c84468ad0fdcd912d8ac750197a2a64e2163f85b5207db94e4fbce7c32b1e25bca3

C:\Users\Admin\AppData\Local\Temp\146431085

MD5 8c97754ae946ef42d5be72892ca59ad4
SHA1 c0cb019f608b2c9c83ddfebab166e4d797f4795b
SHA256 5d5f18d8a0c52a136f96150c0febe230b90cf50e0bc53536cbea167f66be6f79
SHA512 536891b69fc4366d9d237098f036e8777061b2d0d5d31beb1a1ee33ef9d11f987e5c05348c9dc18ddfeaa17267ab0e88d2a53f946d35a9497834d880ddbfff36

C:\Users\Admin\AppData\Local\Temp\146431085

MD5 cdf01c1af2ccf1fed3c852d9d0936357
SHA1 4c55b59c2e388a11f995caa341e395a6b583bb04
SHA256 f3fa7f9c7a0f91a834d54ab46f07489228dd547727dc90adca12e448717a3aca
SHA512 ad5adbaecf706ef24a58ccaedeb2f43cf3884975e02a3442b9d2098211fe9ec7e5466205d104cbcb2f468dea4fb79b4156afe11e20569619dbca332d78661ae2

C:\Users\Admin\AppData\Local\Temp\06589065-81a6-4a34-9932-08d9f8bb4483.tmp

MD5 748122f1c3932b67b12dbe3874a3d6c6
SHA1 9dcc327474d463c60868634a2cc98e352b151d6f
SHA256 22f588ee562086063a2d1dabbd03928c81b00815bc2f58eb4f3395413a559b87
SHA512 6c4c7294327193bd25e5892b2b2032f87f65489d3b368cea3716ed60e13bccf0c413e01eb12e1012385cf37e185db5483aefdb3691b4ee349554225ffb7cf4f3

C:\Users\Admin\AppData\Local\History

MD5 40da2e1ea35881ff3f440df090cb99c7
SHA1 4cae0843c52b60458b9bb529129ca89ca248371d
SHA256 9946bd50e2b30a0ed0ddf55fccdd3421f2e6a8a2e19b3066f6c5acb17e9b160c
SHA512 5dddaa666261309d7e49aef6c5f95823fbcd86958fc668a7b6ee1cca9b55c8dceaef09ecee3571bdc9105dcd300c05820352f5017f160aeff52102d310895513

C:\Users\Admin\AppData\Local\Microsoft\Media Player

MD5 43a408345f140f214e178cf9b111de47
SHA1 699dc5d8d5617ec298f4c4db54d54dde8273f2e6
SHA256 6dda43e0c0cb71b1d262c1e5aa8b4d6fdc674b4464e76abd1ed5aff347af8f34
SHA512 465090c08e62f0e2f94659dfea6c4a054c2501d4c2bbbb3f779899dd308f2610475bdff1072f1e63fbc3be7a94059cd3c39d4c1d1aa3541f59c0b7225ac52604

C:\Users\Admin\AppData\Local\Mozilla

MD5 e2eac098f32742dd73459ff3aee6b9d6
SHA1 7d3838ad2adb84d073fa7dd7020344ec356d7bb4
SHA256 f482a211e8363963ff47943596d5536aab254ce2b9b892c098c6aa521a9606be
SHA512 7653ab811694e7d4a97f903d384935265d7b5047bb6ad0c139167aa03b5f4b5e474333476aaac68297d07cfb988789240d34d71381abeb6903feb0fabb736867

C:\Users\Admin\AppData\Local\Microsoft Help

MD5 a94cfd599a9d550616e1b43f352f9f6b
SHA1 a39a67cd3888557bfa6e08fb6ed34b7995578025
SHA256 4787a9f87a67549496deec20acdee877810691ffd94fa83e2d984858ab6a042e
SHA512 6a36650f57415d5d5c685fa236b6f50452d3bf22c682e16174cc13ff2c269ede90a036c7e7d522afd18bef6ab7f5838474d9ddccca0f4d80f7c14e1413e02cc6

C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar

MD5 c2919b2f601bf31091d4e3466cd6e955
SHA1 b8424f6220c86c9b22bdd719e43b943126152966
SHA256 3ca2b97860258012c8359dff6192fb8a386da206dd7cd1c92f54bc99bd32d197
SHA512 fe9311887daf0ac54de198fb5b0bb7c56597d6c7737a9bceba444fbbf75cae1276eb092b950dcd3ca6e3508256781faedc63da4c42c4a8ead478c68c496dc560

C:\Users\Admin\AppData\Local\Microsoft\Windows Media

MD5 06ea1c9c8c39708954668803ac5e486c
SHA1 52d7da94c153d5549a475f72df87d1ec75bc9bb6
SHA256 7f81b93e6a607d2b26b04b8428c302eee7210a7013b2f9369967e8d91489faef
SHA512 d954c2ecda04c6f76318b3c1f781a6bc57c7010c144a3b3fcb1a9d713bea510d4ab658970b9afcf6c6626fbee104d183d25464668f1e44b90b80622e52225654

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail

MD5 d6215182042d8b82ac94ecdd7652c87f
SHA1 7d4ee8f14765013bccc991b896df81244eccd7f9
SHA256 afea9b142c3be65a66393b2a9005a374ae1b4b046a25cf1dd0faf871ec5c831f
SHA512 38d91e0a0e95613a8fd464677f906622ba3c3eee0f3c5586f63e2ecd7ca7c15c36539bd40e658e0ed4dc22b04b3181c3ab59f9f53a4ad486a3f61f08fbce980f

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs

MD5 2f4dd390e2f38bfc0c65d88d88ec2aee
SHA1 509b255092c82e7986b3bea7d001e248dd8317c1
SHA256 c0c4a0d389d2629b7fb9163b100c416f68c34045acfea79fcefb37b8db69e993
SHA512 3e18150fc3d6a7f9bd092d0d2c20f03b68041574c43e20fe8b07fe6b787c0688424de715bd36a2a659fdcaa388722808694b72a898686abd3d5ef1278a38a881

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs

MD5 0f268286a9e4e0b48590a13e0bfca894
SHA1 402196b004c42741604238b7d6cc0c21b64e4469
SHA256 5ac9842c13ac26ac46467b12e4000b9eb32a908da43b96f5ca2f4947fd6dc3f0
SHA512 fa9fd1e55d7f8982473c16f0914c24dd8f004fb8621c9c207ab201fac32feda3e75099f5cb379579e1813a4d097fac387ca195ef6646f3b99d73525c8d57f2a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log

MD5 7b81b0ba446e48166bde5d603b9cfdef
SHA1 6d32353e8882cd47cd242b482272ff7bb3cc878f
SHA256 66371d2c66b6994dfec5742ffed8a28625b4af511be174ccbd9c861f3f8dbac5
SHA512 32591d6ddad0167c1d38a895a2ecb959b8bcd918539bda6ed966b7b70790690ad742e0882577861434d88cbedb350a1a22bd06114fbc6e76fb23420082e93136

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100002.log

MD5 0368c5a5cc495d25215f37045b877fc8
SHA1 0070857d7b77bbb3d91f82b732d51ee8955f69e4
SHA256 c2304f9487b88498a88c178e5b0b66673c95acf8fd99e3c2be8269be5a8a75b5
SHA512 8e85d3fa15c8a21277f714b2edba011acdae8f54cae2bbfc2769359b3816bbb6419bd7a2c5a1042b860ed78eb976eb223367aede9534bfe3c7ed199aba891760

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100001.log

MD5 68d765d4464c8215a8b19fe19ef10473
SHA1 b5cdb4512f306d597d6e15ca83721a79cba4dd4f
SHA256 c3617644cbb636a182dc51c1b9600e1ecea21d9d7c1ca9e500ae52f29a7ed540
SHA512 c4f0796bf381b6f9fcaebb3a0bf14c09242e455953f65532d552b0ca31bcdefeea62ce6667fa54582967173b147c4580d722da5a15d67fe14ef10c4f2753f071

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 a5a98dc06680f8bd374b7b7b6bc2299b
SHA1 e54abbd787b27ec809afc12819a4b516990cccfc
SHA256 f64d25ff9b5a92c8d4e82456a491314e4fb6ae4ee7736550e3adf2b4264c74c7
SHA512 1095a7ef31986f2543459a45c4e71ed0f579740db6518768b7e30b9d5ebc135c2791777f2100ee9780d3cbc7a6b68dce57dce303bb085e18679ee03069230cfb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized

MD5 f34a5a69bcde2894d82225e645cdf6c3
SHA1 15e7c56ad29dc466f173c60674613a392acbd8ef
SHA256 96c743f968e90d072513aad9ca4ec0818745e4d9440aa447b763154f41929264
SHA512 ed2cfe54746ae59581172edc9cf70761aef0b8d08ca135ce0082a69d053ddb72f7567cd276c87cc73de83d8ac41c14b2f0ccf14c89cdddf1c71ff203d7ed689f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low

MD5 8c8e6c054460cd6d1c2bf8615a61925b
SHA1 d6ef9f1b2747167f7ab0e3c2d2c697e5727c7322
SHA256 1c555c0b3da6546a21290ef1a30d5ab09e3cd1b3e28feaaced9790981a1f839c
SHA512 b140cba9a8ad6e5e8616531b16156dc7ec57c5acad6445a44576d78c6b45b3edcc4ee4f05ee1c67e24ec0cc2d84cf6bee00ed15ffead35f7f375ae83103d3e08

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones

C:\Users\Admin\AppData\Local\Microsoft\Windows\History

C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn

C:\Users\Admin\AppData\Local\Microsoft\PlayReady

C:\Users\Admin\AppData\Local\Microsoft\Office

memory/2364-1080-0x0000000000400000-0x0000000000446000-memory.dmp

F:\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

F:\cz.txt.EEE!QAQ

C:\Users\Admin\Desktop\00316\AutoRunApp.vbs

C:\Users\Public\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

C:\Users\Public\pax.html

C:\Users\zconfig.ini

C:\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

C:\Users\Admin\AppData\Roaming\BackupJoin.edrwx

C:\Users\Admin\AppData\Roaming\CloseRegister.php

C:\Users\Admin\AppData\Roaming\CloseCheckpoint.search-ms

C:\Users\Admin\AppData\Roaming\CheckpointOut.clr

C:\Users\Admin\AppData\LocalLow\Sun

C:\Users\Admin\AppData\LocalLow\Mozilla

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content

C:\Users\Admin\AppData\Local\Temporary Internet Files

C:\Users\Admin\AppData\Local\Temp\WPDNSE

C:\Users\Admin\AppData\Local\Temp\VBE

C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846

C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029

C:\Users\Admin\AppData\Local\Temp\nso7B87.tmp

C:\Users\Admin\AppData\Local\Temp\nse788B.tmp

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219

C:\Users\Admin\AppData\Local\Temp\Low

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin

C:\Users\Admin\AppData\Local\Temp\E_N60005

C:\Users\Admin\AppData\Local\Temp\955463884

C:\Users\Admin\AppData\Local\Temp\782C.tmp\Tools

C:\Users\Admin\AppData\Local\Temp\782C.tmp\782D.bat

C:\Users\Admin\AppData\Local\Temp\~DFD2DFBAB4230F1ED8.TMP

C:\Users\Admin\AppData\Local\Temp\~DFC15D4EFE990B173F.TMP

C:\Users\Admin\AppData\Roaming\SendRestart.eps

C:\Users\Admin\AppData\Roaming\ResumeSubmit.wps

C:\Users\Admin\AppData\Roaming\InitializeResolve.ttf

C:\Users\Admin\AppData\Roaming\CopyConvert.docx

C:\Users\Admin\AppData\Roaming\ConfirmRegister.pub

C:\Users\Admin\AppData\Local\Temp\~DFBF60A8B4327EBFB9.TMP

C:\Users\Admin\AppData\Local\Temp\~DF7917A8DC5F1F0869.TMP

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051847924).log

C:\Users\Admin\AppData\Local\Temp\RNSM00316.7z

C:\Users\Admin\AppData\Roaming\WatchHide.tif

C:\Users\Admin\AppData\Roaming\UnlockEnter.emf

C:\Users\Admin\AppData\Roaming\StartPush.jpg

C:\Users\Admin\AppData\Roaming\SkipOpen.fon

C:\Users\Admin\AppData\Roaming\Adobe

C:\Users\Admin\AppData\Roaming\Identities

C:\Users\Admin\AppData\Roaming\Macromedia

C:\Users\Admin\AppData\Roaming\Media Center Programs

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto

C:\Users\Admin\AppData\Roaming\Microsoft\Excel

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData

C:\Users\Admin\AppData\Roaming\Microsoft\Office

C:\Users\Admin\AppData\Roaming\Microsoft\Protect

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates

C:\Users\Admin\AppData\Roaming\Microsoft\Templates

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache

memory/1232-1893-0x0000000001EF0000-0x0000000001EF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes

C:\Users\Admin\AppData\Roaming\Microsoft\Word

C:\Users\Admin\AppData\Roaming\Mozilla

C:\Users\Admin\Application Data

C:\Users\Admin\Contacts

C:\Users\Admin\Cookies

C:\Users\Admin\Desktop\DisableRestore.css

C:\Users\Admin\Desktop\ConvertOut.vb

C:\Users\Admin\Desktop\ConfirmSet.txt

C:\Users\Admin\Desktop\BlockUse.xps

C:\Users\Admin\Documents

C:\Users\Admin\Desktop\00316\ÃÀŮͼƬ.jpg

C:\Users\Admin\Desktop\00316\ÃÀŮͼƬ.jpg

C:\Users\Admin\Desktop\00316\AutoRunApp.vbs

C:\Users\Admin\Desktop\UpdateMeasure.ods

C:\Users\Admin\Desktop\UnprotectRead.ttf

C:\Users\Admin\Desktop\UnblockUnpublish.tiff

C:\Users\Admin\Desktop\StopClose.m1v

C:\Users\Admin\Desktop\SplitLock.asx

C:\Users\Admin\Desktop\SkipUse.ADT

C:\Users\Admin\Desktop\SkipStop.mov

C:\Users\Admin\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

C:\Users\Admin\deployment.properties.EEE!QAQ

C:\Users\Public\Videos

C:\Users\Public\Recorded TV

C:\Users\Public\Pictures

C:\Users\Public\Music\Sample Music\Sleep Away.mp3

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3

C:\Users\Public\Libraries

C:\Users\Public\Favorites

C:\Users\Public\Downloads

C:\Users\Public\Documents

C:\Users\Public\Desktop

C:\Users\Default User

C:\Users\Default

C:\Users\All Users

C:\Users\Admin\Videos

C:\Users\Admin\Templates

C:\Users\Admin\Start Menu

C:\Users\Admin\SendTo

C:\Users\Admin\Searches

C:\Users\Admin\Saved Games

C:\Users\Admin\Recent

C:\Users\Admin\PrintHood

C:\Users\Admin\Pictures

C:\Users\Admin\NetHood

C:\Users\Admin\My Documents

C:\Users\Admin\Music

C:\Users\Admin\Local Settings

C:\Users\Admin\Links

C:\Users\Admin\Favorites

C:\Users\Admin\Downloads

C:\Users\Admin\Desktop\ShowLock.dot

C:\Users\Admin\Desktop\SetReceive.pot

C:\Users\Admin\Desktop\SearchWait.M2T

C:\Users\Admin\Desktop\SaveUpdate.xltm

C:\Users\Admin\Desktop\RevokeFind.xlt

C:\Users\Admin\Desktop\ResumeConfirm.gif

C:\Users\Admin\Desktop\ResetConvertTo.wmx

C:\Users\Admin\Desktop\ReceiveTrace.mhtml

C:\Users\Admin\Desktop\PushUpdate.xla

C:\Users\Admin\Desktop\MountOut.xlt

C:\Users\Admin\Desktop\LimitUnlock.ppt

C:\Users\Admin\Desktop\InvokeSave.odt

C:\Users\Admin\Desktop\GrantLock.xlsx

C:\Users\Admin\Desktop\FormatHide.jpg

C:\Users\Admin\Desktop\EnableUndo.pot

C:\Users\Admin\Desktop\EnableInvoke.docx

C:\Users\Admin\Desktop\DisableShow.dotm

C:\Users\Admin\Searches.EEE!QAQ\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

F:\pax.html

F:\cz.txt.EEE!QAQ.ms

C:\Users\Public\{846ee340-7039-11de-9d20-806e6f6e6963}

F:\$RECYCLE.BIN.EEE!QAQ\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.ms

C:\vcredist2010_x64.log.html.ms

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.ms

C:\pax.html

F:\$RECYCLE.BIN.EEE!QAQ\S-1-5-21-4177215427-74451935-3209572229-1000\pax.html

C:\Users\Admin\Saved Games.EEE!QAQ\ɾ³ýºóÎÞ·¨½âÃÜ.!pk

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.ms

C:\vcredist2010_x86.log.html.ms

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.ms

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.ms

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.ms

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.ms

C:\Users\Public\READ_IT.html
