Malware Analysis Report

2025-08-05 17:03

Sample ID: 240107-ybehdscfgm
Target: 20240106c59699d888ae2a654a972c74d44151c6lock.exe
SHA256: 8354fa469e0c4dd3dc859d96fd1e6d6d3446bafd494bd6c0f001f16de010829f
Tags: evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8354fa469e0c4dd3dc859d96fd1e6d6d3446bafd494bd6c0f001f16de010829f

Threat Level: Known bad

The file 20240106c59699d888ae2a654a972c74d44151c6lock.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-07 19:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-07 19:36

Reported: 2024-01-07 19:39

Platform: win7-20231215-en

Max time kernel: 151s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A
N/A N/A C:\ProgramData\GGEcUIsQ\dCckcokY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cuninst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A (4 occurrences)
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A (24 occurrences)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\wUIMQMEA.exe = "C:\\Users\\Admin\\sqQYgYIA\\wUIMQMEA.exe" C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dCckcokY.exe = "C:\\ProgramData\\GGEcUIsQ\\dCckcokY.exe" C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dCckcokY.exe = "C:\\ProgramData\\GGEcUIsQ\\dCckcokY.exe" C:\ProgramData\GGEcUIsQ\dCckcokY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\wUIMQMEA.exe = "C:\\Users\\Admin\\sqQYgYIA\\wUIMQMEA.exe" C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe N/A (64 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe (4 occurrences)
PID 3032 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\ProgramData\GGEcUIsQ\dCckcokY.exe (4 occurrences)
PID 3032 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\cmd.exe (4 occurrences)
PID 3032 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe (4 occurrences)
PID 3032 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe (4 occurrences)
PID 2444 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuninst.exe (4 occurrences)
PID 3032 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe (4 occurrences)

Processes

C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe

"C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe"

C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe

"C:\Users\Admin\sqQYgYIA\wUIMQMEA.exe"

C:\ProgramData\GGEcUIsQ\dCckcokY.exe

"C:\ProgramData\GGEcUIsQ\dCckcokY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\cuninst.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp

Files

SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\AQEK.exe

MD5 f37679b15827f2fe39464cfdf5b9111f
SHA1 fe272635be9e66f074da0ba66317cb21e6a6986c
SHA256 284796e8364618c38d1ded360a63e525d28b5c244a9c4958c6a9350e7fe287fb
SHA512 2071f3350f6beaff9fbe3de44ea41c7f232974d34c806bb6bd9460f63f858936f8b669823490f374c67758348605e1ce3ad27b665c1555c710cc4b42314c3e52

C:\Users\Admin\AppData\Roaming\EnableUndo.jpg.exe

MD5 02c4f488852b1e2d9fd3a4342937d981
SHA1 a94a2ea36eaef69dc1d18967ae8651e1ee4aca72
SHA256 bc554f6234d1d99ab8d949f22c90205b72700b53bcef7f9591d9fcbb78c5fe23
SHA512 fc348ef5859c991fd2e909d6b3bc95aec093443a00780a825ddd64eaec42eee37ad0d0016f07e2da46ecbf546a80eac66697f7c46df008cfa16bbd37d1fc6e68

C:\Users\Admin\AppData\Local\Temp\McEq.exe

MD5 5345f04ee6bba4608f5bec7e6bb94448
SHA1 d3d6a60c04ebaa82f8e9276a03578edc21215e30
SHA256 28129c3aa87e6c93eaeae511ba3c59f59539c6153a2d399406b80ffbb0f66334
SHA512 204b9896b1a0ec570ef493b40f482d4c78bb4d6a1a5eeaaebf406e7c79d8dc8c48e55415ebba22d36a0654a15870430cf1640dd6fce9be80a75e511cfd8a229c

C:\Users\Admin\AppData\Roaming\ProtectDisable.zip.exe

MD5 e1d5f5da905e9ad096915deaaf5dd890
SHA1 05003797e74294dcbb05f9982da5b9a6afbd6408
SHA256 f6851039abd71f2c27fac9a84dc2d40dec87d6cb622105bd56dd2821a11bf453
SHA512 3832840c3407de9bd62514f69d6f16ec614bdcd01b02d94a5d30192f3fb66434f1fa9c251dddd77cdb6f7a8b95b72870ca67f863c0cf1388072aa6bf6826210e

C:\Users\Admin\AppData\Local\Temp\ykUM.exe

MD5 b0d09fbfca4a935d122b7ef1bfbd9134
SHA1 e31e52a50c0921078b3acb1ae6ec517ec8f54d7b
SHA256 81ba76d1d8c265e8d014580c79abf3bbc21fe70916609e9f5a6c7e04afaa075e
SHA512 977dbaf482ae5ca3c9f266624963255958fbbb19ccac6715014f9db9a326ed7d66ebea96c1494f1ce6f79e34a246896e17a060a97aff51a5c4bb167b39181eba

C:\Users\Admin\Desktop\CloseUnlock.mp3.exe

MD5 b48bce4ed09ddeb6de81b03d845c5d2f
SHA1 237c8f0603a8208cce77470bf97b096b8a9b16eb
SHA256 a94fe002d159035d9b27cc015456f505a0497707d92192e16ed4fede1f6feb5b
SHA512 d670f1c891eb718785fbe483e2db5803cf9c4de2606ddee09c6de20819454871098df5a96f6652dce22d942e3470e64f3af3adb5754c9d02bf058b9c3eca72be

C:\Users\Admin\AppData\Local\Temp\IIcq.exe

MD5 ea44be05cbc194616e40e689a97cdfc4
SHA1 2fec2fcc1cdb29ecd829b0d2efdf2b851366980e
SHA256 b33b80d590e780f993af2e7b15ce59894ba3a7666164068a9e71cc8223c8a0e5
SHA512 4da14dfaff36be2bafe370c82b0ebb0dd04eb0769a9777f12160281cd6ad05ca6a39fabccfe74478421077ef686e2c4dbf935f65c3405cff9afda694b9502363

C:\Users\Admin\AppData\Local\Temp\cYQu.exe

MD5 a98b88df066e4b5a339b56fe0977644b
SHA1 d500779210134f5d799616c7691c7f69662d8676
SHA256 4783e7e981b43fa404a8c12da77d4a19c98fc79c87ea9b11d4c5b6ac46eb9a15
SHA512 6b77c4efa454bd295fe4bf6ab06b620e457771b41dc1a2a9501d86308e4424f3df386ce6c0a4cc381671935f6cb6130460934a9a689d8a707bc36ce72e8939c2

C:\Users\Admin\AppData\Local\Temp\yUcq.exe

MD5 3b66ebb1c5643bb0e7337dd7fdc96c6b
SHA1 906c18dc7d3302c9bbed11d0f94463c3a9cf5ca7
SHA256 03a0cc1d093824824c0b0e27269f5e46b188f0803234960187dc29150b038caf
SHA512 a7bd4214ce719a440ac0c2655c8b3202637e768a08b9027490dd631addcdb08ac6da004b6f91e951df32da1c2ca5a0e18a3c443c60bfceeffab96d500c275226

C:\Users\Admin\AppData\Local\Temp\aMUY.exe

MD5 7428baca876e3ba446de18db2a64a037
SHA1 775f093c679c5f5cf5948a6a3ace9378a9f7cbc3
SHA256 1efc6dfe84c6af334c0f1a0b0adce35ddd9360850cfaa6758c18df19d09515e3
SHA512 08c5333994bea5c5d2186919e4c78e2dd83c178d506eb34b02d1a0545eebe47f05c8aef864a9d4f5a741ab85fcdba71efcd352f3883250e4d5ab0c017d1458d3

C:\Users\Admin\AppData\Local\Temp\GAIA.exe

MD5 906d55c1ed4dd210215eb4ebf219898e
SHA1 34a1c5bc13bb3e372d2adcf44e74d8f9f2003265
SHA256 ccf925a0b67bfe3edb194a4d5a941bfeb87756b8098c106ba2827618fed9bda5
SHA512 2975379c719307d891bf9fa3cd996f824d8f5373278a4f682cd9d905731ebf3c2edf3b6cda8dbfd8c758e97a8fd0172a2c7f05ab98b55fc3bba81060414fb5b6

C:\Users\Admin\AppData\Local\Temp\EQgC.exe

MD5 d6a28c0e7de54ac3863bfa686238170d
SHA1 0befa3d643089601ec08c384da43cde7bf61111d
SHA256 ab7894a632bf16988ee43858dded0be1c2688939e7e40a74f8f6982eb45f48fe
SHA512 f356884732b87ffc2db614426e3bd71da9464df90fafeb15d507fee47413e0522d760e12eb3ae7f687e0059f9c1fb17e4d9eaf6cf7006e8e5d271c887b4cf63a

C:\Users\Admin\AppData\Local\Temp\GUsS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Downloads\PublishProtect.xls.exe

MD5 14399120d429daad594a935afb4d982f
SHA1 1ea2dbc93d92d3a1c339b5100c3971e51a0da687
SHA256 ea4df78b20152a49f062d8e85152a16a5b23ba6174b709b26e8ec22ccb2285e5
SHA512 497ba7362b2c8b1f861b84e566ed3b6d279fadb3074cbb901c035f900f185186984686c4813db334b44848005d9ba93abe78fe791a12d73c85180aca0f6f0487

C:\Users\Admin\AppData\Local\Temp\wkcg.exe

MD5 75bf2747891a47edf70bac203d067469
SHA1 b4d73acead7d915238d637c9652a3f2d9d49cd6d
SHA256 4d3f02c6fc36bb3e5597a27ecd3c04c958648e0e11657d143f4a03a28068e9ff
SHA512 03ee6c8f68537175ec3effe5a1b63bbff367905dc454b3d5feb459e743bb0a1b0abe84463dd3ad029606240f50728f49458f2678569aea476efc7c93d6252a6d

C:\Users\Admin\AppData\Local\Temp\AIkU.exe

MD5 828ce701162fa80ea637d3e3c4a1712c
SHA1 d150955526961cedcbd066edced6348c61562751
SHA256 32c7ad8840a77a5d8b10c062d3b9e9bfca4e0795f74763cac134236d064f7abb
SHA512 f7ca2a57fb7fed7ff050979e5405f43980b8c0087cc3379b2b0bee977a737c443032954f5636096e848dfa14261acf4b09a9bdc4810b4fa732a7472109e55f3e

C:\Users\Admin\AppData\Local\Temp\uQAK.exe

MD5 1c1ce32691b8c2dbc805eed967b22255
SHA1 31efb72d97c90a3662e748b170ddbbd842bc75ad
SHA256 551bcf978dab18aa3da365b9654207a641a886d7ff6f8c3f352a8df1c970476c
SHA512 ddd299bb3b441e39537df97ea58c723567d4a95b26db5888c5c2e44c7f31b6c92e39307b96fee569aad558aafc44f40a191c954230ba053de41ddb4660d90af1

C:\Users\Admin\AppData\Local\Temp\ycog.exe

MD5 5b0e549d80e8c8867a8b63c0a9a771d8
SHA1 a66a12102c9a28c8fefacc6c0b728ae9d25261c6
SHA256 e0c54a4e3edbbe37493a6ed2a14bf6ef5d0b59d994000898ee4a7e6b5ad63226
SHA512 0b27c441fb9fbc84817733b40def2d7e1e0fa6e117124c9f3ba9454f16a85ff7fe3721a0d13f9b429172a5d6cbcd2907ff6021123fd348efcb806ab5fb294568

C:\Users\Admin\AppData\Local\Temp\GsIs.exe

MD5 eda19fdaf67e0ab72fad173edb9c7d00
SHA1 6d1962761cc34cccfe8fd38366acbc1477b09d96
SHA256 bc3e61cf25041aa1215586b10cf54599624d0dfd2bf9292e7d239a96fa5d902c
SHA512 bdca2548c265bf4f8ad108e71b6f1f53638036718c0f2469c3250338b05eb84223c276e427cf34a315bcc34a36b37764b3e77102032377cb83b01a92f029d297

C:\Users\Admin\AppData\Local\Temp\SEkg.ico

MD5 9752cb43ff0b699ee9946f7ec38a39fb
SHA1 af48ac2f23f319d86ad391f991bd6936f344f14f
SHA256 402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636
SHA512 dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

C:\Users\Admin\AppData\Local\Temp\YwQk.exe

MD5 6bc319c8978d17a6d64318181a0ebaf9
SHA1 ba56cb4e287301815ac000d9a7dea9fda61005d8
SHA256 fcb4a3338c9cd07ad69f6b25a6f127b8ca1aff4ec95bae04e26283fab2121004
SHA512 5cbdf87f2a8311a515ed0c5ffdfc819b34b7bd422f7a6905441a313559aefe125f22a7ead85988778ffec9d2efad547390dd42a29172b0fffdacdb9b37251099

C:\Users\Admin\AppData\Local\Temp\iYsI.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\mckq.exe

MD5 858c21d6f2b095d935089798b7eb828a
SHA1 a083f197e54495e6e870b0acb3066278eadb2887
SHA256 5c306273c5208b5d914571cc5f0d97e912fe57d27a426b759397a9732d4eea82
SHA512 f0ec18e32d5801669a20c7ff1793cd7e76ec280883e6d07a99715ccc4c0f109efffb35f338a6bd4fa65bb1c25143a60a0d9a93a77ada1769445731ca3bd79997

C:\Users\Admin\AppData\Local\Temp\MQcO.exe

MD5 88085fa24aa00dceaa062676c24fff4b
SHA1 f45b43539aa5c52c94cc1be13a1894a53facc757
SHA256 aad1b4ef8b15eb63c42295beb26f241bce10fa28079b279a9128a00765436741
SHA512 57445805808b4994511e07f687a0e1b4064e228cf1b5bbc26ba5d5530b60c1ca4b5ca9f5a98ba102fc018384265b5738047a39a784da3fa12738d5cb436b9435

C:\Users\Admin\AppData\Local\Temp\sgYc.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\ukcu.exe

MD5 ca03de625666a5249a7f985eddb93eb1
SHA1 6c7ca36b84a8f207767bd3dac72c51904c9e7b90
SHA256 2219825337106caca1c0dfd5986de8c9eb92f74b053e2b1f21afb25476224a1a
SHA512 f64d2ee18ad24222007e2f4e184cf10b7d9c0044b22ef76a018614a9f1943ca3c22fce65a9f9e6aba0ee21037ac7548d0918614b9fec943a033ac4cdfbb7b0c1

C:\Users\Admin\AppData\Local\Temp\GcgO.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\wIAs.exe

MD5 4d2b565ae9c27a5ea6df25a1ce4cf181
SHA1 d80b88b7d481a3e5da09cb6997f7a25aba6eb419
SHA256 8e67e54e52459a97e45a3e85d6dbf3bab2510f9cf2d699ecbd31bc7f4a9b8174
SHA512 02ca829ddc8cf6b19ec549eb009067366076e17e98a66d676fc0e62be4689712127a49a26a08b4b63af9ab74808cbbdffae6829be7e6353663fd3b4aa408e7e0

C:\Users\Admin\AppData\Local\Temp\kQEK.exe

MD5 ea8011de9a647f6d7660b3002c3f9e09
SHA1 ba1da0da726cbc7a8d5b198b6f3d1e87896d7207
SHA256 03db8008924cab17b768495678b6d89df7c5d71b15e5035c69a100bf60900f21
SHA512 9390e5e0f9406616fb5fd7c04236bfbe2fa8e6c145a8e466faf8aa5972f2335ca7c0f4077c12fef331e3033360a0c61175cf7bdce83a61fe24e825e412d9a3a0

C:\Users\Admin\AppData\Local\Temp\IQAw.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\uEcs.exe

MD5 f60d80d77823fb544ccef9c5e721f449
SHA1 f8848a43af2775f5474940c60078faaf558d4f65
SHA256 8712fc180e3c1755b7867ac74715753d1fd61b17416f191b109aee51090b9301
SHA512 adb6f7c0207c5b91025c158da4413045a3d83b05105cd2bd5e7d91657033a1779b360e05cbed8f11121d24d7c22f41c3b64fd1b6560e7193a9ca66c3e9a897d9

C:\Users\Admin\AppData\Local\Temp\ggwm.exe

MD5 91c7fc8d10e1f61888d248b7be4fce80
SHA1 1bc486e36efcfbf1963fca7b633563e76157d662
SHA256 026cdef9aab1bdfa28226b77611584d6322988ae19367f5f4e5712b33a6b7581
SHA512 cbaac4c5b66dacf5cfa042060326006bc01e711c3a8f9559aa9c69bb6aae148b111a36e49c479a212a6681c32a0f45d82fe8b296998429f3c64066b2be259e11

C:\Users\Admin\AppData\Local\Temp\aYYo.exe

MD5 4e734049d725cac96e457759f8bf29f8
SHA1 f863929f47f15089bc32624230cbb4eae2c4d073
SHA256 a197a435346ede85314327adc221ca323b001bc882ac2c2dc1861859312421ae
SHA512 fe4ad2d8f49f9902d7da8b175415d74f42099885113deb20bf037d9dcb5be0ee6d7b017ffe396be61acbfb8fde500979e5a753dcc2e66e10d510de40dd4b187f

C:\Users\Admin\AppData\Local\Temp\IUkI.exe

MD5 bccfe876f57371e93b4af70e5cf0439f
SHA1 f280722bc7d21e49ca1fa18f1ae17bb6cef1b029
SHA256 22e31d4eb821254b5a64675c0e0e5ad58900af71220f0551625d9130a8c0226d
SHA512 eb608c15ab25f78992015726f1974165a7a436d5171d8bae60a26663474a44604bd11b0f89013c86871656452527da7b130e386248ea278200f8ca31b1f8f8e8

C:\Users\Admin\AppData\Local\Temp\IMgG.exe

MD5 75f219e3f6edf1485a973b3018fed6ad
SHA1 0db79f86d9f1bd8dc8b84d36c44b03f9243c8393
SHA256 3613f19212deb0b33b333cfabd569720fadb82c6f5fa6ce4869c871ae2b9e202
SHA512 198b4bed300088e666fa6772f0a53dc72833dcb3ea3433b4871c9229e19fe850b66cb87a3d4c4dfc1ff0f461b1bca40f532459724c4a0384c20577ad61749a77

C:\Users\Admin\AppData\Local\Temp\OgAO.exe

MD5 4d060ae074a2e49a70e6d02cfa1b071b
SHA1 3016eb0176255c8efcf792a331ce9e996d07bd06
SHA256 0326e870ea650d7cbf5a172bc32471869d532424bbcba7b1edf37d7f433c86b2
SHA512 11a7454a5f1cca4183e87a903a62f73ff6069df011f669eb339bfeeb4898933343ccfd72a7b349b012ecaeaa30ab9cbdb12af24e44880baea3308321c02e55bf

C:\Users\Admin\AppData\Local\Temp\wYUs.exe

MD5 f9b0c50b2949bbf0d86f36659e8aef3c
SHA1 f5244241020c73cac932baddf83a811fbed67414
SHA256 ab1d25737ed343931728e9ee5d6b577eb908793d322dffd0b1ed774ed419870c
SHA512 8bf0ff8a7cb0c9c81b03a23ade2215193b62da60a3c450315145716b400fe998625759a1a689d605e810a03d9b0c02d8048a39a98e66dbfd8e35171f8958516d

C:\Users\Admin\AppData\Local\Temp\gkIa.exe

MD5 4b890faf62dfac60244dc11b7fadba03
SHA1 de6a4b5605bf7fec5c185502db72f9a66c879bf8
SHA256 aedcbea7ea3a4f68a8a8c1b42ca6a58044e1d010815a4de851732e2f8d1c9936
SHA512 00bbfca7fa3f32b49dfd74434601758fe8b4a50dc83dc4e6d6382f47e3b2ed8bca633bcac17365370dcd62057986944b3c8d77498ff7963d4034c66adc2fcd30

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 83bbc4ac1c0a8feb0ffc3de07be12c97
SHA1 51726a07d7b61fe1cf25a8dff328e64a092a5bc4
SHA256 a97824c2a971639ba0666f38973e1362eda9f0ed01d62b02ba7fcc3b861e513c
SHA512 ea2cf809f1744d7f136947cf14712527476ed7017dcfbfc2960bbc586d773c8044bf88a86ca2ac68d9742ee491315ca008a9121f49e39efab7fdfc212e272265

C:\Users\Admin\AppData\Local\Temp\aEYa.exe

MD5 846d0940793f8fbe49939ba1394db54d
SHA1 8d47fba64ff8722986dcf0104847de2b16dd7d76
SHA256 f497ba0d7ed04b409ae2e2fd3b1dd02c922552cf83d3837980f08c464aa4215a
SHA512 f9a3daaaa1730eb89aa41e78b458ca56cf837efeeebc36aa8abb445abb14dbb2cbfbcf053a11f941e9bfb537b9e20f1ae9db2faa94eaa88320b7850e3aefdac1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 60e2fe870ae2573b66dc8e2a5d226d23
SHA1 1c7feae36cabb20e32af934f0b8a9d9965d6e0a3
SHA256 eff3bfea3b51404af4c6e38b3b868faa6d90a4917c71ef5dd5e24b58f378e896
SHA512 a213a57c6f6aaa65b0534236f97f001d347c47cc52dee7a586063cf499d32e695c64f3abe9021b31215cdce2c69f8a5e22a91fc23816d6fc4b16fe676c617666

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 770e947be5751d480f72f91f3ad1950b
SHA1 534acf1637f53256b3b53d3d97b45e9f53bd93bc
SHA256 6edf4d56e5b6e4a5abfcb742a49b42c6ed55947e2722d481cc32697741532664
SHA512 073fca4f7ee83585766841f7ec883d145587a204694e1df3a637aac77fecb24893dce97c9e5d131cae55ec0a98578d76fa89d0ddc823bcee698bc1b4c120ac86

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 f93b5d2b0294fd7609ea2a1b9888e1f5
SHA1 25fae794939c4201bb97b1168c9bad3abc8b5b01
SHA256 82f996f150ee24f9e0b9bdc858aa09e76a71c2621024d052e54c6cc619fa95d4
SHA512 99a266af6622b863bd85504afa07c8d288fafb8f052edf7258fda03f371517dcfa1ee401acb5b30880f72aec847f9dbc0da4795cac4ad5ad857decef75641b87

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 5356d1d203f5407a92fa28b1cc5dfdc1
SHA1 62ad6d9394b933aa598ccfadb4f265779d2f2090
SHA256 c03a50fb45ef3028568734cac3a92485685170800582eb64965036e554dec785
SHA512 1dcdff1915b3dbd4960749940e03f14280db986bfe0abeceab11af0196438cde8591174f6c7d5d26a80b7b7d6ff68ec67415945085076693431a3845b8c09165

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 f9d39680031b177aa96a4f8698219452
SHA1 490f2cc54a6b003306f18b1c86094d0d966197a4
SHA256 88560477e8136b938467818c2257bdca9b48cf9b0d56e8fc7abcad680a98662d
SHA512 309a1b5b9a2e8280a2765fe6abe8456dbb30fae6bdddbd2e9127676672d558e89a02e5d97823ec78ec4d6f79dde6bc14be971e933d380df44ca50efa53802d87

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 483067cd9b255f2d1e3e0c3af87fde99
SHA1 1e057cdae299117da6a26f97c376546fd874d222
SHA256 5affdf8c0c5585a1844d851429d12b7515e6b4e724412204e10a4ea7ba30c363
SHA512 26354da76e15ef0797e57efcc813035ea69c8e94d29d588f5a9ca01ba852446608d783325a6cbf8122e69286537112b8c39282216786ef6794a991620d2dbe6d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 aea7b8b0cf50ff25c20edbc672cee452
SHA1 bc739bf175e06099bf385661363a472f804f8640
SHA256 30e305c43ab0cc6a64c0d926677c93cba81293c421c50f20e83fa14040c6eaf0
SHA512 ce4aad67b4cce98194a9c27311c3c62e0f50f1f5055c8fa2ef2833464572c6614d65a0f6cc8092b4f7ddc5bf9eaeff60854be1d8f4617aa3443aa6dc93a810cc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 0ee50aa47aee7ebe1176a33f4beb76d5
SHA1 cc58186135effa74de14acf3aff386c587fe6c93
SHA256 0400389623c7a3ba6da549d258243ea5fd7a30d6f34ef5eed27bd6ed6032a8e1
SHA512 7796055df0375a84b49fd4c515c0677ef1c1ba12e4dd0ba8bbc3fae288f10674e9a2ad6bfe1220663dc77aa68af88c7b1644d1f4d27f05d65c49da064e0a4756

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 916de0a22da55c4ef815577b1c93efef
SHA1 ee6827608dc11134e39ed29656fabcb877b9ff57
SHA256 e344219ef403c9c44af17a77dad16a0e27730118a575e6da9d32b7a476ec52d4
SHA512 2534898d841d2d88d03b4951d64f53d48c5f366dd7c083dbf4933db81fbc29e9cb192aeceb8ae9d428642348b699761c10aacc19446f2a65298e3130fa723efa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 56c66bc32234b2158be3cefc66f4adbb
SHA1 4767043e7dc486035fca4d70327f413b8dcb16f9
SHA256 a3205c8771f149e14fc97ba1915d77392dd92370e237e2b50beb98b136fd7992
SHA512 9006e339b27ed0f7916d2068aff0db333b8cfa82f913add1f61134db8f1b51d3fbce7cda30eb666fe250293dcad4c8c58344bc1631ee47b6f8ccaa098e64647d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 e936f3c07df31d6f0f1e30dab7f8d287
SHA1 f7ab38623ec6d2db1ae7002923d38f07bd6eb503
SHA256 1c3e00594ad01e99e34575e221ea25c55f459a354c348bac1cb2ac30a28f284a
SHA512 e4e88019ac1b8d8c1a1871ce464dc43b536df098d9402782189ecc59b6b6557ffca41119b38f78ac5dfde0668ce967443c4b00c876aa7e63920dc6d52d00249c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 d98a0ec11a3fe2d6a31712ba007082a8
SHA1 b701afb253f88ff5f7a9b460e5e2d359530effe3
SHA256 a08cb3815b8d4e03ca979b1760504135f4dffc758ab0657cb13b05c9e19526ea
SHA512 c1b632bc8bac9f03c9cb223a29c831b7743acaf5516c5d5e0db33e8ff649ed26b5eadde12128b4dc921201a38f90f6780a489b1cceaaf530fc88f32b299b2de1

C:\Users\Admin\AppData\Local\Temp\kcQC.exe

MD5 6f99c9c956cdf934fb22304b76f935f9
SHA1 127c3af964d609db1e3ec0e9f89a2951faa6fb7f
SHA256 250673b959222cb578ab4b4f33cb079a471987c044e2b3a3be3d0b111786c03b
SHA512 1da3a5906a22d5404133d625b8cda8f2468dcb249d11d1daa752a9ce828e4ff5a5b50637dce63afc2a16121c3144a5632e48d0f30e56f8d5eeef1d23e0616e3e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 fd799afc919e29a3a45d6e49f743a02d
SHA1 189225b87c626e944a09188026668d66fac219af
SHA256 78cdf82fcb973ff9dc83e0771e16081b4609f1dab3a181ca62a1da3c76446281
SHA512 71360a35afa67979b755ec2abd2965c0bfce980d8f9fa5e9462510de26d6ec1ddf94a2fe1596e93726f9d41d11734596e2f1e3e5cab73ba34f105c03e4970c9f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 8133f5f9584c254cdb2e254afee60e75
SHA1 779c00422d8a684f3a419bb25bfa975fe4ac7b24
SHA256 e719a6c3df0ca6e8b4d418aff8e2e8db504ab575f2701f9c796fa734a5b501df
SHA512 2be094336c78095eac48d0ad8c2e38d2f677ec3025bf1502c65d67c33e945689f032dae11d6300514cb1bc605d969762fb6fbb45a9f6eb7bdeb4bb536e0fb625

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 e73f5ef66c63397bf8424e65ca04abe5
SHA1 1bdc88ac34e7d89d66de1b417bd448f585d9e060
SHA256 8642eb26c97d3da1289cc144ea19c793db05a30f139b01b8df0cfdc3191dbf99
SHA512 cd105ce584aae80ee832e6306e2422493d2823511e30c58966a172984fdeaa2bebac27d90004497dfc9b4de8c211666ff6f9c084496afc8f212681130099a08f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 52444f3f753ce8b2fdb91c59cd2dab68
SHA1 24946ff8945b9641df9371f6e890d099e8545884
SHA256 3e1f403fa8a1dbcb960150968e075a5120cbb0fd76d0be64b95b54ee8954adec
SHA512 775725fd7157b71a3681d337ae6b89e49b183f756e4117646fee4e0fd0100320bd0fd0daeef827144845e0bf7134208ea56c21644630f0a4ec1dc2d68b181651

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 002400c474d3a545072a5e148731bbb1
SHA1 c279cc20001a5c9e85a9b467826adb0bbb4d7f9e
SHA256 302516ef1af693cb222fd44f180edea46c33f01003c8ac5eb128d257f693716d
SHA512 281067b43eb137482e492f57f9ec105fc21cf9f5e8419a347154e29d4235ca799d503380efdc004a6c594859125e018d1ebbbc2b9c2ffee41d8171c64758cb0e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 ff5cace72c71f6618a46dc9ef331874b
SHA1 bf76635e7f1458f9e4e7a87d2fa98ee363ffa605
SHA256 3ef6a06780e811532857917a4ff0df3fdbcf4747a21a4ea37264ba4473c98fd1
SHA512 0a6da8fc1953086312db898a707c9f91327be7dbe4b953cf74abc2a1a486a47e9c98cc1200d8a4fceb6124113baa78febfd84d743f6cf0f71e3d11cd24607ed9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 8ad2b876ba65c2f9ee7967c6b2372a35
SHA1 279eaa6a123355d744c6779faa5688face7f0e27
SHA256 fbd9399e0ca0d31764b6dd1b73778255d2d97452c1e4bd6d0c07b71bc3afa06e
SHA512 2c91e518ad927630c34b8f6cdacb1aef01a9a91d42b0c26a6ffc10d9b3aca894ebc811344179ef169de1d86ee302727f6e922619af0e31ad381d613eb12245dd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 3f93db33711b034bb4ab13c9478ed13a
SHA1 ea78560ab140d16f740d82fc1db6f0877711aca2
SHA256 a62808a80907d90cbca9b9d62d5b66fb2e0a0bccd3cafeb72c972d6bb88c0285
SHA512 bf42a537f69125562bc4bef0d22af3494467f01ef3c842cc81ff635175722e95744a87fadba091bfc9c689b90a80eadd12b6b4080e962ae1c7500f0775a613fa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 328ad8c83ae0f690a189b224f0aee8b2
SHA1 9c933bc6619360a5da5a488b18919611d968bf1d
SHA256 739bb180c60f087385883b2e5deffd1a2e58ce81d43e25715d0c381588168aeb
SHA512 0045968a35c987a81255f86471890d08c57bc10981b209a77d3f0e31f7b787f3e8389928e88099d94dc787a4c68106a3db6fdca5048177d6763c906f942d3caa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 15c7312ff58436110c9e0bdb9b90fe21
SHA1 dc4cc1da83d6b94a62dca8baf59ff5c39afdd478
SHA256 a5c85546c8f9fad9aa2048fcc0ce4ba1bbae7b0ac084df5786199c692cb56bb7
SHA512 35c9b56dc5583ac40e239bfcdaf9ee22ff0fb2558dcb6afa3599c18be4acb8b421c046505b35f127b22343073fbc4b1faa5028f1d6bc66c2a5655ea7efd3069b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 39ef952d5d1fecb20010d70d6641de7d
SHA1 61c3b70f91653984b552f65edb3753245df45cce
SHA256 68dc8cb790d2cd2d193b870fa4c2525c45bf01bef5a627b3b252a9f250ac82b9
SHA512 b22d8999d24556dda5870aa519e34bfb8e800c01075a2d3f10c4cbc56d5943cf1f877778a8075386f4963777c551b96247c2643999c201f7510a538079e4b1d0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 28733f8ef795350eae64ac967d973a3b
SHA1 82acead5c66b241eb190dc426254e749994f5097
SHA256 ce50652d21a8d0d46678c4222300cb85277b0b3065104442a84b885f91d0560f
SHA512 564185c8997bf6436044a254843f1d6e737e4303c907e236363485c6a25080730193166a963426900c0d44458fd8c5d6e44cacd864e860999b79291da0af6b4b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 2b23eea9382c72da98caedc60032f7b8
SHA1 7b92d8189b55a6b6f915502836a04b0ddfc1502c
SHA256 d9b3cc50c90bfa2913dd0fe60a42b8c63dee94faf2579ebe1aacb6a7b1a980b6
SHA512 965dcf89405d9a8d76d828720362c1aa57333aafb1214db2ecd683bd71442fe51c2b28c227025caaaa2bdde05e3b00dba34cb2af91028f337d635c2cd73748a3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 e39e962cb1dccaecb75b08ca0ef7749a
SHA1 6d6014076aa5ba016ed66b4d3e25c2dc89828ebf
SHA256 c56857032f0b8f0dd7e65b9b4ca3fd1cc55a359b16fc0cf83642f9160ef1a922
SHA512 aec736896aa33fb91b7e31348dbce9d73f32285a26f4099ba0f8bdcb54e4d27d3949b28b34521a4232808ed093b3be82025fd898024052bd86c67f498b79977f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 fe9f80697393489d386cc070f5b040c7
SHA1 60a0241c22f4e3e635b868c788a7942281c439a8
SHA256 5a0bc7a9781c65e930fa29c26e2d617bf13fdcf858f0861a26c7b1badd424e40
SHA512 11b41ca03170cef6ffe08dd46c0270d8380420e2f40cc5cad58f00f517751bae80318ec4dd45c8c4ead8a28e89f5dd8f9028d47fff036a9ccc0de90c4f4ffdc8

C:\Users\Admin\AppData\Local\Temp\wgsa.exe

MD5 26e74d94445b8dd7e278a153c3090244
SHA1 9f28830152afc1299c6d91e4d86ece6d091fe3c9
SHA256 5d15453fe51891c58512405427262c9236c15e8f0beca874ec6a639baa9d5212
SHA512 26d5a5667b6d9d84ed8a2a64da6664bc972c885cb48bbce39038b7eb47fc92267c79ddb10a53f2d8ca4746b859c84324814abc0c3c0ace9ba16d1e9bc4e22e74

C:\Users\Admin\AppData\Local\Temp\WMks.exe

MD5 648344d932b528a828502d5e37381648
SHA1 620d82c6b4a93f43291263986cee3d6d7c1ec755
SHA256 a91c2197a03f11cf81c3e9ea766fb68f46ec6a87ea76a72b752b91f60a2f2b1f
SHA512 934c0a141fa2fc76bbbe75428837ec23bee576c3117018235d0539d66b0a63c521dcb950f867dacd216fa906624e1ec18822ec9ec3beb6daf2da833b43a1c889

C:\Users\Admin\AppData\Local\Temp\gsgi.exe

MD5 ea4130d96c38789e9132c08a66e8749e
SHA1 e84ceacb2c415a37ad471077796813708d24d5c3
SHA256 609903b673298d2b68007ad07ec7f5174992e510295b53e9b32f6b5f5a39e838
SHA512 3a617ef5e5d7ecab5a2ed7dce7e314296fcc12cdb6afc18200fe790b826433bc88bbaa0fa7738b73cb78d44b21a0cdf648217ee23394b079ea37821de59123ff

C:\Users\Admin\AppData\Local\Temp\ywgW.exe

MD5 5b33fa48591c7722b24fa554c11cd544
SHA1 d076663816635d300b7dc1cd6c85994825016c1f
SHA256 388de3b7bbd108cc597d655b9a0b44a588619ca4c87cac1021dc0008ddfc47db
SHA512 3523590cd75b8460f38425d77d5286016dccdd205ce735945fa29d0b439c233a18e6976c48a7168d00b6f533b5517f1756052512d6d4ef37b0e115d5a27b6840

C:\Users\Admin\AppData\Local\Temp\Wosc.exe

MD5 7df5fafe783726cf8fd132d1f4b7c14d
SHA1 212b4d9afd267f067acf417c4e1de4e3b3184255
SHA256 47d2d9d2a3e4fafd67e9c7b63bafc9dcf5ed817897ceb61708c97150c75bc8ac
SHA512 3c396dc9594ace1414ba35243ee62e9ec2cd58d9682e1c0d9f1b5fb170c3614c376f3fb33df27af34a0d609ec220983ae8b1cada518764c94cbd2e110851be7d

C:\Users\Admin\AppData\Local\Temp\IsIS.exe

MD5 724693a4d5c3e3950f9531b296d5b611
SHA1 3169f3992af04560f874960a494e0983627f889e
SHA256 1bad39318b04af1dc9cb0f60b862c3882c9a6ea248216022e5a161d9f8ed078c
SHA512 7ef5fed7770947209f1deab289d1c5dce8b05bae54654d6834d723bbe6540638394aac38bc1a42670d0c56f3036f416a1184ef7103de91035f4b6273957cc294

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 145f3498d270644626b9a0e29070a1f3
SHA1 71c8ced2a0d2ff1c0cc817031c8aa4f02b79e063
SHA256 5496835cd145082f67968322059d586dd0a1425281ffffcf3cf50848677ff6b1
SHA512 7885b85bbb5441e4fa065af6d95f4e9b755b7b61009affc744868d4b224a0d4a7f67c6d062e6ce7db7abe5da755404fc58342e5a45538f9c80e542dbd160cd40

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 115f324f87e45ba3a1586a53faa5ec4c
SHA1 2042cafb07a5b3ee7b74cd0517cc2ccc9496792a
SHA256 caa688604c592da3ffafbfe33d46d1893b96f889673ea92011d5f01b15742dd3
SHA512 6c2f81689f5a76bca1a4cf363c3c922dbb12547ad0ed06c99cc59eb51c220dbdebbff21e7846d051eb892cc75ff95ed065fe97d27e63624c33da303aafb86567

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5fa3e832ff120184477fa3cb6a8565a3
SHA1 bef2b18eec7fdf5a470c971fba63a162016fdce6
SHA256 bc863a57c7c030d58c5e7f616518ca2f1739b1e0df52ebf7ad1a5da1effb1792
SHA512 daffe81cc3b8d4275cd9dbd4775bedb79bccbcaf8017ea63798cf6f3a1808e8075a0b598e3d7ee3753fee45cd00be572c8e515b59bd6beef7e1913cf94d794e6

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 ba22e0dbf7cc74bde970876dae3787b6
SHA1 fc7f468b8f238bb8d726bc415ea56096e0ba02a6
SHA256 eff3e520c33d8f1bedd4468c9b2333a1a89a15e3d9f330419743b71afeed7537
SHA512 8b1ba4b6e0042ac3c53aa516261e945af3898dcc1634a72dc680d014cc580c6eec7b2c6b75b2f6b3d62bd4b33b28f7dff76961fda4a3b852441c4566f636f29d

C:\Users\Admin\AppData\Local\Temp\kwcg.exe

MD5 99b5a492e3cd06c918110437b3e00a78
SHA1 13e69517a64749556cee4fbec4c07dc64e8790a6
SHA256 6e8946bb3297a5360b21bd075c90a7681211556b8726c5412fcc8da27d93ded1
SHA512 6161467a3d45eb3bf8e6e2e30b9ae8871b277c5b1bd36448c1c0d717b3111660b441b0934acfabbf209532bce60020c5ef582145d8520e7223d5cf896d1a8135

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 c7166b87dc29174ad35ea7ecbc207f8c
SHA1 030330cb1145e8371c3847c0bcee1a556f7ccbb7
SHA256 a990c5af162fd9bd48c777673794d6590f1e91453620b46b00b49eca7379ac0f
SHA512 dac7510a391bc696d6697b2b9fc3b8de6e5c297319acb7905d0d3bf36d1d20a44498d4babac6bb9bdfb3973a9ce2e49bbf68bf37b45f0e421afcb5946da505aa

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 7ed7b1424f83d2f1156dccf1715cd00c
SHA1 1b3299cb3286bee26a4e73c8b32cc22f429eb896
SHA256 848bffe1889e878f8565d8755c6fe6f7f942a7ab8d16a085e89e876cdbba0b36
SHA512 b284de3a70098f12b1a53c6205a792923c5c46aaec43b4c3eb3ce7bdd1a9c95de628a5575b25771afa0606d5a1aca4db4c4300830eb3ba483b2adbea8b8e9e64

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 5d6080b73e320a71b69873d64100c941
SHA1 80394b77d8b019e495bc1a5639f4135a051e0368
SHA256 81a401e81023428dc59e20bad4624e8ce6080dac1fcf4aca3b2a7d79c0cf2fa2
SHA512 00a58dfabe9e1029c05de7c08c70678127534a5e94260b38844f9dcc9be6ec61cbc9a1f5e1eb7495c9ed99baeeac4a71c18cdc820d9aa4eb9f6976425aac190d

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 f3d820c91cec52fc2b43d8a5e09f2d3b
SHA1 1b2ab9060b2860114a17e42bd7d594feafdcfef4
SHA256 e4e3e0b74f2931cf0f33d3397f80bc4595cc30c2f554b78878e852c749835b2a
SHA512 37d2c773fb5007f88aa0306820ef7c2e381767abe6772d0c92d3bf6e09ecdcd246f1968d4e631075a61059d75e9359f950ee57077a1f4244b23eb47ed57f6d82

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 499fdc5b31ed61c8fb3db4f77c16d6fc
SHA1 59ce79386d571f497245328b612ec7285a17d9ba
SHA256 07fcbdf2f64cb21d8fc37bad569cdd6a1690fafdf993f47bc6cd3fc2bcb97a5f
SHA512 a11629dd8a4bddb7a493bb1926f2b2944c6d0da521194363108d608f43145b22e6c295a11cb305f49b207dd2614b71a25c52520c85ce27e7cbc98744ad4f9e20

C:\Users\Admin\AppData\Local\Temp\mQUE.exe

MD5 381465dc9251d572967425e070a0143d
SHA1 02dc142232c5046766198c3b7862903c60b2a16f
SHA256 ece943020562ed7d51c8b61fab782e6939a03c3e6c40e5b04cdad5df2bab9966
SHA512 97422f8d41bf9408067379ae1560595cfbdc35161d1c4a0894eb253fc19059b6dee09415edbede00c4a84a7417b529bdd2d70143c64fd1a9e2415f82b675ba0a

C:\Users\Admin\AppData\Local\Temp\owEe.exe

MD5 6c0679f9b18977f2ade2f8e56f868b38
SHA1 940a4d3f2adef85db18bc17c9aa8d599cf39102e
SHA256 39a53c5561bae1f4b201f300a5284104e378267098e5f95b6090da752352a82b
SHA512 6ce12eaa2d40a5d84d2e681630eedeff011fa2841510b71b228a6958ae785d818f71f0186e3f660fde148fbd0cd88eb5a6a243a7aaad2559be9708ef2b1b1d7a

C:\Users\Admin\AppData\Local\Temp\OwIO.exe

MD5 4dc6098afbb676a74e255b561da12f83
SHA1 2ac748e33e8fcc1afe8b5249c4a1a4677fdd0cf8
SHA256 ef30b9f5e0dc3726c506245c42ee3f1b9f5028f31bdc2b0317a56c179ef70e31
SHA512 aedff6277648ac796f90367fdbd6290acfe1ae1ef2ac2451c0f5f7b294bc950b585ccf077e9991ca3ffc92ea4e7745fa8443a975e5d16536f3c4a2ef51c8d358

C:\Users\Admin\AppData\Local\Temp\WIMq.exe

MD5 9abbf54b3650acbae07b5ea1a5ecc0ba
SHA1 631a874672c82fbfc15307e2d29f650f80e3cf5b
SHA256 a6f8c35563c5bc3464b066a8da7c6c420465fe8eafd2fab2defbf5e50ac5b7ea
SHA512 51a5111f7ab854d1cca3a428b0883c33ffe233bf83e30496ac87b6e7cd36888c57874b563c7feed2a35f5dd8baabdbcbfbb5dadeb9e58e1511446c25bd5c87a2

memory/2708-1933-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:40

Platform

win10v2004-20231215-en

Max time kernel

49s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ciYsEoEg\oqksUEcE.exe N/A
N/A N/A C:\ProgramData\cmcYwEAQ\osMMYcUk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cuninst.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oqksUEcE.exe = "C:\\Users\\Admin\\ciYsEoEg\\oqksUEcE.exe" C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMMYcUk.exe = "C:\\ProgramData\\cmcYwEAQ\\osMMYcUk.exe" C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oqksUEcE.exe = "C:\\Users\\Admin\\ciYsEoEg\\oqksUEcE.exe" C:\Users\Admin\ciYsEoEg\oqksUEcE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMMYcUk.exe = "C:\\ProgramData\\cmcYwEAQ\\osMMYcUk.exe" C:\ProgramData\cmcYwEAQ\osMMYcUk.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Users\Admin\ciYsEoEg\oqksUEcE.exe
PID 3764 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Users\Admin\ciYsEoEg\oqksUEcE.exe
PID 3764 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Users\Admin\ciYsEoEg\oqksUEcE.exe
PID 3764 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\ProgramData\cmcYwEAQ\osMMYcUk.exe
PID 3764 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\ProgramData\cmcYwEAQ\osMMYcUk.exe
PID 3764 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\ProgramData\cmcYwEAQ\osMMYcUk.exe
PID 3764 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuninst.exe
PID 4920 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuninst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe

"C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe"

C:\Users\Admin\ciYsEoEg\oqksUEcE.exe

"C:\Users\Admin\ciYsEoEg\oqksUEcE.exe"

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuninst.exe

C:\ProgramData\cmcYwEAQ\osMMYcUk.exe

"C:\ProgramData\cmcYwEAQ\osMMYcUk.exe"
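The three reg.exe command lines above do more than the signature names suggest. `EnableLUA=0` does not bypass UAC so much as switch it off system-wide (writing it needs administrative rights under HKLM, and it takes effect at the next reboot); `Hidden=2` tells Explorer not to show files with the hidden attribute; and `HideFileExt=1` makes the `.jpg.exe` and `.png.exe` files listed under Files display as ordinary images. The Python below is an added example, not part of the sandbox report: it parses those command lines and the `Set value` rows of the Run-key table into one record type and maps each write to the technique it implements. The input lines are copied from the report; the ATT&CK IDs, rule thresholds and the `RegWrite` record are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the reg.exe command lines from the process list and two
# rows of the "Adds Run key" table, copied from the report above.
REG_CMDLINES = [
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
]
SET_VALUE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oqksUEcE.exe = "C:\\Users\\Admin\\ciYsEoEg\\oqksUEcE.exe" C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMMYcUk.exe = "C:\\ProgramData\\cmcYwEAQ\\osMMYcUk.exe" C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe N/A',
]


@dataclass
class RegWrite:
    key: str     # key path with the hive prefix exactly as recorded
    name: str    # value name
    vtype: str   # REG_DWORD, REG_SZ, ...
    data: str    # value data, kept as a string
    writer: str  # process that performed the write


def parse_reg_add(cmdline: str) -> Optional[RegWrite]:
    """Parse `reg add KEY [/v NAME] [/t TYPE] [/d DATA] [/f]`.

    The switches appear in different orders in the three recorded lines,
    so the tokens are scanned rather than matched by position.
    """
    tok = cmdline.split()
    if len(tok) < 3 or tok[0].lower() != "reg" or tok[1].lower() != "add":
        return None
    key, name, vtype, data = tok[2].strip('"'), "", "REG_SZ", ""
    i = 3
    while i < len(tok):
        sw = tok[i].lower()
        if sw in ("/v", "/t", "/d") and i + 1 < len(tok):
            i += 1
            if sw == "/v":
                name = tok[i].strip('"')
            elif sw == "/t":
                vtype = tok[i].upper()
            else:
                data = tok[i].strip('"')
        i += 1  # /f and any unknown switch are skipped
    return RegWrite(key, name, vtype, data, "reg.exe")


SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (\S+) \S+$')


def parse_set_value(row: str) -> Optional[RegWrite]:
    """Parse a sandbox `Set value (type) <path> = "<data>" <process> <target>` row.

    The report escapes backslashes in the data column, so they are folded
    back to single backslashes before use.
    """
    m = SET_VALUE_RE.match(row)
    if not m:
        return None
    vtype, path, data, proc = m.groups()
    key, _, name = path.rpartition("\\")
    kind = {"str": "REG_SZ", "int": "REG_DWORD"}.get(vtype, vtype.upper())
    return RegWrite(key, name, kind, data.replace("\\\\", "\\"), proc)


def classify(w: RegWrite) -> List[str]:
    """Map one registry write to the technique it implements (IDs are ATT&CK)."""
    key = w.key.lower().replace("\\wow6432node", "")
    name = w.name.lower()
    out: List[str] = []
    if key.endswith("\\currentversion\\policies\\system") and name == "enablelua" and w.data == "0":
        out.append("T1548.002 UAC switched off system-wide (EnableLUA=0, effective after reboot)")
    if key.endswith("\\currentversion\\explorer\\advanced"):
        if name == "hidefileext" and w.data == "1":
            out.append("T1564.001 Explorer hides extensions: *.jpg.exe is shown as *.jpg")
        if name == "hidden" and w.data == "2":
            out.append("T1564.001 Explorer hides files with the hidden attribute")
    if re.search(r"\\currentversion\\run(once)?$", key):
        out.append(f"T1547.001 Run key persistence: {w.name} -> {w.data} (set by {w.writer})")
    return out


def triage(cmdlines: List[str], rows: List[str]) -> List[str]:
    writes = [w for w in map(parse_reg_add, cmdlines) if w]
    writes += [w for w in map(parse_set_value, rows) if w]
    findings: List[str] = []
    for w in writes:
        findings.extend(classify(w))
    return findings


if __name__ == "__main__":
    for line in triage(REG_CMDLINES, SET_VALUE_ROWS):
        print(line)
```

The same five writes are what a host check should look for after the fact: `EnableLUA` under `HKLM\...\Policies\System`, `Hidden` and `HideFileExt` under the user's `Explorer\Advanced`, and the two Run values; because the HKLM Run value is written by a 32-bit process, it lands under `WOW6432Node`, which `classify` strips before matching.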

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
NL 20.86.201.138:443 tcp
NL 20.86.201.138:443 tcp
NL 20.86.201.138:443 tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
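Most of the Network table is background traffic from the analysis host: DNS to 8.8.8.8, reverse (PTR) lookups of addresses that were contacted, and web traffic to google and bing. What stands out is repeated TCP to three addresses in Bolivia on port 9999 with no domain recorded, the shape of a hard-coded fallback list of C2 servers. The Python below is an added example, not part of the report: it parses rows in the table's format, unwinds the PTR names back into the addresses they refer to, and separates unnamed TCP destinations on non-web ports (C2 candidates) from resolved web hosts. The input is a verbatim subset of the table; the web-port allow-list and the fan-out rule (one port, several unnamed addresses) are the example's own heuristics, not proof of C2.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed input: a verbatim subset of the behavioral2 Network table
# above, including rows whose Domain column is empty.
NETWORK_ROWS = """\
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 udp
BO 200.119.204.12:9999 tcp
NL 20.86.201.138:443 tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
""".splitlines()

WEB_PORTS = {80, 443}  # heuristic allow-list: named hosts on these ports count as web noise


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str  # empty when the sandbox recorded no name for the destination
    proto: str


ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_row(row: str) -> Optional[Flow]:
    """Parse `CC ip:port [domain] proto`; the domain column may be absent."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    cc, ip, port, domain, proto = m.groups()
    return Flow(cc, ip, int(port), domain or "", proto)


def ptr_target(domain: str) -> Optional[str]:
    """Turn `158.240.127.40.in-addr.arpa` back into `40.127.240.158`."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(rows: List[str]) -> Dict[str, object]:
    flows = [f for f in map(parse_row, rows) if f]
    dns = [f for f in flows if f.port == 53 and f.proto == "udp"]
    resolved_names = {f.domain for f in dns if f.domain and ptr_target(f.domain) is None}
    reverse_lookups = sorted({t for f in dns for t in [ptr_target(f.domain)] if t})

    tcp = [f for f in flows if f.proto == "tcp"]
    # Unnamed TCP on a non-web port: no name was resolved for it, so the
    # address had to come from the sample itself.
    c2_candidates = sorted({f"{f.ip}:{f.port}" for f in tcp if not f.domain and f.port not in WEB_PORTS})
    web_noise = sorted({f.domain for f in tcp if f.domain in resolved_names})
    unnamed_web = sorted({f"{f.ip}:{f.port}" for f in tcp if not f.domain and f.port in WEB_PORTS})

    # One port reused across several unnamed addresses reads as a fallback list.
    fanout: Dict[int, set] = defaultdict(set)
    for f in tcp:
        if not f.domain and f.port not in WEB_PORTS:
            fanout[f.port].add(f.ip)
    fallback_ports = {p: sorted(ips) for p, ips in fanout.items() if len(ips) > 1}

    return {
        "c2_candidates": c2_candidates,
        "fallback_ports": fallback_ports,
        "reverse_lookups": reverse_lookups,
        "web_noise": web_noise,
        "unnamed_web": unnamed_web,
    }


if __name__ == "__main__":
    for k, v in triage(NETWORK_ROWS).items():
        print(f"{k}: {v}")
```

The unnamed 443 connection to 20.86.201.138 is deliberately kept in its own bucket: the report gives no name for it, only a PTR lookup of the address, so it is neither cleared as web noise nor promoted to a C2 candidate by the port heuristic alone.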

Files

memory/3764-0-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4580-6-0x0000000000400000-0x000000000041D000-memory.dmp

memory/952-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2944-21-0x0000000000AB0000-0x0000000000AD8000-memory.dmp

memory/2944-23-0x00007FF987D20000-0x00007FF9887E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

MD5 52ea716a4a4def8177a4665d181382fc
SHA1 35002f63e3048b78edd7e97c3f4b3ec30eed1dd4
SHA256 fb73e9d7795c6e4bada17baa0b74afb759049806ddc264db8a2a902ad4d5c8c9
SHA512 63e3672d29a988eeeabb95783c1c14ec27f9ce02f254f456133bcca42fc1313c56efb2cf2a98ae8601f8bb8d856a0794d435f09094446ec13863727429e2bf1e

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

MD5 367593571081045fc74c9c3293c27ca6
SHA1 14ac7f60aaaffe576fb1935b580992374b79110f
SHA256 d1b70d82753b959bf5d16a1565b5f2b04fde60fd8c8466a01674b66ad78f0c18
SHA512 3a05146f413b704c717a39b952689dcbceca05d3ecf23040f80920bedc5fb2fcc1ec499c5ca9dd1b238b936dc39f0a19d620d86753b0d21e924a29a51dfbb1e8

memory/3764-17-0x0000000000400000-0x0000000000442000-memory.dmp

C:\ProgramData\cmcYwEAQ\osMMYcUk.exe

MD5 50fa2ce45dddb1344c0f79344a77b3e3
SHA1 eecef7e5923627a7add64945331a5301093a7585
SHA256 f2a5c2b24649cb0cc9f46819781c04112ef1db3df4dd1b795198553a191590c3
SHA512 0a183b46e2724284b106eb3ae8e4ca911b25e9f4b82e8815222ff7af82ecebe1b69ee82bb775221c087c84a99422ec8f0051c77ef515131c096fd9d1e1eab9eb

C:\ProgramData\cmcYwEAQ\osMMYcUk.exe

MD5 776a9f608a2307f5f439f7f187b9b086
SHA1 ac8111ed35e605aeed0ce60a6e7a11bb85c5ecc5
SHA256 358c61c97f802589dcecb8f7db9b26e97d5dbed74ee3f47aa6cdb2fbe8891270
SHA512 445fa4d1642423c2be6d74ea1144abf739ac90a81179b9c9a4ca57cbc1298e046e836162509b490343efe74513429316f667b5d162319209d572466a85deb68d

C:\Users\Admin\ciYsEoEg\oqksUEcE.exe

MD5 5f8ed3d12021df83a709d4c1902847ca
SHA1 8424bd20c352ecc2e67377650d2a49680bbdd6fe
SHA256 fecdf274323f4d2ce3f338f75837acdb293b773188aa982a127e1f063237581a
SHA512 43da541a164debb86867d8d4a13c692ea07afe51378ef3ee5fcb496b6dfe92cfb28438360c835dc56b3e8fde2e5c26c5bed4d33e885fe493d692bbb0db7574a1

C:\Users\Admin\ciYsEoEg\oqksUEcE.exe

MD5 09938aa3f1c55a7e660bf044d95d3963
SHA1 fb46c7f00e59a3340e130c281202e5cbbf39b67a
SHA256 bce69c4d2356f5cd46b618aca455e2ab2e372dfc80f6ea249763f34be81377d2
SHA512 8be8b94350a71b55a439d96287f730c960af3089238c4bcf290045c038460c697198de3767725cf01a587e49d7043bc5bd94d4bce6a63c2bef6d436419e226be

C:\Users\Admin\AppData\Local\Temp\xkQy.exe

MD5 dc254e346336506d53fc3829242f9c3b
SHA1 f9176d9bd98ae73ae8806e556cd6bd9c80d6d24a
SHA256 1c316df6458e3c565e009fc05fa2c6f6fa730bb7f247b123f6e5ae53a7dee456
SHA512 722d16a94f04106de1ccc21ac15de6e6f47e8bafb0d41f3b04dc47088b7205ee5a7e7fe1ff6ef5602756d5ccd2030bf32db17abb1759b90a46e4641565c5879c

C:\Users\Admin\AppData\Local\Temp\KAkk.exe

MD5 de2ed303a5aa0ad479af80bb174298e8
SHA1 2f522710e6eca27c36b7fef67379173762a7fcd7
SHA256 703cdbd142dac82495e363bd6da299f6a5c78bd205521cf8b62ea05fffdef7d0
SHA512 6f10d0f020874db08617eaa5c20b6a346bc41355534ac186893a4dc482396c5a62bb545669dabd60da61356fd20ac13f26c601590dc994ba65a7402444cb9a14

memory/2944-52-0x00007FF987D20000-0x00007FF9887E1000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\vwEm.exe

MD5 393bde2e42c99db83bd2fa0a20441477
SHA1 47b72bccca393fb5d823f772c98657988059ecfd
SHA256 e7cef3c255a77e35d9abf5775535e1c50d329f2ac6121c3130dfc609ed2835a8
SHA512 68893be1e46a2e494681b3cbe4fd8d9e15d2da526a99eddf3deaced84f1411923d92933118501c881bfe193fd2017b783cab6a79168f9af7d5fa86e83043e6d3

C:\Users\Admin\AppData\Local\Temp\bkYK.exe

MD5 73c297e36b8cf3becaaf6079b689fca0
SHA1 97f5d21fd7d0bfaeb5df9721d0ed230379700fb8
SHA256 2926860b0b41d67440769b7c1b0681171ec56323a944520bb61f9329e7792221
SHA512 144f191e57e05a6a7d590f97207f02583bcb720c21971d5d92497a3337cd981639229f137eb18be838f74666d610fe5eee3d37a0d987f0b215c141d269864afb

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 edcc944bea1f9c3d9537664337bd76ac
SHA1 fa1bca12572f0a2eb7bb22dfde86f3c5528e5661
SHA256 9973ffb5c297c99869623b8bb5233b7add9a8d27303e3b54433f26f79633f254
SHA512 b9f04a57155d047466fa8d1aa78a99733962beea8ef040f832fb7ffa9641dbb746f3285be90549db136ec0152d0f86e1565213516e0403bac4c496a2c37c9d3f

C:\Users\Admin\AppData\Local\Temp\HAgC.exe

MD5 a9954bff9468247c4411f91525fac6e9
SHA1 a19a2caa64480ba887ba0bcb830de33e57f7d64e
SHA256 b2db2bf7319be22b86c0ca9df102f3d6d443aece826457f0815cbcfc4ff5e538
SHA512 4bb561b6f0ae29edd7e3670d628a49865768be6efc7e97de029d0849b6967fa01cdf2ed67cf0c58a54fba91337ea99d4192e1c71a68efa93465f0dc22d634858

C:\Users\Admin\AppData\Local\Temp\ucoI.exe

MD5 87c1aec739f383ed7dac5bba29656c4d
SHA1 9870c62b3e43a0810c84bcbea5c6c386557405ee
SHA256 cf604a547846ba3ddd1e3a9fc397f95a4dd09d0004f8f1fd993f767f45572125
SHA512 8fdb23bccaf877d94f203ba42996280ebd26e0fa6ef39a31bc51e4b9195f29b51cf7a8a35b5786e11e6ec02a601030230c098b1dc98ce5e9ea7ba9d6e48b1eec

C:\Users\Admin\AppData\Local\Temp\ZAks.exe

MD5 b05ee93af1f4db69b4b5357394cf1fef
SHA1 5dbc20fa7827031a6e99e829a4c6c3e3afd4366d
SHA256 a4618aa6a34cac856f59c9d91042636dfc5bcc6d6da6b653fbe4b646fb788507
SHA512 b013e357d48682d95ed4106deff80632c7ad61f46dba9a49a30bad5bf36119b0c73fa3d25073cad5b3ed888bde1333fa5430b09498799b2d0b666439284c6613

C:\Users\Admin\AppData\Local\Temp\sMwa.exe

MD5 fd5a04b77ca6ffcb29192aa473c3b3fd
SHA1 f54fafb1cabf48a69b9a9286273e236316d223a6
SHA256 dc54eb3be63de4312bc5f629452ced698cca42b5af2453989ff5485fe130b529
SHA512 8ff40e73b7b5a44bf080444be5441cba4da4c107d5ca6a10729a6ebfca2f1db0fa2f286799ee9e99d14bf9fe1bde7a552a374486cc6168ac123c944b55f99b6c

C:\Users\Admin\AppData\Local\Temp\TYMy.exe

MD5 9a7dbb72539f76773fdfcb8dfa6eda97
SHA1 d4d294dfb6120aa9923af008bd7189e2acfa2aff
SHA256 63decda367c6d52734c2d2c95ee96c685ceb26952d94fcc039249942aafaf169
SHA512 df20c1026ab1e1805a8758c892b526d6f4dec506ff0c1881bf7979347d2144ecfd79f027c24b2fbcd4fc0648dc16f47f8576dbed3eb76e86f089188863fca670

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 ccc9b5144e8774400948bebc3161812d
SHA1 a869cb9cbeb2c892d8cf8b8617abe5bb3c022b2c
SHA256 033ea1f0bfb8b771d9ba92a7fe5ec919d96acab211a4168094d1666d45a04a64
SHA512 9f5813e594f5cbd14fee985e4afeeeaa6af4ba9f413eaf41a5904e71c614dff110c476d42d8f0934d7895b599dd0011837410bd82d85183fb2b91f8e0f5454ab

C:\Users\Admin\AppData\Local\Temp\psoq.exe

MD5 2cc95e79418fad3b26d346d7db809975
SHA1 13cd6583e948819472229f02390918efc2e8d386
SHA256 a5d8d5b32d17c8a2d0ccaa21604d725bc43891fe4b50a9b163570ce3fb1a364c
SHA512 a938a1f0a9a6623d358e50c0964a4842a743995c311e2afcc62aba6188aef1628f16cd5746df245e8832fdfdf0953f0e5c27395017c2e9ffd0b086aa200bc2ca

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 ee12112ead960fc942a652de1a224b82
SHA1 16b6274d15e3f9a033fd8e87c7af88f968dc02c8
SHA256 1faf059824f639e25466b54d9bb309801085ba884e70958eb0db0bcb084447ec
SHA512 ee045459ecf4ea70e5566fb8e7e5dd3cd76e4d38706c6916752f09cdfdc12a8af98a09e37ae73936118c57b54b3639e00509eb23e026d852409f92918ffbbd11

C:\Users\Admin\AppData\Local\Temp\vMEM.exe

MD5 e6cfad21f1370a6b54612f8963065495
SHA1 ca0d86d594a4923fb2b3c5875f28cbdfe1f5c2cd
SHA256 81293e063a399642f637ae273d7f956de811a50129833d557d6a78b9c03040d8
SHA512 e6fcc1b1ea957ae78e89bb41cc61bdbcce6b4f5f475d03fa359a79da76865bbd8cd91cd9080912c097b02ee72e376f2e5375484d1ac61ce8015338288fdc5da3

C:\Users\Admin\AppData\Local\Temp\ikci.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\xcgg.exe

MD5 ae664845a7d835ce0d0775c8f3422ef4
SHA1 1c3f76658c45b463e580402b06e82105c34cd248
SHA256 22dc3f1176286aea3031e884c1801697508759a2355cb95c68d172a898561380
SHA512 94a3bd7c827e345177b1bde096412b2a8adc9edfbcd437785b17eb471b92eaf6ba57173cff5063dd2924f687e824a5685abea2e4563d957da40cf0baa7f6d54c

C:\Users\Admin\AppData\Local\Temp\ossG.exe

MD5 953a0793668212959f5dfa3309b8ab4a
SHA1 63c8d3b81d8df7e7d8ad76d508e82cfc864f083d
SHA256 90dcfff6da40e585ac9f7dac3f8ecc0ed3a9baf8431753226cf7b7eb4c07f506
SHA512 81f004183b9b0158e08892b0b2b669772243bf7871c34ba53377d0d72352e220e22682a68bb8b5a1af1aedc4576984529696949ef18a287303441467db0001d6

C:\Users\Admin\AppData\Local\Temp\ekEa.exe

MD5 f888cc5ab65e93dd65d2950b39f3f032
SHA1 f99cb9e6e1898e4918e1e5808fc5efede31d0bcb
SHA256 225692466e0a1c6a510e4da9465844dc09fad7bcd29e2716dc955bf92b3dd21f
SHA512 7739a03ae04b7137219fed74340a245fb5836e7109a5e5567f50735c3dc11d98620ee30006739bd97ccafb91e898a5da21502f002bdec3b9bb9292317adf6e86
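Three things in the Files list deserve a closer look than the hash columns invite. The `.jpg.exe` and `.png.exe` files written next to the Sample Pictures, User Account Pictures and Device Stage images carry double extensions, which the `HideFileExt=1` write above is there to conceal. The `{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe` entry lists the MD5, SHA1 and SHA256 of empty input, so the file was zero bytes long when the sandbox hashed it. And `cuninst.exe`, `osMMYcUk.exe` and `oqksUEcE.exe` each appear twice with different hashes, so those paths were written twice and both digests are needed as indicators. The Python below is an added example, not part of the report: it parses path-plus-hash blocks in the list's format and applies those three checks, plus a heuristic for eight-letter directories created directly under `C:\ProgramData` or a user profile (the naming seen here; the heuristic is the example's own). The input is a verbatim subset of the list (only the `cuninst.exe` pair is kept, SHA512 rows left out).

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed input: a verbatim subset of the Files lists above (both
# detonations). SHA512 rows are left out; the parser accepts them.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\cuninst.exe

MD5 52ea716a4a4def8177a4665d181382fc
SHA1 35002f63e3048b78edd7e97c3f4b3ec30eed1dd4
SHA256 fb73e9d7795c6e4bada17baa0b74afb759049806ddc264db8a2a902ad4d5c8c9

C:\Users\Admin\AppData\Local\Temp\cuninst.exe

MD5 367593571081045fc74c9c3293c27ca6
SHA1 14ac7f60aaaffe576fb1935b580992374b79110f
SHA256 d1b70d82753b959bf5d16a1565b5f2b04fde60fd8c8466a01674b66ad78f0c18

C:\ProgramData\cmcYwEAQ\osMMYcUk.exe

MD5 50fa2ce45dddb1344c0f79344a77b3e3
SHA1 eecef7e5923627a7add64945331a5301093a7585
SHA256 f2a5c2b24649cb0cc9f46819781c04112ef1db3df4dd1b795198553a191590c3

C:\Users\Admin\ciYsEoEg\oqksUEcE.exe

MD5 5f8ed3d12021df83a709d4c1902847ca
SHA1 8424bd20c352ecc2e67377650d2a49680bbdd6fe
SHA256 fecdf274323f4d2ce3f338f75837acdb293b773188aa982a127e1f063237581a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 5d6080b73e320a71b69873d64100c941
SHA1 80394b77d8b019e495bc1a5639f4135a051e0368
SHA256 81a401e81023428dc59e20bad4624e8ce6080dac1fcf4aca3b2a7d79c0cf2fa2

memory/3764-0-0x0000000000400000-0x0000000000442000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico")
# Digests of empty input, computed here rather than hard-coded.
EMPTY_DIGESTS = {n: getattr(hashlib, n.lower())(b"").hexdigest() for n in ("MD5", "SHA1", "SHA256", "SHA512")}
# Heuristic (example's own): an eight-letter folder created directly under
# C:\ProgramData or a user profile, as the sample does in this report.
ODD_DIR_RE = re.compile(r"^c:\\(programdata|users\\[^\\]+)\\[A-Za-z]{8}\\[^\\]+$", re.IGNORECASE)


class Dropped(NamedTuple):
    path: str
    hashes: Dict[str, str]


def parse_files(text: str) -> List[Dropped]:
    """Group each path line with the `ALGO hexdigest` lines that follow it."""
    entries: List[Dropped] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1].hashes[m.group(1)] = m.group(2)
        elif not m and not line.startswith("memory/"):  # memory dumps carry no hashes
            entries.append(Dropped(line, {}))
    return entries


def is_double_extension(path: str) -> bool:
    """True for names like Desert.jpg.exe: an image extension hiding in front of .exe."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return ext == "exe" and stem.endswith(IMAGE_EXTS)


def is_empty_file(hashes: Dict[str, str]) -> bool:
    return bool(hashes) and all(EMPTY_DIGESTS[algo] == h for algo, h in hashes.items())


def triage(text: str) -> Dict[str, List[str]]:
    entries = parse_files(text)
    sha_by_path: Dict[str, set] = defaultdict(set)
    for e in entries:
        if "SHA256" in e.hashes:
            sha_by_path[e.path].add(e.hashes["SHA256"])
    return {
        "double_extension": sorted({e.path for e in entries if is_double_extension(e.path)}),
        "empty_files": sorted({e.path for e in entries if is_empty_file(e.hashes)}),
        "rewritten": sorted(p for p, s in sha_by_path.items() if len(s) > 1),
        "odd_install_dirs": sorted({e.path for e in entries if ODD_DIR_RE.match(e.path)}),
        # Every distinct non-empty SHA256 is an indicator, including both cuninst.exe builds.
        "sha256_iocs": sorted({e.hashes["SHA256"] for e in entries if "SHA256" in e.hashes and not is_empty_file(e.hashes)}),
    }


if __name__ == "__main__":
    for k, v in triage(FILES_TEXT).items():
        print(k, *v, sep="\n  ")
```

The empty-file check matters when turning this list into blocklist entries: the digests of empty input match every zero-byte file on every host, so they must be dropped from any hash-based indicator set, which is why `sha256_iocs` excludes them.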