Malware Analysis Report

2025-08-05 09:32

Sample ID 240223-r3j4macb71
Target 2024-02-23_ead34dbd568dab561004d36d88990158_virlock
SHA256 43664f03b4fb5ceb748682c4c8313e45096405b9f6f6ae113d952d104d651736
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43664f03b4fb5ceb748682c4c8313e45096405b9f6f6ae113d952d104d651736

Threat Level: Known bad

The file 2024-02-23_ead34dbd568dab561004d36d88990158_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 14:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 14:43

Reported

2024-02-23 14:43

Platform

win7-20240221-en

Max time kernel

23s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\tosksEQI\WOIMogsI.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\ProgramData\KyIogMMw\fycQQgAM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fycQQgAM.exe = "C:\\ProgramData\\KyIogMMw\\fycQQgAM.exe" | C:\ProgramData\KyIogMMw\fycQQgAM.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WOIMogsI.exe = "C:\\Users\\Admin\\tosksEQI\\WOIMogsI.exe" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fycQQgAM.exe = "C:\\ProgramData\\KyIogMMw\\fycQQgAM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WOIMogsI.exe = "C:\\Users\\Admin\\tosksEQI\\WOIMogsI.exe" | C:\Users\Admin\tosksEQI\WOIMogsI.exe | N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A
N/A N/A C:\Users\Admin\tosksEQI\WOIMogsI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2872 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Users\Admin\tosksEQI\WOIMogsI.exe
PID 2872 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Users\Admin\tosksEQI\WOIMogsI.exe
PID 2872 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Users\Admin\tosksEQI\WOIMogsI.exe
PID 2872 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Users\Admin\tosksEQI\WOIMogsI.exe
PID 2872 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\ProgramData\KyIogMMw\fycQQgAM.exe
PID 2872 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\ProgramData\KyIogMMw\fycQQgAM.exe
PID 2872 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\ProgramData\KyIogMMw\fycQQgAM.exe
PID 2872 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\ProgramData\KyIogMMw\fycQQgAM.exe
PID 2872 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2704 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe"

C:\Users\Admin\tosksEQI\WOIMogsI.exe

"C:\Users\Admin\tosksEQI\WOIMogsI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\ProgramData\KyIogMMw\fycQQgAM.exe

"C:\ProgramData\KyIogMMw\fycQQgAM.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country | Destination | Domain | Proto
BO | 200.87.164.69:9999 | | tcp
BO | 200.87.164.69:9999 | | tcp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | google.com | udp
GB | 216.58.201.110:80 | google.com | tcp
GB | 216.58.201.110:80 | google.com | tcp
BO | 200.119.204.12:9999 | | tcp
BO | 200.119.204.12:9999 | | tcp

Files

memory/2872-0-0x0000000000400000-0x000000000048F000-memory.dmp

\Users\Admin\tosksEQI\WOIMogsI.exe

MD5 d54891d85622a55ab1b4ae743bee73d2
SHA1 917bec64b706ef83826b6f73dbdc606df3a85ea4
SHA256 f80a4aa4238acb592778f3c5e6a428561e5843ec0d13673bdd0302cdffaefa51
SHA512 204e42683d47318e4f2503db0cf964570cad3fc0f7b611793eee7b16ab47e7d7c7e501ee01df51c6f325d91a16092ba46bf9992cfd8920f6a8486690837cb708

memory/2872-5-0x00000000003E0000-0x00000000003FC000-memory.dmp

memory/2872-13-0x00000000003E0000-0x00000000003FC000-memory.dmp

memory/1984-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2944-14-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2872-30-0x00000000003E0000-0x00000000003FD000-memory.dmp

C:\ProgramData\KyIogMMw\fycQQgAM.exe

MD5 ed8f4d899b3dfcb40e56598e9b2010f4
SHA1 85b20fc3700b9e3e8c621db5805f23dc2360ec03
SHA256 cc6f1714dc9d99d53e5ebe546ebc8d7a8c558cef32d7b1f4b9b62010a4cbf392
SHA512 239ad5a0edf0fca42865d1e24f4c193a91c52bc5c1bed450c7a747529c2322387d5eccaf4a28eea137e9a261a80cbcdf623afb767cc02e1f0c5a58ee7f8f7720

C:\Users\Admin\AppData\Local\Temp\zwgsMoUs.bat

MD5 2b8637d35ad35a9c641add140f423f1a
SHA1 1e2e2059af4dfa6bf7e51c8a47f4ef2da5e888d3
SHA256 a2c5cb9b09db6d2f96c4ed2cef91ef9adb3c444dfdecbf8c9ef7837ceb9015ca
SHA512 569a552d7723696c7a5b9e89e134719fd5759adfb585b843e877d794ef8bda4fddd4dcab3acee0fbe33c8f96498f65f304cfd359be543a787aa96b7309fe4217

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

memory/2872-35-0x0000000000400000-0x000000000048F000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\eYAK.exe

MD5 318dbbc93e5718b1c6804bd0ea0b1807
SHA1 2284238f02176cc50ac2f1e55b3f627823a82611
SHA256 8a11935e769a0fa662806bc2c14b17a06f45e21e840f88a8088b30e09524592f
SHA512 88fda1be6833590ac26f3b70dc971556580f447c18466ccb22c9cc6dec2812f38996e89b216366bcb178f422bfa6a07c70749921b0dc745ebc8252459aca25bd

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\AEIc.exe

MD5 27b0b5a7ed986c47cfe3c4e0a44b31e6
SHA1 be3b22d2043e0f403136a2cb6394029a25304395
SHA256 58769a4571477e660e59304eb50bb1d1b20e29b94ee72d4ad007f29c8944c075
SHA512 a70c76f47af6b8eb137ae5ee7c9b47c60ba8fefc2dbf7ee0e2fd9dce36c63e4ed0ed7cdc4443d30787234962123a1c9bd37fc52c3320991eb7ae09dadebadc23

C:\Users\Admin\AppData\Local\Temp\CwEo.exe

MD5 9e3bc4397c3f05dcce6025eb724603c0
SHA1 d0fb4a34353f99d6f8ebf35004ce7dcf832b2c7a
SHA256 fd3f865e549d51b7036e23111982f16ea286e79ae5e843b3536f63dc9338034f
SHA512 8989179b7f1ae56baef7e4350c042a6bb1426eae66234d600471b834972724c880045ac72ab870d44de37aa2b9298a9c67676e94444045d93aa5224c2f8d4bfa

C:\Users\Admin\AppData\Local\Temp\ugAa.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 eebcb59d0e1aebc0d409a4c888cced4a
SHA1 7d9f309384758aaf506312fadcb1e4ce6fa9bfc0
SHA256 74a3be5f10bd68373cae0078850a34ba1c446cfd1cc9bcd44e58326ec2c4475d
SHA512 020736943bd36977a1dc55e8cae99b7668e77051cd9dc9e53cb7303201322442ccdc8a10ad9235fd57747c9f07b2993c4e60ab1b85b98d874899d279e7708290

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 3bf1fd93a09cd82d42e88df101e3d48a
SHA1 8a1a20056edd77ac6c3738e2397b846cb25041dc
SHA256 1bcace43cb3bb267bbacdcfb3a5928db46744b33c03726de7ef80098bd879e22
SHA512 28f8a5db85546ea55511fa0e6566af97e23c89c1d34accdc40601e1f408789ac1615f77cac6cc0c96825adfd887260405021a1df791747898c95f9449c929309

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 0bae16a9f8294c0beb9fc4bfe188af20
SHA1 1b5beb722130e4073337d36b76e8d0f7e651512e
SHA256 752230fd2d92b7e8a7bd850382f198e60d6266084261e653b06f428dfcde813a
SHA512 8f336fa025aeee40b4353d35ab24dcf8df3a94af315345699aabc19cd68ee3bf4c082560da038467102121c39d4be1a63a4fe14169a5e7be7f224d4735076bc2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 a48ac32965620bf4cc9326c1fecb6b25
SHA1 aca69f28645a7cb4e4beeff48ebe7cd2b0d3ef6d
SHA256 3f48bec543180734804f0952c154c8c8992ee5389191b7a8bf0de6d480b21897
SHA512 f512141c6a78654cbbdef2ca1b08d932bfe2fb6b83d7748f9b162ceca83a2408d8372a3ca5c35c8f7c83d8a10b5f5583800a8fbf979c5eb6bf418ef298bd9251

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 771e769f129284abc9ed3e6cc48cf69b
SHA1 cfdcfe5fea929540acf0f8129e7ed329b8da16d9
SHA256 eee6761722ab90f6860b9215bd205b94df82b14d8a5278b8ad935385c2fe54b8
SHA512 475da7739492cdf2df2afed5bbac7c5cf38472efa1ab671d538fbeb49c28406626c4c0d2924bcba0127f65eba5abde56565641aa1ea54cecc3a0816e7b0d511d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 204d6723b8a6474e3b58221efcd21c32
SHA1 b1481b7b6e794137401bec2d8447710c39963c14
SHA256 9ce6fb5dac62ae5f6c92487b82c4f66021e39cb7f40275f5ba59e9b0bd4c869d
SHA512 8327e8bb03b71619509a07820ebb8134ed65d0b7f080d662b357aa6b86628a95e47e4cf0208d3cd7d9b35597259a56475ac7ed36e10c38b88c7607e481a52756

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 b910a12a7ba71ccf09f16c4b8ffa944d
SHA1 a389e5cf59e5ead1f7af1df10e4338eac515d5ee
SHA256 a4c12856fb6e93d0805d3c634e363c6d72919c97218a7aa765d75e87c1e5f9c7
SHA512 2c7295dca85396d73d1ca3946b9eda60217d73e15b35dd075ce73ea38810cda1c25aa02025536650db7ad0b3b9168a9bb7e51b8a51c7832c76a9ac1ffe1bdad4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 bc5e8b449f95ae20da63ca88e7f9d2b7
SHA1 a76456502811c5ab374631c5b962d3016d70cc8f
SHA256 db26d85e8aff874aa0a342f90d2551d0f0523465199ad4e781a1a529b3e67f24
SHA512 93ffb00e33d76c536280ab49fb87aeb774f143d4b72449a38bc4017f9efdb8ac7ddb84b5ba60f2a3e4ca0442a717f54d988b9e5bdb99fa1c0a3ee752098802ca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 f1d6ab038f28dad39a7c7969cfc87c69
SHA1 53c2c94311320d255f047a3bdb5d6433afa47991
SHA256 39fa2b750b0fe7aa298dfa7a7fc1710e48d43fa8b680524fcf5cfdaf3e3085cc
SHA512 d97254634f5cf22ffbb6d5d09fffb0ae8e153b61c19beb72c44a3f98cffc5c459a2b2ad4af74f2237ca9e3a3b506a30d6b8ea39a15f05c92035ecc476214ba3f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 d6175d4150ba92b6efb89f388496845e
SHA1 e872025375623bd12385e9dd893aa9eaf6b87729
SHA256 1f8a8bfb22621e9377dc83799e8956cc5976fb0353866236412e4e9089293691
SHA512 bec8c25c9244b63b73b41ead1b7b1be060082369ff620651515697ba16888583ab90f8dc7d565f6e58ebe82390eddb7fd462adbe2c37401df1e2908d8b9d8f6b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 d38d826fd47c8b238023664984308f3b
SHA1 9f65719040f0615a3551ed1a9a4e2126045e4d5e
SHA256 889159021e0a07d1df6e1ed66997412a7e1d8e8d0f40d7fa48229839ad587966
SHA512 afacd106aeea11de17fda0fb759aeb73789cdcd41ba4060699eff4212c5c0bd27b4ec2bd0ce434069d2ded6b17567dac1f1c961c4303657f0893a79943af8a06

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 e28f20bc2eeb54bad88bacb9e3b05f87
SHA1 9714194ba29ab33dd78af459ffff70f34af355e8
SHA256 d522dd64378ea4c69edd8be07e7a2f69d0a66c3853d9be5b26381e53ea200e40
SHA512 a69514cfd735122025e4cf7a97c62a7ddd53b65989fef2149ab10bb06bb4e48dcfb3fe2f39774897003be27536558f9efef565bf5f0f4077e7b59f2c96185a19

C:\Users\Admin\AppData\Local\Temp\aEwi.exe

MD5 bba1557f2ddb9f20da4f97254cc8bc19
SHA1 cef19d1d4ea50eb04b3a0cdf8e7cb7814f2afbd2
SHA256 1a64c5b49fcd8b943e1879660da1b2eaf8b74e9c312656c8c410a15b6fa7e1f6
SHA512 999f676653b84e880212bf152bec6da876c31333a8fb922d2da957cac374ffec4ddbeeb534b5ac534e3d1a1dcce16dbc7caadffbb36d3e1e2c87c763e27e4b95

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 500c959b6e086de23a7b5f2fcc755102
SHA1 1af0bb26fe7c67cdb15eb71e8c5de0bfef35a7fd
SHA256 3da3216f68b2b3f6a94422d882478a0254f220f7df11ad3f4faeb12db451874f
SHA512 0f218d1e2916a2a2819c1b39966b2bfa1e5faca3f60483b4ebbc531114ca04489d18b243ed10df6e0ccbdfcc5632a0d6a4a59cbd50012302981b43de33906ee4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 045ccdf2a984f3c4018f09ad9544cd38
SHA1 39822b3cf2b1f3cb9c4db9a9a6dccc86db9ec3b2
SHA256 2797ffb14c36abc2a316f2f468c145cc948fed323c276509821e87caba31968c
SHA512 16ef058e837dbb99117af1728bc540b7a58171d0a3e4c5c167aa401e4b94ea162e86329d7aa659bff3a88d6e49cecb9534cd8fb53f84c189a30cd947e4ba20d9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 99e394c38ac17372e4b30f42e83e9058
SHA1 c11a9cf845d4a2c6a3f784913424f57730a370c3
SHA256 04a689f9c88daff009b8f8af276ff1c6442abae13a6bc85470613dc7916e2cfd
SHA512 9584a824df5ce51748744beaff60834c3ad51c1ac6be10025cf4fddc409f45e9c09b53d69f1e276380621dd1b496abf9bc411963ed867161500e6c9a36fa30d8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 4bc3ea46d648eb456d7cb31c7d629519
SHA1 61b96369b172cc2216f53b386e0819961f067ca8
SHA256 689b25aedfed69f7ba544b6d2af8a80c822edaded8a52464dbcb7b2e7eae0205
SHA512 276ff337f272dfc7e474c7fa02008985346fee5855f3b700032e9f12293b69aba7ba64c39a125cf3aaee0f03eddbd7f4ddd1fb85896442556370afa6d0a01ac1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 06019ecc8b33d8836b28101db6fa6bbb
SHA1 fc4b894c1e8cd811e9a6c7bf582e920ba3ff68f8
SHA256 2fffa5a29ad51db6cfba9b4a7eb672a7ad459202d0e29d7d415a77ded0560a0b
SHA512 4e878bddccb7228072f0e930a26c61c118d98b06528b365530e8a1d5e2fb21d2f0eb35e1f3350dfe5bcc72704cd70ca019474591edf9a2d1095ceab5ce0a9c43

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 c840baac81fd375a4db2cd45ad65042a
SHA1 b6c43ac421272a8c1d8360d3c9473d3b308c55d8
SHA256 9b591f6d0bed04b41cb2c60d5010efadc3f7979fea1cc80325fa6eb92b6c2aa1
SHA512 1115fd019abb8ebe443907209089fe99dceeb2714faa15028a6dcf597eca9c94f03987d03bdc4634c7dc385ace30ef8f24730fb91c4a73ab240f8eb075c0e22c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 e19c332adacb050000a1d5de656aad9b
SHA1 bb9278fc647c0a42d9ee7c07bd5d55aab8c06210
SHA256 dc432a98b41b1c2d4d0e1f76c9b200c9f56e8b24095c7cf61f1472e596502aaf
SHA512 fe10982535904b4dbee9d026ab98ee3d2a581bdd5b4c1944b39242dbaa938478977c0a287f1ff937743fa123d586863596d531cf4136840fe6af555d5998def2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 bad0b374cea2828e78675ab45b06d61f
SHA1 481a202a06ea843d8588ce1415aa29d09a9d0637
SHA256 910a26ede934657f020b1a8cb9db9562c2799452e1e3441e22a901bd7967d77f
SHA512 7c7a327fffed23e82dfb3c97c2e2f01f7da0505d0ac5bf39aadf5dafc51735ffdbca0645341e80b839a37959b5e961e72a2697e0204ccaa3059be2918123adfc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 6da26a2572d9a3d96fddbf60d75d3466
SHA1 4e7b0fbe5c68069c8c8ad33d9f3ce348fea2ddc4
SHA256 2faa38b80cf616d9f0617376c4fccb5ff0a58c08ab3487220e21d655b2145376
SHA512 d3d905d59197ef6c878e3b3ec025107f05f81ff06a4be6132724d2c030b27d43325b7470b3fbd523603e42b5d2bbc2661a886e8971c54ea82e4cc29d7c5d1bbc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 bf30b03fa5a1643cc4da8359e9e0a927
SHA1 a57298812fe9583ec98cb70484673555547b040f
SHA256 a4fff43473ebf2eaa13caf6b52587658842b3d1fb3c4df627d58aaae83fbb66a
SHA512 f458d873df49e2601fe9b2c76ee282fc453f79d4e409251ef7c509d8d9b0c9995fec599435572c7ed41023853437daa920c53bec445cbe35864860f3a5cf8176

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 faddc752ce4a4345d00f73aef450f6d7
SHA1 fc348617e136e8474f41cd484422b6cb5adf4bc3
SHA256 9db05ec0eb9c0ca529721a3bb1da226da90a103246184144a3a6673ff4f4a92e
SHA512 8d101d80fb6a137b90945708076a4d6320aea3878b8b4ccc2af0e17793d97274cd6d231f0bfc6dd86d3b286369f28e7886aa0814ae8e65164431a31b2cfcce60

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 dcd4e24492f1019a6b8858ddf1153be8
SHA1 b4c26b146b249b15e4f320f8e92471eef2527d0f
SHA256 5085474d7b856526b7255730918d87c9a5f7c9811db244cc815ea48027e066d7
SHA512 8d0a5974c90c0decaf7b217de27645ec4b9c072e919bb0882363b85c128a92e87e95458d44e5c8667e3106d5cd3bb65a3d52b23677c1bb8dad5248cfaabed13c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 ed506848aafae312f48f756af5fd6948
SHA1 bbe2fbeedfd9d95427608b3f62566fc7ec03eaf8
SHA256 38a3b4dbe0627dd02c033467b35027ee05b0b98625a229964adcf825383c6a76
SHA512 9d78c7633ffd7aa16a4d8fb6237dd9b82b48d613220e8b14c9205c5c76f5dab6ef6dd0e09d9a25f93d5d2e8eee94d0376d68545405e9ab7cef08d5aa2e26098b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 32ecd09cd786493854f6f96cfd775454
SHA1 24d0fb55c34d1f1d93314f9f59954f52027545b0
SHA256 fea78e8d1b1dcaf081747cabab750fe94f0fdf39571f2439671da98d9604d674
SHA512 82b73f46322a0b2b2a23f4d1ff734d0ca9f6e7760cbc3fb79e2b234990632adcf6207926c14cd4aaa326a192a12727afb8b0bf374c77c8cb93a559ae00d9aee1

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 5f27e7b3f89f4b83446fc7f799cc1307
SHA1 ed15df1dfcd40a14744dc1a088cb35cf6a98948c
SHA256 89f8e47b9dd7a33742dada6c1aa89eb008377c730b60b48f3ab1e7ef24d33281
SHA512 33ea87d18755c0bce24eee5c01eb1a66b56210d5da32032a6aba4922499dfa69e0c042d996195db4f01393b573091e269f609a920f64963930b1be779d1d715e

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 f9a7abcac14409c0c6af6f6865f67cc0
SHA1 406e81401f14496581d3b70759bda2c495669ccf
SHA256 4f8817eedcd8990191f61fb75ec169b4a5a75105e5eda09dd9e065298753e17a
SHA512 ab00a6e15123ef792b7bf644dfd7b69118d4ce509b26121e6c915a9b1c69e75ad9b9bd985049710e69ce7fd8688005aa3834f7625294d7c73733d26c3246931b

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\Users\Admin\AppData\Local\Temp\egUS.exe

MD5 7f51300b828757b934ad26828b0a6ec4
SHA1 420bab2352d432f8fde9247bbff6f608839b1180
SHA256 4e0497229b790271e6bcc9204e53e2fe95441817d370ba190e8f6bca64e53da2
SHA512 648b1e68981bd079459d1d8206a012b82e4fd378b7ca6aa76281b794d505bc93f3e21007b8d27ac61be80a9232b7456f7fe87951556411a54f457a6842fa1329

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 14:43

Reported

2024-02-23 14:43

Platform

win10v2004-20240221-en

Max time kernel

22s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\QgkUMsMw\QCMAogAM.exe N/A
N/A N/A C:\ProgramData\PKgsYQcw\hYAQEcEM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hYAQEcEM.exe = "C:\\ProgramData\\PKgsYQcw\\hYAQEcEM.exe" C:\ProgramData\PKgsYQcw\hYAQEcEM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QCMAogAM.exe = "C:\\Users\\Admin\\QgkUMsMw\\QCMAogAM.exe" C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hYAQEcEM.exe = "C:\\ProgramData\\PKgsYQcw\\hYAQEcEM.exe" C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QCMAogAM.exe = "C:\\Users\\Admin\\QgkUMsMw\\QCMAogAM.exe" C:\Users\Admin\QgkUMsMw\QCMAogAM.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Users\Admin\QgkUMsMw\QCMAogAM.exe
PID 1052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Users\Admin\QgkUMsMw\QCMAogAM.exe
PID 1052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Users\Admin\QgkUMsMw\QCMAogAM.exe
PID 1052 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\ProgramData\PKgsYQcw\hYAQEcEM.exe
PID 1052 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\ProgramData\PKgsYQcw\hYAQEcEM.exe
PID 1052 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\ProgramData\PKgsYQcw\hYAQEcEM.exe
PID 1052 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4648 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4648 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4648 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
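
The WriteProcessMemory rows above double as the report's process tree: each row is a write a parent makes into a child it is creating, which is why even cmd.exe launching setup.exe (no injection involved) produces three identical rows. The script below is an added example, not part of this report or the sandbox's own tooling. It takes the rows as constructed input (copied from the table as they appear), collapses the triplicates into one parent/child edge, prints the tree and lists the Windows utilities the sample spawned. Its regex assumes no image path contains an embedded " X:\" sequence, which holds for every row here.

```python
import re
from collections import defaultdict

# Constructed input: the rows of the report's "Suspicious use of
# WriteProcessMemory" table, copied as they appear (each pair three times).
WPM_ROWS = r"""
PID 1052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Users\Admin\QgkUMsMw\QCMAogAM.exe
PID 1052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Users\Admin\QgkUMsMw\QCMAogAM.exe
PID 1052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Users\Admin\QgkUMsMw\QCMAogAM.exe
PID 1052 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\ProgramData\PKgsYQcw\hYAQEcEM.exe
PID 1052 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\ProgramData\PKgsYQcw\hYAQEcEM.exe
PID 1052 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\ProgramData\PKgsYQcw\hYAQEcEM.exe
PID 1052 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4648 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4648 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4648 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
"""

# Row shape: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>".
# Assumption: no image path contains an embedded " X:\" sequence (true for this report).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\\S.*)$")


def parse_wpm_rows(text):
    """Map (parent_pid, child_pid) -> (parent_image, child_image), deduplicated.

    The sandbox logs every write a parent makes into a child it is creating,
    so one process launch shows up as several identical rows; collapse them."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return edges


def build_tree(edges):
    """Return (root_pids, children_by_pid, image_by_pid)."""
    images, children = {}, defaultdict(list)
    for (ppid, cpid), (pimg, cimg) in edges.items():
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        children[ppid].append(cpid)
    child_pids = {cpid for _, cpid in edges}
    roots = [pid for pid in images if pid not in child_pids]
    return roots, children, images


def render_tree(roots, children, images):
    """Indented text tree, one '<pid> <image>' line per process."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def lolbin_children(edges, names=("cmd.exe", "reg.exe")):
    """Sorted PIDs of Windows utilities spawned anywhere in the tree; their
    command lines in the Processes section are where the registry changes
    and the second-stage launch become visible."""
    return sorted(cpid for (_, cpid), (_, cimg) in edges.items()
                  if cimg.lower().rsplit("\\", 1)[-1] in names)


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    print(render_tree(*build_tree(edges)))
    print("utility children:", lolbin_children(edges))
```

Running it yields a single root (PID 1052, the submitted sample) with six direct children and one grandchild, setup.exe under cmd.exe; the three reg.exe PIDs cannot be matched to individual command lines from this table alone, since the Processes section lists them without PIDs.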

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ead34dbd568dab561004d36d88990158_virlock.exe"

C:\Users\Admin\QgkUMsMw\QCMAogAM.exe

"C:\Users\Admin\QgkUMsMw\QCMAogAM.exe"

C:\ProgramData\PKgsYQcw\hYAQEcEM.exe

"C:\ProgramData\PKgsYQcw\hYAQEcEM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country  Destination          Domain                       Proto
BO       200.87.164.69:9999   -                            tcp
US       8.8.8.8:53           google.com                   udp
BO       200.87.164.69:9999   -                            tcp
GB       216.58.201.110:80    google.com                   tcp
GB       216.58.201.110:80    google.com                   tcp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53           64.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53           g.bing.com                   udp
US       204.79.197.200:443   g.bing.com                   tcp
US       8.8.8.8:53           110.201.58.216.in-addr.arpa  udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa   udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa    udp

Files

memory/1052-0-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\QgkUMsMw\QCMAogAM.exe

MD5 964b90f2db0dd5c4b85781d369b6455a
SHA1 a48dfc72e9977184e1a2f62b36e838718ba7bdb5
SHA256 7c35adc1d0490297cae58c274d471f6f904148e6371ac5157fae71feb2901713
SHA512 6970f95f882756d0470c9910f2bc41ee1807623da56130a6ab8e4b76910dc19fe0c228691426c9f32100e879730d09a09cbed1361a2f4a46baa407304f6d020b

memory/2980-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\PKgsYQcw\hYAQEcEM.exe

MD5 dd5d7e59e3d854b1159923a695235671
SHA1 204770ca2a0cf0cccea880b509f6991a4dcc1557
SHA256 1e365ec41eaec79b58631f676771c82d6284a5906cb92e4aaa7a1e812e806713
SHA512 cb166cd45905ad6a124eeb7c728ea1fdbcd1d39d4bcb9e8faf3185df73e7e0774b27cfe6ca18626c7facd68332ba8b6d7bfd82c65cc7d6d66a78f5a3090e9c08

memory/3196-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1052-17-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

C:\Users\Admin\AppData\Local\Temp\yEUe.exe

MD5 956be78e6d949b51e19f2b2781fda4ee
SHA1 41f8d9ec31d9b3dc842077f119550c494bcbeb4e
SHA256 8970d864ee4b9d236aa6c8d781c8319e8df16a4e46fea1e0b797cc5c0ef55afb
SHA512 2736995aed5671ea08171e868d26f1c7c5d3fca93761e108af9232a9d7ab65b4fb77b6f1feb91dc7096030db339305d2cfd0e0f5d2bbac56a77a477a2b31913f

C:\Users\Admin\AppData\Local\Temp\zMoi.exe

MD5 4af31e5a2b3dfe116a1a840e8dbf5d89
SHA1 18ab6ed8717dd2a4641e82ef9e7c0657da05ba28
SHA256 4925a4becef95cc3843f29095eac39cabcccfd5928877f228bd0fb12a18e6350
SHA512 411626cea27221c8670a578db0136971f96c414234d4b9516cfcfcc657e35cc9f2ee94c426c9db7bcaef2bff077bfa0926645bb22c535acca404ac3664642910

memory/4256-52-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-51-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-49-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-56-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-60-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-59-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-58-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-57-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-61-0x000001948BA70000-0x000001948BA71000-memory.dmp

memory/4256-62-0x000001948BA70000-0x000001948BA71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OkII.exe

MD5 4c7fbb5feb666f006772b286666522cc
SHA1 5eb191c71ead9871f984b7e758ca5aa35d51877a
SHA256 6af78a1cf913e2e378bf980b28846cfb343889ce55507220e2b078ad885f1c0c
SHA512 866399b72ea6dba6f30bd5aa1ffce299923feb2121fbea6746a8d44a22e179c3472e95ed8d672e2bc1b4def32557e149bba6a74b01b8ff17ab1969ff9cfd15c5

C:\Users\Admin\AppData\Local\Temp\aUAs.exe

MD5 9bb8a74fc9660a6f70e0754e40017ccd
SHA1 4a99cf9fe5bfcd25054b4e4e7052570ce33f77c0
SHA256 c4fd998911a0f55895b42c4ad692114563bd554b8d71b2af9278abdab9d463c8
SHA512 464aa1dbb53723d5643a029c50cfb4d8d1cf00bd85284c120903d070b7b8c41056c8e6eb08445ea7d740d7e07f4a8ee49a878790ff58e6940217d0a25b2e7c59

C:\Users\Admin\AppData\Local\Temp\jUky.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\AIck.exe

MD5 66402a37e70c7a8f3dcc5b2c6b7cce3e
SHA1 870e1c670fe2732055576de22497aef00b16986f
SHA256 6eb1ec94d3bff72f9cedf703315bbf6946fb35983cca651f69e36add735eb17a
SHA512 81407c0fee9029b2e05bdf9e2b93451f46dc7b7d6dc5a815c544d6b0130f256ce1e63d506319e287e73ceb80413b24b8915eaa91b34703bcbb19b69c097b36d4

C:\Users\Admin\AppData\Local\Temp\WsAe.exe

MD5 50bc539068a8dd38726f4334906f4033
SHA1 3d3590cb1a9377078f313d45731dd265c0995512
SHA256 0b38d7b484061bbede6f81ab435b9543ac39b5101de81d05ac22213111735bbb
SHA512 32469e4f88e496b8aed308631b0ca644b8c3f88fd035c43b746e9ce6cd698bfeec12508d996809d9b362dc2332b7fe729e1a781062f67dbe5ce4cd7b517da1b0

C:\Users\Admin\AppData\Local\Temp\mQIS.exe

MD5 de0d526d2679e1a41721dbf458696ac0
SHA1 18bfec5c0ebec39dd84a8c00002728c4f478f15e
SHA256 34fe26a443d8b5ebd3823d28f11c3bd2f823ad2a7ce819bfe875309cd68cb4b1
SHA512 8bf45c8ffb033b674bda128ec95bfcfb7089417a9519a79fd797d7255b2c8f948038e33ca3fd6290cddf82158d3064417f0fec8f8c550acc518de9c79be5e27e

C:\Users\Admin\AppData\Local\Temp\yIgI.exe

MD5 e98ec52b56e5856a8f0fde2d17b15c72
SHA1 d7a5d26134b56de3ac1b9d737642126172e14ecb
SHA256 4f5521a38f3690b9ec88eec9d690ec89f3f8918168bc666ce760f7f27fc6f14c
SHA512 219fcff013e9ad2c7bda4897986eee75b87e1b2de39ffa6b6acead67cb54af62dc41d454c15e2ec8cb66333f92261bed0b870601dd01e650d6d06e7cd599634a

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 2d3ab29a3bd0dd341125f40beb91c299
SHA1 ce6e0341538d56596ce68aa20cead489f1376686
SHA256 519b6fa861447bdbdc4c56d64c0afd508e3bf582834dd899016d69db755f6593
SHA512 d4b932e02d522aef4b772467cd2836df4210713b87aa61c11f003b8879d966604dc748506d610798ec8ff4bc02cc741041f624c2efbfbe2028a3cf144644c3c8

C:\Users\Admin\AppData\Local\Temp\IMIu.exe

MD5 594d2e26b84f9ceebd5416b7231a0139
SHA1 5e554ed6bc989770f6445a6c763616cc91cf31d4
SHA256 1274768ecc4fe9767e3a7e9e616e0a4ebc999fd3726a7aafa1fb868b0834796a
SHA512 21b663b863a576d67c01952805f682d8a2997fa0dd260103a446118e63293cd050ead98c93d6f2a8bf4e80e35ecd9455511b026cfcb29b551e901132d7970d18

C:\Users\Admin\AppData\Local\Temp\Doga.exe

MD5 b9a99b24891abce06ac5ace0ff6de8b6
SHA1 2228084ad4b4ee8d81b0cb1e929068ceab3ba69d
SHA256 a991042a13285a0fa99e230073d3a61b72fa15c6d75249842b9042cfb4282254
SHA512 366b12ca1e6f4775af9bbb05342a834ac6ca4d5e9534bca7554fa1e2a2eb210338432a5ee7c0e4ab5aced6db50f4a25af37e9b8400cb0cb771dbf42aa10c9dc3

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 a87555ae15a376b63f3e175819c7aa2c
SHA1 c4459dd6753dba93045c4a9fdc9078e6aaf2b8fc
SHA256 7b53afaae1cd5d8d697b883ad046be38913131b358633b6490cb70cdf3034fff
SHA512 b10b57bbfb4516c423f46f3a38a7970330e4f64179655f5c298dec37f9738b61a30c329afe36d02624024036b3cf5e7b3ed4d7da1fcb9cc2da1eb8e7b925000f

C:\Users\Admin\AppData\Local\Temp\sgwC.exe

MD5 105025185f6b36d165ad0f9318efdf81
SHA1 002fdd38624facaff2592cc750d6dcce7a0948c6
SHA256 7ec6de5cd1c2bc3a41d9e3d666edd26a9d8b004d0426090fd52fd83a758ea309
SHA512 f76a3a279c8888d39b5eed3e29086f45d59d608c36562f6a11b58573f923df57232c04785b6cf5828a7974c80b22651283d19f5f936de97f1f9ced0c30814628

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 c3e5a83c08677ece6f39095b9255ec5e
SHA1 f1b87bfe2301e58c6356add1f1366b27d5c2c08d
SHA256 781e3a5e071c2820a68d4f49bbcc95497d725d468834f2fcb4422926bd24ce9f
SHA512 6c9addd5ded7ec09505b943cab40b59abc123a91ecb4900828d2595fed87ce40312364f13721803a52b7ce00964029c43e54a8ec8ab2b73c39bea1adf66338a0

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 ea8e91463476d5f08b0b7e20a79f74ae
SHA1 159c49c6054247e7e1e73e72f3c457558bf28d68
SHA256 4ee6c92fb5a2d18a29382d9cf530ee2e63f3e18956c7f6d3705d56518b4606d3
SHA512 a7c0d683eef5b66a10bf1ff1501ebbfe76fb846d8e9dfaa7d803e3f65a1d14d890bdb68ff2393ccb8294d0b69a9766f17ec502d7049ce581fd143b4f65e4fb56

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 3fc22f8e1b6b7c41e10c586804a95cc4
SHA1 7e9f1ba68315a4feab679e9b4c46d35d8bfb0922
SHA256 4c5521c348735fd543558bcf067c39df429b6a1f21236bd839d6966ce677eefd
SHA512 099bf92130509bb6cd72c1ac38495148509cf9415f0f20c417a0bfe8feabb98d54ef3003b5cf3ab00eeea710a773a143a210cc6400baf201dc8286ccd03acde7

C:\Users\Admin\AppData\Local\Temp\rcws.exe

MD5 9215bd6254f1f36528874903e542e142
SHA1 42ae0e8d201e49c3c42e29e2117f02cec3c7e2dd
SHA256 6a6c3984be6a18966f179f03e7b8d48e684b66596c1a0b206df1e82b3e546f0f
SHA512 b8894138aa0e3e9098627364a5283aec0f3acbf289ab899017423f2c29b1a59e39217f575bb78884460ed57037a4a5819d34adef4555f2d5df3d1e0f83062465

C:\Users\Admin\AppData\Local\Temp\wkUC.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 fbba3f46203440a7b3bf0b0a4450cff9
SHA1 d9a76aa55b783c52bfc518290d4cd233ef083e3c
SHA256 b6800196d370944550737a7736342e04f832667b2ff3a4d66fd5a5f4093e8b09
SHA512 9c9fb3749de76cb4f957f6d20918a30688cc3fedcdf7bfe5828c650403b827bfad77f43b47317152b636904a72e0d0c81d294f09db5fe8cf9dd792a7ae71eefe

C:\Users\Admin\AppData\Local\Temp\tYwA.exe

MD5 2978e01538b4cee3b215929a2335047b
SHA1 cc6cac163567d12f5503402e227cd4fc76df8da6
SHA256 ac35054ad25f2c55f7107b71c9945d573a7ad6f65e3705a3b045eacca8cbd7a0
SHA512 2bb24c47ddc7f9effc329d886113aac6595c7b434756932abb9b13adf57b231aa35d312d4ff8f6550cb6fc482b4a945c69864920f8d9817955b443ddd5363f75

C:\Users\Admin\AppData\Local\Temp\XgAK.exe

MD5 4aa191b363a50ced3aee259107a1dece
SHA1 4f88fdd1ed9ea51817490edf2adec88174a842c5
SHA256 77f08bdef88cd2cdfb67fa275abcc2289ceeae905a15117ddeb6c5f976849dfe
SHA512 621be38033d8a731bcad520a3b264806a7e473bfde70b5085a9dc567b7e4c8b93708865a9e27cc1432042c47b349a1b8b8cea259cc1b531ace2bce0465e940c6

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 94d19fba05f3788ccf9353c75b77834e
SHA1 6c6c6cfbff86889bef5742e5109a280b072601ee
SHA256 d0fc29f7d18e2fc364c195c5e808e28a3705327bcf969bbc1ddb7e17aaf5128b
SHA512 1f1f4f97a7daffdbb05cca9f175584090aecc92637273c0d0dccaf41b57f897ce3c4f708faf7cd70fd255456ef788f72e5e8e379f486269ef22499635270e6e8

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 d7fa4f645861a08509df56e1fab01b8d
SHA1 820096dea3ca601a0d9ee00279635fa37b6ff42c
SHA256 6096caebc19112de20b2cc911fef7dcd087ebb42151eeddf1b8e22804964ea96
SHA512 94e650876e15cd3feaefa56d1c39463a937acba764be0374376590748f16fdcd42b5d225f7c8b1c73c24e92b4a2af0e5903c05e11ce0a83cfdbbfec73a92be9d

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 4642c7f2462e3e15f04fa95998df7616
SHA1 1151eb4a42ad000cb952e1960cd20e207d122cc0
SHA256 d0fffa53ff2fdab381131259120e082428c75926197bb907511063e6a69a52e6
SHA512 deb00fec5037ae16cacd3b1618cc0ba1837c3ed2d2e230b7121ba63dadf8d82b0165c6891c0c6d1237961fc92c3adf75ae223056117abfde87280d9ccd3449f5

C:\Users\Admin\AppData\Local\Temp\OMAQ.exe

MD5 789fbbbdc08d4164f73627a84da2afc2
SHA1 01f20760f210b6c0bed375c530355c733b001a1e
SHA256 1d6ae3f8a373d3bbccf6e2e90893d8ae7ef2dd438965c695cbdbc85aa57abe02
SHA512 29036893e80fd9f62e2423fb9880c9df6b7ba97213fe299e660834e4f2817ec14c5424585f3efdebd6c94cf0cfdd70650f363bc165b64affde3c10441a98bee0

C:\Users\Admin\AppData\Local\Temp\cEwC.exe

MD5 c14d88d2b605a91bc798486528b0afdb
SHA1 9bdba6de3e60901a3540d6a44f72423291fe26c4
SHA256 2dbd85907607ec6a5a5e13c49dc06252d38ecc4ee1b8f2b5e634856b8e46cb13
SHA512 96f8c932a3417b1b2d5d42fd6090e08a2b12a14110bf71539467f9200603f760f5359f43f5f2771af4b7df579648d8c17f0a426c0a4dc2b60ac30c63b4c2c071

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 7da51134820fce80a48dd2ba21fdf9ac
SHA1 dcbfcc4ddc72b2bbcf8a384889033e0a111a8b0f
SHA256 124521713c4f98d83a465c98edba43296867858466482d6d42dd6232c450c8e4
SHA512 febc8c62cd92f8b253cfdb3d5fbdf0caaeb700a9978d131308cdc94be16dc1599202ea500b3eb25065042efae324d4d73f3985b5d91a918d26c1e291d64ad7cc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 cd8071b15fc717a3a95f149edbe9bb7d
SHA1 956764f1d943c96144d6a2a543aa2fd6a1cc5ade
SHA256 77d9442e961a4add9e728e8933cd5873a9182218241abd15b86ac79347443db7
SHA512 47fd3d30984bdacebcb0d163d5ed180dcd3cbab3a080b2b0d2a36e4f8e3b1d9539fdfee3649bf78bc2d1a09af2cc6a7ac336c3d10fadcde76c6708a892bd49c2

C:\Users\Admin\AppData\Local\Temp\wYIW.exe

MD5 83b9cd02fc4f0e9c5766cd75e52ecf45
SHA1 ab09debdb8fc18e41a1fa0176deabee6ffad57ef
SHA256 5616eed8ef1daaabd77496f84c694c32d6c2c18bb70c13f7568e61d05b41bdb8
SHA512 1762d26bbae83ec8c57d99fd78d3c302844233d1fb70ce4e72675814faf2e836d117208d9575dd8f8f9cc75538ccec2d6db32436a57b676bdbf4eeb5997f5fc4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 722a04d1f9208e5e48b1400bf395f6c2
SHA1 10c1ca123ec4a5c652c981b83eaa2eab3767f535
SHA256 59c155336d21c7c4a7ab7c79b439e1586c91ff20d5e224cd6a326b7273f127d0
SHA512 7212c32aa7568309f9e8fe5bfaca2d57625f78093cd26d9477c247d1c55b5934c4963d5d4d279771278be406b754105066386ea076d3ec1e32e916e2790bbcfe

C:\Users\Admin\AppData\Local\Temp\CMES.exe

MD5 0186e6ba33ca5a04eedec1cd3c581c77
SHA1 8e7b79433241cc5d2e21fd03add8660fdc5f8210
SHA256 c1a1720bb8a7c06676e41ea2977f0e3842e5b963e59f64ea7626f477414c71ce
SHA512 d2b832cffc7da08694512280af2f8f465ec4eb9b3bc403abcd46bab41be3d7b4bfeb2c8c433b02e9c8acfd383f72059a1771eeb7d7f1efee795b0a0fa031d2bd

C:\Users\Admin\AppData\Local\Temp\sIIu.exe

MD5 55b52ff0212d42e72a12f972e1eef83f
SHA1 1119fe747bc8515390b1c99c5899431c4d030d3c
SHA256 ca552a7da2adfb6e9602768caefa7b85d278420b859bb49dbe32891456086c49
SHA512 53a6cdca858fb0f968eb757e4f5b260a67cf65c364df628b4801c31f0baad031fc0131758082f06cb92a957278c29a643cb27b7bad21aee96b5f833b765539ec

C:\Users\Admin\AppData\Local\Temp\IQwu.exe

MD5 b63d4da391cd9b4e78bb125c2caf8c09
SHA1 db6e71b23392d96c451154e8d7040509279c51bc
SHA256 38e924575dc706963fda8fbe302d5c46b6f7bd93c844e2d707931e686e2fb413
SHA512 0d5d90e0fb839c07200f4d117a6505c3d1bea16c8250010897372af9f194ae606b56b7c7ee9ec9a77990022b8a6831f5a78e6d2888d4f1be5f3705b5b2cabfde

C:\Users\Admin\AppData\Local\Temp\fUkw.exe

MD5 02f7a2431b14bdab7c71d143b94fb6d4
SHA1 609e17abb864822220cd3e7ceb18f84378603988
SHA256 98008b62b9c735ca8c13f5d3bf4df1befbfc9bdf98fdd04969e0248ce3b5570f
SHA512 8fe9a9bac868c40ce72127ee4e45dcd47ca057e3f3a0b0ee4fed10e136cc8f72e04671620fb04e94fa7823e4790a8e74accf9af9b8105b1bedec652c58f59b23

C:\Users\Admin\AppData\Local\Temp\QosU.exe

MD5 b293b0f3c1ae062c736b123a40c561d9
SHA1 953da4fe26bd335fc21f6bb477ab250864019e76
SHA256 f1e838f2cda6b74ada2890383e17b761c0f1938109bf954693e8d9f142392b71
SHA512 75307ba12a7b95a941636aefc51d44c2113e3036cc8a7519c8f35025aef1a4a516e6c4d445264e54d1c0d67d88c848bf0a39c93c8f197af1c1531cf1af43ff07

C:\Users\Admin\AppData\Local\Temp\aoIA.exe

MD5 6d32b484459b88e5d18e6902498c51ff
SHA1 80d70a2d7f505a980594b9fab71978d005923616
SHA256 55336c3f60713796d031f7f599fc020004fb9d67e289abdf196370a0c57afdc9
SHA512 4652a8d99c5fac253d46f77b7c6c00c5556e677f08465b921a13272773132c90f90ed85ea6b881f9efa423be21a4f93ff650a79cc1fa5da0c8be37248a772064

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 bfc805df6c0b651ba9c64da65d0a4f77
SHA1 b6397600fabef404e4e1cd35627527b4a7c23ba3
SHA256 c2d3404acf51451b9274567f8cfdfa6c0b8c46a92dabccbb86dffde1423a8930
SHA512 fc48fc97f0bc18432cfc311edd16cd6986bbcd7b543c36eb4d0276e92da637a912fbb1353cf8ac63367c15da51826b35e58c65c1bfffddf05dc107aa2cb01d75

C:\Users\Admin\AppData\Local\Temp\twMi.exe

MD5 696e598b465165c1ade195a2abdf7643
SHA1 99a8abc36b1f49113a12cca02e9e49aed4322095
SHA256 a786b9798aa9778cceba9a2fc053a36547d0eca036f93dda84981816f5bdc69a
SHA512 6866b85188ab60e8a1528f48ec3ee049d92a0ae1383258f49ae10b8b4b2817640547650bec35509512b2ba02112b70afdf0e35d6634fd864a4f234ef322af690