Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-2dwq8scg9z
Target 785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00
SHA256 785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00
Tags evasion persistence ransomware spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00

Threat Level: Known bad

The file 785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00 was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (54) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:28

Reported

2024-04-06 22:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (54) files with added filename extension

ransomware

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYcgEoAI.exe = "C:\\Users\\Admin\\QwEUYcMo\\IYcgEoAI.exe" C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QUcIwEkA.exe = "C:\\ProgramData\\ZIwEIgow\\QUcIwEkA.exe" C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYcgEoAI.exe = "C:\\Users\\Admin\\QwEUYcMo\\IYcgEoAI.exe" C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QUcIwEkA.exe = "C:\\ProgramData\\ZIwEIgow\\QUcIwEkA.exe" C:\ProgramData\ZIwEIgow\QUcIwEkA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\ZIwEIgow\QUcIwEkA.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\ZIwEIgow\QUcIwEkA.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\ZIwEIgow\QUcIwEkA.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\ZIwEIgow\QUcIwEkA.exe
PID 2880 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe
PID 2532 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe
PID 2532 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe
PID 2532 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 2216 N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2216 N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2216 N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2216 N/A C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe

"C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe"

C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe

"C:\Users\Admin\QwEUYcMo\IYcgEoAI.exe"

C:\ProgramData\ZIwEIgow\QUcIwEkA.exe

"C:\ProgramData\ZIwEIgow\QUcIwEkA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 732

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp

Files

SHA512 ea3f2e8b4bd831d6349d9544862f7ef5005cd1fa2968b1b0ffd6cc7891f82fb716f96ca3c0cc6fdd39033d187a29e39cfaa0749f351f104431b52c54374429a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 f51ba1f374be8e8ac9a0a4f7e8aa1096
SHA1 f97ee17e31c15843928d84ef86c5e3c4b6d085bd
SHA256 0f0820210238ab826dc8a929ef8eda1550eb51986864de178313ad7407d5ea3b
SHA512 0e88c86e28330d6a4e095fb5ac7fc25ff5d4991ec76dd5875bd5eb71a3cb5bc78b872ccc15017bcd7009911177157b7bc4108d7a8432455a3905c79905e4c010

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 4902f44943a2c851c6042c390690e433
SHA1 1f062f2c4f48a6f73b287e037b422a79a1608944
SHA256 f0b27eee173842b9601f35b9dc5d0a399c4e09aa4ae1edde94f12e74269a8e30
SHA512 d23d2dc0eddde7551817eb96145aa713e74fcf19b2978ebe26e25fe80a610d84c912233d516d76be1f313c340c4c6d72e1b30713a08e9ab39fbb6bb93ada948a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 f2a4c8af52ee4621311f59b41c02da98
SHA1 702ed1d95890dcb00cce0be5b52f66256105f383
SHA256 22979d53d36536bfecd3e6c9635e77f54db0d80ab6308f3341096c180215ffd0
SHA512 216d628311b92851d56ae00396bc948d38f37fc598b31abee4cd7a6587f41581441f80246c9534311a548a0c51d4613b19a75cf482e7be709d8d2c7e4ae042df

C:\Users\Admin\AppData\Local\Temp\OcQk.exe

MD5 b6d3b8288a0e6d1f3efc33c5737bcffc
SHA1 121fe60384c3753e0307afeb595555d9b2e61d77
SHA256 6bbd4d87c2fd8a3813885b37a1bd60c3d8e3e83dd5f05d170505b2437add2b2e
SHA512 46e199abe74ed640f3f05cf5d569cdf58bed0ccdef12dd2c6ecb131903fdb82f34640be9954042d2fae1302de3c9dd130896a618e40d0fe3b77745aca4bb9cdb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 4114d9b3dc81fec95826936440851f51
SHA1 ec06a3ce4e52c00ab3e211af778e667b0cf8637a
SHA256 56c9eb9e71ce5b41d45b292a7597c4a2122bd296999ed13938ff32e5e5b4bf1f
SHA512 30d3e7b28c0a4ae3fc69a4b0384b7df54a4e50a0e788f47f861cd1e518ce6be66a36e6c32c3869cd681fff8b1bba36a8c39bc5727601a02770f841b125d54957

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 d8e2701c3f7a4d4f0de7b54d15a6fa8a
SHA1 c24dc9a7e82f5cabcc3e057c4b6acf148c0fe276
SHA256 f6a76edfa9f199d91c532fca91a6f71a0a01f3525d9e47573ae59323b6cfb424
SHA512 509c5e739f1f17bb379c12fdd43df8f2aec211b9e21418df130c531a86c4efeef006e08f7fe3501db44090f624b1863803db3304c7722f85848ea1996e6ac2a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 3ce806d27c81a6047bc3bc7369b3d4df
SHA1 660477bd904ef913702c153f93514aa7e7d89c95
SHA256 bded2082da3e28fd98a04297851c8a510c9aa35ea8b53ec32a578a5554597266
SHA512 d3c5c51c7f2dd5e51fa1a917b0914c3831346e0801e94619baa60a57507b63fc82f36f9baa060453362e454f3c98eb66be4aa9747eae3d285ed940824e377973

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 3628bf29271fcd315f24af3158085da5
SHA1 b5d4044ec458423536aef5a251875dd7285d5543
SHA256 c71b41668f8979929c810580d47d67624af50cb00a541597739d2df7fbe9e623
SHA512 33bc6e28f5f5d531b99cc8e22554b4bd6514b8cd633b972c5ee6ee36f6bcc94864fbf228f9c96811e2d143bf94ef1056c7169dce0773e3a765c95482afe0c4ee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 d10a8d3eaededb4d076e2b70cb62d36e
SHA1 68da0699efce11b9fdc2424481b10e2fe95c856d
SHA256 5d5b0ae7b2578966036bafa6607a92253d48f2cc7668f959f3d34fabd5fcad74
SHA512 610b86acea58199c02ec2d33bdda134103a125527413a2c5d8f50ac8afda3a4f19130e2c221bfe2b5351d6d6ecf9fbb34a8565f8cd21dd05a558fb4865b199a9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 822d638d05b0c508b98ec5cc1b721baf
SHA1 078e9b76711dafeb3e62875ce9bb16a488909ef5
SHA256 fcbc0a47baf3d740d16aa78b4d3848a3ebbd3b23ea32069aac9a585b1594e4de
SHA512 bbae7b552b0e96ef83da7ddfb2a0e0c3dc7ff310376811201ab8f39275a437609a85b0f32afbab96d9f5908d40b6012d8b82fa0160e185ffe54284f4d9294d36

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 6117e9ac56a3c93bbb5e65ffa95fde72
SHA1 e896ee992bf8eb00fe9d4d9ec1f08d41e682f4af
SHA256 92157ac9f760ea668ff8d110d3917e1de54cf79c6b688f5b23900bfb75fd51b9
SHA512 17cda3d4c8c22b381dcab5b70f70e1cc6404dff67ab09e732cae9f02bb8aa4e00301b3fa01d54545b226f5aa471d7fcf7afbee2cfecdcd2cd3836a3ddd020ae0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 bfe361903763e893b4019b2946c5b358
SHA1 00e3e100279017c29be73bba22dbc8fa368a186e
SHA256 515107966640d3ff289d9382bad0585de7bf71e169117bc95be356e98bd8e375
SHA512 7a11cf544e86a380922b09550d1bc1786643616b20ab0fd830a2195c0c34f3e3478d7f102246bd0aa167bacd4c7cfc91986c0c5850fbe377f6de2d6a038178ba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 f1f3a638021de67ada7c233d8893ef2b
SHA1 c9087985b314214bb756f92cd9795014fda7d4bc
SHA256 0cc5fc981e91682ec940d3823c3ea3cf8fc5f80282498c07d8fcbb95066ac6cb
SHA512 13d412d9b3a30e82b8c2c2f59bb08389ab4a12c513aa0d2cc67fa553375b08c71af614d13e5d6663b71e899ca3acb36e80bc28e52522d48805c61c5ea808430e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 6d4cdd44b0b5063931123af0613d30c9
SHA1 f63050f0e037504db47aafec6bbf92ad4f01bcde
SHA256 c986dbbbc4a29fdd2f53872e153b0f0134b974f854e13a5c89018ef46fa4bd26
SHA512 488a6663862958dccf3324c3643df1842694118a3b36c5940e0dfb4042b653347315bd799b1a4d5b0cf1bb5002f488b1c7c7be226bc5947cd9b9639724befe83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 bbc537a15e772bd3dee68aca590b6f28
SHA1 7bede04d3711c3a4ce5522fcb8e4ed8873ecdcf1
SHA256 8a8fb8cbb2274db5c3991ee477054f8f2e813c819d9744ee355d68d11fa36f5c
SHA512 f8587559615c30c9eef9229d532226a1a3f76f0e58e6ad32a0b3860db72366d691182c3055d473e7dd0803c59077a51bd28c588953e45d916a228773ff6642f7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 64624188be7cdde89e84681e9e908ec4
SHA1 d6ba83f1fe9c98fae0370ecfafebbe3232ac9786
SHA256 d2e4c558d1fa7179437e5e209dbc8f344e9401d4a0f126541646260d10119010
SHA512 521d3f6b05ffe733782941b5b0e1b8169c898ee29775f24147322eda3e734cf77600e9ab26fae1e57dca2758137aebac9d3501edfde9b648466e4c650a5920d0

C:\Users\Admin\AppData\Roaming\ClearWrite.png.exe

MD5 38e517805eb14c2e85587f1caafb85dc
SHA1 2276689bd52b8cdda1d0c789671aad3565debcd9
SHA256 f934fb4af752e37192788352fea8f677297a7e21ca8474c4946e447ca9cc9199
SHA512 343212b9a6b558b6e95ba36a0d596888e92ced53ba215327cb5ac3f8695c94820dd8f397270e826ba135999b548d31a2add5d16921d6c1ab15ac079b9a590196

C:\Users\Admin\AppData\Local\Temp\Sgsk.exe

MD5 a57dfb37527af8ef45adcdfaef73cb69
SHA1 5c0fa463e99f6c0f3ee5c96f2a639560f1e80179
SHA256 190229ab02ed28be24bdda6fcd8663643f3dedf67a28c2be938ff5296edc6b00
SHA512 09354c9cbcb147820261a5c94dea262e7b6802a1523c1437117b4480066ee2d77078686555af49c547b08aef4dce6cbb101ee65e8f3b317cf63d8aff7f654804

C:\Users\Admin\AppData\Local\Temp\McEi.exe

MD5 9003454e8550116485833702bbd85857
SHA1 1b140f609434b256be59fd5e18e2b72bb17f1496
SHA256 65fdde566af317db8ae54a24e7c557b74ceb6f3ccca804787f1cf97d4c2eada4
SHA512 728fc4f6a1121aad6975d0d2d29fe5faa885711e0ff6e10cbd085f27d613f7fcaddf5982bbfb9fe8b157678b841e39c971febc052293af865db35eb4a97d3f20

C:\Users\Admin\Desktop\StartSkip.gif.exe

MD5 e3d96caf25ed580c02acf38472ad7833
SHA1 e2eaaf45e534082d825c238ebec07dab507878aa
SHA256 7bc2641629db9144cc98572186fd6d30920a1e6261b8afd4dd19f9383abe4a41
SHA512 834f453cf623efe457129925611f3966015a84a6ed4bbab4c19ac7c21fcee11584233c9f5608fe20e057e1ac890974f680c1c2e04233dae0fd890f5e10cbb80e

C:\Users\Admin\Pictures\DebugPush.png.exe

MD5 5389d0b7ae09b9c07d234a91e41734fa
SHA1 1e9b18f8466a18018ca97c02313f8d10c17dd4ac
SHA256 fcca52cd8e5ef22eafe504f84ee37699c8f741a7af675838842b853a90bf376f
SHA512 dbbcaf23a4af9d7689de6176d3f33535c838652e76d297c7955baab1081cfd4dcf2cc91a0517320a5adbf9b7cd905e92405e83c9c0443825edd43df5a984882d

C:\Users\Admin\Pictures\GetMove.jpg.exe

MD5 6e2af821c3d65fd0ee3e14ed4aff3901
SHA1 45b8881c58c39686d04336e0fc7f41219dfa1bbd
SHA256 166f79e73ef72530afbab751767c8c6f2e00f2d468577f073756fc43d4365960
SHA512 624eac361a7b8cad0ece35213f617a725b39c307ca260372bd2dae887d3bfabe938876f769deee8dd88605207c932e2455d47cd9a078d19b59e74e6035de3dfa

C:\Users\Admin\AppData\Local\Temp\CoEE.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Pictures\InvokePublish.jpg.exe

MD5 ec45db0c430e9daa7cf68672c9503dba
SHA1 a74a4f1825bf1a946dfb2fcc72efbce1dadf2a77
SHA256 457bf7b6a924d1591d2ca00aa38caf0ba8a032890731d67114e26ac3a57b75bd
SHA512 18ecf3d1dc649233f1a0d513ddb9b791c06dc39a8f780fbe93341c46cc5b8a36d5fba5fd1f8cc7ead43a767eab32accb3c66fc515f2f8cddfd6592c140cde0e1

C:\Users\Admin\Pictures\PushCheckpoint.png.exe

MD5 20ba2e2a3952636a984d5e18ae7d064c
SHA1 8eb01742311e4e146dea334815cc77c6f1b246e5
SHA256 62dee8dcaf783f363649ff38e39ca49f3f9288bd9adbb7a612babbd48e3966a4
SHA512 6f1066d873a6eef2cf8dc2e352ab0dea721e1ebe0ec91510e468f818511e373b1579580664a19080a04a5465abe31282434c3e2ba23a7ec9ccb1efa9fa6137bf

C:\Users\Admin\Pictures\StepLimit.bmp.exe

MD5 417326521d9be5d43d4ced2e118e6c60
SHA1 99e1013dbce5339f82b6ba25f3bab0984c7db983
SHA256 8b977b974a958f3a424df8911051cdd75f6cfd7778cbfe212560217dfed61c17
SHA512 c13b87eac099d0f2494d6f20a299c7c21d0528c84d73a64f9c59c45a7f79610366d0bc07443925ad3ec2d599d0f00b278573349fbb7112327c2008d6a0a7525f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 ec26572493a3053500e2f0c02d6086dc
SHA1 12050b51f8aa4cbcbf96198a7f97c13ee82f645d
SHA256 1fe453e2e346b3389f4c05fb168b1d39867fc7a6bf4364fa20fea07bea5cb155
SHA512 cfab95b204950061d5abe1b06adbea94db66cd65d61b8f955f79a81056e0638deac4feff398af24b01efb3ba3465f49f0cd2e49e10c3c40c7896e719b9c8b699

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 6232a46099e9ab22fd9ecb8be7175822
SHA1 f2c4d0fb78fdfb2612886fc7432ff6eeac0bd0f8
SHA256 0661769514e04caaf74317c7729d1f254ef467f1681d855a0ac35c1e57d58ff4
SHA512 8c136a8f12e09c315ea8390cf9e183f7b72fca6c4ca53d73306a5bccde38642eb7289e294f1d2f55360def97ba5d096b9b26ef561824621018e52350c5de6542

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 d6317a3c0a1064080d7f4cd15cf57809
SHA1 2ccfacc0e816195ba2c3f2651b477f4f7c3fee27
SHA256 147f5fb78b0a54d9eeab56e240b83f55730ceb1023ba49c05c48690c018d5ced
SHA512 46f10d02960e0fc62aec346ad4cc2138c1c913238a12163e42217a3767a286b90e9efbe4d94b1361c5dc6cd640d5f671228c106e6f2542b07493a1dd4f0c6584

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 29220cfcd9a144916b977ff23ea2ddd9
SHA1 66096ef26f3d61cb0d2b3de602578c92939ebe2c
SHA256 41a7927cf28513dedf1ff4eb02151d4d8af148431043d7c877bbd6ca5bfd0f25
SHA512 846cd6144757e76b506676321b1f7332dad47f2f1776b55f7d1db6dc90aa29d975d69018ace889d958f77c973fdd69ec6e612e56a36c9136bed600b3e4da63be

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f14efb949fd4e8cde42cb4f54fc218ce
SHA1 da15d2b784ba30356dd5597e609d8d79be3070b5
SHA256 c5afeb0b79acaf411044d87b1cccb22b71c76c0fd3f0ad938a218f47b721617f
SHA512 97457449d845c5225f836e6e9a807bb0ecf3653b261968681fdfb908d6402759492f104ef6f61655fd2054425d24ad4f9a73dfa756af6e5ec6e2e113ce1aab3e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 d8934625cc2cfad7400c8967f0a188a2
SHA1 137c1ad99de128e73b4c7aea4f388b635ceba699
SHA256 457dcbbe10902f8175cd5f10de883479ddc732815de37f74c7cbca5b9ea3d545
SHA512 120f3b9a2617a47d23fa5ef024d9855a11799a69c5f552049a97c9bb32cd61d6f7d13abcb2d462d0ea8397d9477be5af8869f99aba5c354da8c45d9400fd3303

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 5fd214f8989ff329254b6c8cba10e130
SHA1 61ff929e08adfad1c557ac3317b66ac0dd7fb4d9
SHA256 afccb6bb275fa58f301a4da666e48160854561716e133665d8a029b3e864406e
SHA512 e222a56b12e5bd1e588ecfadd9425fdc601c51491f706c24bbb35782aac983dcac5066c0e11026054c400b452274d6d351f510606dda8bc13aec7ffaaaf5ff81

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 254107fa455e6b2961ad3aeef967cb82
SHA1 607c58861e757bef5d4195c92edac6dceb8f7c7d
SHA256 42f38f854395cededa765b7624662fda622dc7adc5e27c427c660d3b150f5641
SHA512 927fd7fbaa80d40e54fceebb791c97da7d552031e151bdcc36ca78b246dff8e8ad067b0122a2003e6744481702626c71d1d30fffcf6a7e5dfdb816e45d9c07ca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 3377e5787e718a30a6ef3fa8b6800be5
SHA1 4e4ae62b56f6b95680052905dc441b9cecb7b340
SHA256 adeccf6aa4a502f0be8c9f86ac2094c3707a663e4eaffd75f840eca0a29bc731
SHA512 50968152fa5db543fde83533a2beb2ff3141fdbf9662cc8944aa7563c350c304d2cc43d2b3a7a31487d92e123616beca4a84d14fb49a9d1f6b2f88a3c1f2b47f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 32d6c58e2e0b92f75ef04273806721d5
SHA1 8513f4b7b1de811f602ca01caa8329d6ab754f1d
SHA256 362acaa3b60de3029bef3e96e8b957b259c9c9b59ae31e62eb2ec6938b691195
SHA512 23bccc37f581fcc9418bb4e415bef6a39ae8f8389b0cab85daef09b9e399a9d069314e18e4c840549c8396aef1cbd451f39bd9699810e4127493bc8afccf5a69

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 8870803ad43ab76da19c307a44c00b51
SHA1 86b0eccffbb3b1e51320ce86342b6ceb2946a223
SHA256 e0f32656f783922e68d45ade2c305664b494432b81d2cea01fb628ac921757f3
SHA512 963a28e35fef943a299f8af76aa63b0d9c06797bdf54b182f898599593312d75e971f1f3ffd5a941e5df8a491f8764289945af12cf0faade12c9bf6231811079

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 c209fd9742f6f8a5a69ee3a0091693ca
SHA1 77885b199457abfcc9def5063e99174d1e2ce059
SHA256 2eda952a5e5dbdec95e4e902729785ab970937c38e4e4c4f8a3bfb1148c99530
SHA512 ac9481f71ab942a8f9a852a2d59e67b95095bae5e55aac36d93a87ce7dec3b261078b626c7ad079794086c3d1d377097d1b112d23f287799f51d7da0a401ee01

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 efff5d91787cf7ccf42c6ba3832294c1
SHA1 b26f194f88ab2aea740d905a6752eba8fafa64d4
SHA256 4b8188393a2e7739e2168575473eaed9c2f9f3f050094e207096b96436a5db7e
SHA512 1c6ca4c8fe8ba8beb3cf4ae4a3daec96845419284ad2c7feb0dd05c1fd832a145376dbe2c634f3752c21a92aa8cd97908fa544d74df6690431c3964393eb03e1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 5978f06805db6fc0772381ac0ee28259
SHA1 82d8cb7de52b6d8a6a8c35b73adabcaf714eff2f
SHA256 0f3776b83fff4d7f05d2eb16edcfee87fba72e03a5ce3ccd24da65cf6391b1d8
SHA512 cf296fd1b937f776932ee4ae39cc574b69bb99a612a10668bea0cfb6ffbe39949bf21aad3e084032444711ba5b96f74fef43a25b251b5233e27135de3326275d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 36ba75cf081e4495b99fdddd79587cff
SHA1 a235db3452bb997714dbdc84170595ba74bb3600
SHA256 f06b1615a6515ffb820d5c946aff51abc1332bc858615429bc0bc195aa8dc297
SHA512 a7a4e88daf7667c4910bb277f412ef5ecb6040357d792ba921dd60b5b3d836122a9b7dba4f02c8b6d88e30a784a819c580ef174657272c7a0861a533e50f630f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 535c2a714c33a7d7075ddad63b94511d
SHA1 e9db6de99a2b2cd22c1b01cdbd62789645ee9f2f
SHA256 3709e2a2d25ee920196e5b61429aca75fc5a705d608edc0cf5714347dd6caff6
SHA512 33a35720c78ddd2766cafd88cdbddba6d6ed2fc2f3440e5773473a4df6eb2799387ebd5f472301114519ed728d10ea24f35e8497b66775b487f05065d39172bf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 8a79b8b3c3380798ffd12e64e5445571
SHA1 c06189babb9ae17d36ad3be7eb809c17494c65f5
SHA256 3ad28943ee3aeea081bed288ba83fcf187f2167af3f43a4583cb81dbb6804615
SHA512 3cad8a7c807fc6ea019d20d20d99d9788aa951967ad2beb7bd8917e866cbe141a81f6d9f6cf99c0ab256cfa4c8c193edf711363f0cb776ce10e9f4cef7d736aa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 bfbae104c9349091692999cf64799bee
SHA1 62f65b28623b13b603fd14a6dbeecb45a4a97b1c
SHA256 ca31779a52b81ddaea1702d2be1345143f3dbf31ed32033c17f660fc6e03c4aa
SHA512 34f1465c38c59e735455262dc2d1d6d109da1ab8b118d9cab276bb466aec67c83b44240770d6b12c55f2cf7da47496e0d732bff43d22a579d4c6006d0e4b0652

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 73fc57e2bf62ed78a52ce6829a857e94
SHA1 98a65f1a65915a70874e8cf14c1d9572d5da03ee
SHA256 335ed8277b311e27c99f2d3a0cde7ec67b57a8199b5a0c76da8d2f5683e06193
SHA512 12b53c917e278d939ab51012e809627652e0ec4a596584820b37c36279a1889aa6d8df09d60a569604af8e57145d69bb4e6244d30c2287b877e607a50b9d1799

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 f7c60fb6ebbcadf5762ce580ea35b141
SHA1 0484b87a600d167ebdb94fcdabdfafbb3b2502aa
SHA256 403b30226ec42480cd518af1ca42e50e0e68957f2c60ece7afb9748af5e6b4c0
SHA512 d15a02367b4e025e679d2d9badabbea09aa86886dee042c38a3eff0ab9c3d51b2068090f4c8db75f8f553448479aa3fedcb282e0c85c3a2807dd94a8d34e5971

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 1966660584367a62cece0dc16171595f
SHA1 84e284ecf63e4f83fd1a5e9638f673ebb98a44f7
SHA256 9b87119247c51fe4a9da2682c58bd77da372c588bd2c13d879470eb5dbf48949
SHA512 898e627416fe50136dbffedc13e91b280649d1df982cbb8e056188362cc9527103497641776b63b9cfaea552427abe5580c74a8acc628ec22608ad70d316f9cd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 3d3c89938cfd19d428338fdca418bd8f
SHA1 d708aca410b8d54f976b5399dc3c70388d913cbc
SHA256 2a111fa2d3386e31108de501e1ff57da0d6f12cda4b29df9a49ee1b708dc167c
SHA512 349f9c51d188643a0eb043641a168e98a506c2fe18876b41aead0fa9022440e0aa54928fd8039b7bac33a7bdd9110af5b07d69c3d7d5495d7571ab04cd3370c5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 004736e7215b91d2e6f2f7591bf0bcee
SHA1 0f593f9f73b6a8e89d49308de87fa64e52517946
SHA256 95040942d9b7d3c9a8249c4e38b83caadc6e0d2654a5b761b61ce929dd3c80a2
SHA512 0484a9e663ece76fb8129c12cb52c8d680247ba71a37b3efcf756e081a203189e8330f15374dd3e54d1b1e7faee7311888709f74e31899c67c0099096628dd51

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 d487d86b87e2d4fcf88b25f601d37243
SHA1 93700d3a93d850c4bef168d9822a8683c663562e
SHA256 b083d024c82a7ef3e392af70d86a928128d0a6160e03babf65154c902d4bae56
SHA512 ae6eceadd714695b66d01a7c0c77a4948c34da46dfb38c03037ac8a6ca471fc48bc501bd3e960d21ea8583062e8fe1e0ec43e8c8982d1a6980a8c2fa4f2cef62

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 ef3ceeb74b889f643c51cc18c883ffe1
SHA1 f4d4046390e534f9d10f06cdf57fd636dadbf98d
SHA256 9d23d053332661f36b56a6b9b6c0467c80cfca1f61b806cfb0f7be2605d675eb
SHA512 be750f3375556c8a462e8f5ed1f3d277f0ca0a06de522f2f06dfca8263d00f08cfeb83d9ea92024e15b0279c7f47ccb4b3b2c3d3408b0c771451feebf086ac2b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 3ed2789e3736ad675c56462ba9ef7fb5
SHA1 84d9a7b8b6835b1b28cadba0db967f561f1b5fa8
SHA256 45106f8d8830d1a0a1dcb84c47cead86b6b0bcf1291db2b520d9c2e03201eb3b
SHA512 c21468f98752cee6a1cfe69c3a2f08fac12abf22046697a31709b2fe63377da6d680ac4557f3120944034eb9343518eba3c0c0ce8defb1e9673684ddff2bc03d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 5d0bb72b0b539d5b07d61d398b597089
SHA1 79205bf753d3644f0074b096d8a8a0a4c019814c
SHA256 8c358688119185a56ef9b658875fa477e8f44221fe0db2a3ecdcea57ae532505
SHA512 99bf70b70cbbb7b22454334101e5cd3c2ad446bcee72deaba2ab89c56019485c80251047a62b0b319dd85d8a49d76ea1f625403eee1d53b6fe26216a9e296e28

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 870c80ec3acfda73f7d0aeb2f5cc2515
SHA1 b7702ae49457e12ddc66c0a1c3b1b059b0368727
SHA256 4286e6e15241c26e8677ecda652ef932a21279c64d3fe23f04f4ff007daa9a7b
SHA512 0d2ee1c569b3165560c351fb60c3969646501a1070c69e88d79f54df308544388ecae3aa7f6c700d7e85e8ca60c6bf5269557cb218ff6115d195b3c1160099cf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 6e4e96bea1986586d3daf442cf6d9af7
SHA1 6b44b2e4363dfeafea23bba0685248b3f283762d
SHA256 2ad1b6f3dbbdc533f1f1d209719dfb3e4a2b6c6f0b759a7f3542b7c12e663c3f
SHA512 5f1c9662f1fa0316346cb9d4a394224d6026c5a05431ce6aa68a112924e452276c616a2d7f1f8d7d2e37d7d853f24724c108edf842587f232b4f20ff56475275

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 ac4dfecb7e8802ec84cee2dd348df329
SHA1 36fbb1cbef23a4bad73bbd506cad8da16c9d842a
SHA256 bc8792622c8c3415a867516fa65ce1a54e2bae5b27d13c7912ed93cefb030c83
SHA512 659d548dae28984990a4c8add6515c1bc01826333d0543b4cb530c5383884dc8cec23782369d5ec9e71c3eda4ce79ff45e8dc5f3e1803226460259c17e807a2f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 b7e06c9dd7db7fd243ec0635573405e8
SHA1 dff1bdea3a6c312c2271a5c3e6eab9127822133c
SHA256 fc083f989cbf849db23d9fda9986689416b8573e3ba648b4376ac59ecf170826
SHA512 66bd0519009738db7aaad027cd69db492b23d653fc72f3202de5dd655bb15d723eae4f712ea9882b1e4ea0e66f52bde272b709960204744a513c67b9780726a0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 b3e1c5c425f85a20b0bbaee1561b9182
SHA1 b2ec3f2d7ea5f8b19d226681bf75e845c60b01fc
SHA256 ba483d8819486feb52de87d093f07045f3d51d6647349552c91bdb5d3bafe23a
SHA512 e39a3a24342a75603021bf16ecd84ae67e1cce9507a4372a71d281e47140d58746db0bad5cd4c3de18d6e91241474acd5fd3e616cef9fba41c985386a279996c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 947dd7c03e5cecee8eaff2d784186e25
SHA1 686c5b5781b524361d6f75a98812c7c12c4cf81e
SHA256 9ba0feea487f24213fd1d7fdc17eaeb17696ee22bc270a885d9e9c6b3cc8a00f
SHA512 6e0ce124a1a798ace3d9ef9ef75478921ec0d18ecef6c804d8af2c3bbc2c8aebe17c6c86cb0e8ca8b845b1ca1466fd7ba82e41c737a5abfd3068d3bf460d9d42

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 59a4bbdd5c4a0d5548a2388e929cebf8
SHA1 b8595286f8d64e287f21e0b9a0a8e72856891709
SHA256 a50e401323c1bd7d393f3d335390d4b6e5d4577a698c5aa99ce0516ed2418816
SHA512 4ceefe80beccfad751c001221c358fc915069bde599d605f7c3034b179a9100351be6080cec84a8415dfeb7472e6f8324b0ca602c7e49559d3e2eebf578f1525

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 0b0e10247ad7826672d1663a76e19c7b
SHA1 fe7230bb7c90c8e7cfe0cd8e19a009243dd787a5
SHA256 ff4e2e557c64136145594abeccd14455fd0e6362e3d1df5ceb13e84086389659
SHA512 647d40dc5d94a0985740876ba191ad710381d82a9a99b8951774aabb215031ef15bbf16c21eb6e80147eefabaaec6e07a2ef5f92d31d03ab315cb26c6247e77a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 8107ec69d1b82fffc90b7b23158e65f3
SHA1 c764f9c6529c76b9b75ef1cdc5af9ccbf3aeddf4
SHA256 42b0bf6759be23af2dd21c3e5701e8c5f281bbcc9881f8162990f4c60a672a34
SHA512 6201e10161ee88255f29018d1c6390bb20ebf0426f33cbbdc4be34185f94abcee22762d53b4949de2346745f536e8b96047b98981cd9acc597d6d1e306ee8c9c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 e67e6223f0a1525b239b1cc073a564bc
SHA1 8a4395bf40ce25f74f017dd51739322d4e00b864
SHA256 e5a34726000d417cb7042f9aa442539e784f2ef44bcf2b68d3c715d1c9ae1b68
SHA512 d0eadbadc717b3d5afe5a7d659bdcb59da44243a6b6211960d7ab92d6abb629fc2253650d37eba01dbbedc6a9a9e651974549082e5f22222eaaab2422e8835d5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 cf90f3358007411de262deeee1682dfa
SHA1 2d19e5d46314e12946ae2ceffdcbf1e82854ed2e
SHA256 22b80fcf33d3c3b5c93899900da3bf4881b76fd6402a9fc7e823820ddc028350
SHA512 bf6db064c6041e9d75ef2213cb27bd865a1c0570a90885c85fe6e3b04d7b58af3d3227f3633e8ff2cd26fe7bee0a54c9c520ed692d55e184d88a1729a1dab486

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 f1cf499eb7511130073415c78c33c4c1
SHA1 36bff81c5b01d3c2d151a324e06a82ce1ac72578
SHA256 4cf97ed1c85fce0f15e50aedf95793021b8f37e2f4f9ec434b06b55fce5a1f94
SHA512 6d3dc897801cff064a609d6999689b75843288f09bd3bf848de74e8521f9fe7e99f40aa22b2321cc012ba5c824d51487de1fdd13d3908fa9d494fc31d5f95341

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 2e53d43a009216b117bf2bc9470ceb3b
SHA1 04d41f38e2423fc991b21b0221cf7bd95f58b4c0
SHA256 514f2bb3dc264f0382d44bde44bd939177a78a3cad15df1c6609ce3eefd69a7d
SHA512 704620eca018092b581a2272f594bf75c66a89696e78b1672dd4252f19be6439803d46b18d476767734818a020382ce45d207203dab4b386d22ef9803b9d6136

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 e9a9fbd9a6ed54cdff05ff854df9506c
SHA1 bab04093920df5d461f5bf359dff68c5352e8db0
SHA256 3477c3aa6b20a8264d417881356dfe0218f17e6812b5f77489f9a16716be6501
SHA512 f2c609df9f455d043c82e67ebdc276c00a29907d57954eeb98a537a5c5392786e287ad2cde01dcfa174ec4f20993f4070bae3ebe7518f5d60d98ced07eb7f91f

C:\Users\Admin\AppData\Local\Temp\UYUK.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 b2731882edeef0c5d6e75e36851adcc9
SHA1 ee68c1ac3aeb1dcb187af298b3174a06d35ba53a
SHA256 fdd4424746ec04d6d0e648f1197884479ba5db3f64ee008343f734091c78d912
SHA512 4f06e13a10800cac0868fedb84ac97dc6dee808bf508f2df2ba090bb4e6e773a7986823d3e8d99eb15b3bf7c266b3127930bfd08c1c025a4989516fee10c9cbc

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 ad28ee60a0b08d4e6358aac5823fcd2d
SHA1 11b896d9d562da3f6282608897fd367b5606f79e
SHA256 4cbdeedd5b25ad53a7d8607120259cc6c1f3623427857fc3aec6d0ba454d6493
SHA512 ce28cf3800a347d71a7390b96efd0eff1b1a7712c0ea92c4427109f40626f4fedf44f379c57e5b2eed9fbf4035e15c4d0ca5a47d6c1773dac97c05b239238348

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 ff96b709203a9887f81dc554da62ded2
SHA1 281c052ba78e525ba53ad0ccee2f65227147a806
SHA256 cc019993246bab28e4de9a0d8e072a9ff273cbaf0866c04942b14ba52045e4e3
SHA512 832bbc4d2a5475298b24e934e7526cb25ccc3a5c92f783bd4d5887561776fc8c2719ebc2a05f2f68b0493174535976bce57573b9d6c5dfd95a6a3fddeaa2a80f

C:\Users\Admin\AppData\Local\Temp\AIUW.exe

MD5 6a74f0131ef8917a5df2be0255229cc1
SHA1 ec50706226610742185c4bffad5a6f46f07119e9
SHA256 eeba9d940dd7666fa190d9c24795b9ff79633e4348be1c8c9dc4b0b9d4871de2
SHA512 2c67400a1bf4bbe1a4c83f33db7646bf3da87133c0f4f4844bec2b864934b5b427ed8577d69406e0eac1f237ec34bc060b176de7d6ebdc37005751e5041026e7

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:28

Reported

2024-04-06 22:31

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qOIwgEkM.exe = "C:\\ProgramData\\QGgMcoUw\\qOIwgEkM.exe" C:\ProgramData\QGgMcoUw\qOIwgEkM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xMkgscQA.exe = "C:\\Users\\Admin\\nuIIQcMU\\xMkgscQA.exe" C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qOIwgEkM.exe = "C:\\ProgramData\\QGgMcoUw\\qOIwgEkM.exe" C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xMkgscQA.exe = "C:\\Users\\Admin\\nuIIQcMU\\xMkgscQA.exe" C:\Users\Admin\nuIIQcMU\xMkgscQA.exe N/A
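The three registry rows above are what turn the long Files list into a working lure: with HideFileExt set to 1, Explorer shows `Koala.jpg.exe` as `Koala.jpg`, EnableLUA=0 removes the consent prompt at the next logon, and the two Run keys relaunch the copies in ProgramData and the user profile. The script below is an added example written for this page, not code from the sandbox or from the sample. It parses "Set value" rows in the report's column order, maps each to a finding (the ATT&CK IDs are the editor's mapping, not something the report states), and replays the HideFileExt effect over a few dropped-file paths copied from the Files section. The `DATA_EXTS` list and the `Finding` type are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed input: "Set value" rows copied from the behavioral2 signature tables.
# Column order follows the report: Description, Indicator, Process, Target.
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qOIwgEkM.exe = "C:\\ProgramData\\QGgMcoUw\\qOIwgEkM.exe" C:\ProgramData\QGgMcoUw\qOIwgEkM.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xMkgscQA.exe = "C:\\Users\\Admin\\nuIIQcMU\\xMkgscQA.exe" C:\Users\Admin\nuIIQcMU\xMkgscQA.exe N/A',
]

# Constructed input: a few paths from the Files list, plus two that must not be flagged.
DROPPED_FILES = [
    r'C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe',
    r'C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe',
    r'C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe',
    r'C:\Users\Admin\AppData\Local\Temp\CoEE.ico',   # single extension, not flagged
    r'C:\Users\Admin\AppData\Local\Temp\UggO.exe',   # plain dropped EXE, not flagged
]

# Assumption for the example: the data types the sample imitates in this report.
DATA_EXTS = {'.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.mp3'}

# Matches: Set value (int|str) <key> = "<value>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK technique ID: editor's mapping, not taken from the report
    key: str
    value: str
    process: str


def classify_registry_row(row: str) -> Optional[Finding]:
    """Turn one 'Set value' row into a Finding, or None if it matches no rule."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key, value, process = m['key'], m['value'], m['process']
    parts = key.split('\\')
    leaf = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) >= 2 else ''
    if leaf == 'hidefileext' and value == '1':
        return Finding('Explorer hides known file extensions', 'T1112', key, value, process)
    if leaf == 'enablelua' and value == '0':
        # HKLM write: reg.exe already ran elevated; takes effect at next logon.
        return Finding('UAC disabled via EnableLUA=0', 'T1548.002', key, value, process)
    if parent == 'run':
        return Finding('Run-key autostart', 'T1547.001', key, value, process)
    return None


def masquerading_executables(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, name Explorer shows with HideFileExt=1) for data-named .exe files."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        suffixes = PureWindowsPath(name).suffixes
        if (len(suffixes) >= 2 and suffixes[-1].lower() == '.exe'
                and suffixes[-2].lower() in DATA_EXTS):
            shown = name[:-len(suffixes[-1])]   # last extension hidden by Explorer
            hits.append((p, shown))
    return hits


def analyze(rows: List[str], files: List[str]) -> dict:
    """Summarise registry findings and double-extension lures from report rows."""
    findings = [f for f in (classify_registry_row(r) for r in rows) if f]
    return {
        'findings': findings,
        'techniques': sorted({f.technique for f in findings}),
        'lures': masquerading_executables(files),
    }


if __name__ == '__main__':
    result = analyze(REGISTRY_ROWS, DROPPED_FILES)
    for f in result['findings']:
        print(f'{f.technique:10} {f.rule:40} {f.process}')
    for path, shown in result['lures']:
        print(f'{shown:20} <- {path}')
```

The rows with `N/A` indicators in the "Modifies registry key" table carry no key or value and fall through `classify_registry_row` as `None`; the count of those rows (three `reg.exe` invocations) matches the three `Set value` writes made by `reg.exe`, which is a useful cross-check when the indicator column is blank.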

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\nuIIQcMU\xMkgscQA.exe

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\nuIIQcMU\xMkgscQA.exe
PID 1340 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\nuIIQcMU\xMkgscQA.exe
PID 1340 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Users\Admin\nuIIQcMU\xMkgscQA.exe
PID 1340 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\QGgMcoUw\qOIwgEkM.exe
PID 1340 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\QGgMcoUw\qOIwgEkM.exe
PID 1340 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\ProgramData\QGgMcoUw\qOIwgEkM.exe
PID 1340 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 1340 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe C:\Windows\SysWOW64\reg.exe
PID 3128 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe
PID 3128 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe
PID 3128 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe

"C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe"

C:\Users\Admin\nuIIQcMU\xMkgscQA.exe

"C:\Users\Admin\nuIIQcMU\xMkgscQA.exe"

C:\ProgramData\QGgMcoUw\qOIwgEkM.exe

"C:\ProgramData\QGgMcoUw\qOIwgEkM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 992
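The three reg.exe command lines above are what produced the "Modifies visibility of file extensions in Explorer", "UAC bypass" and "Modifies registry key" signatures. As an added example that is not part of the sandbox report, the script below is the matching logic a detection engineer would run over process-creation command lines (Sysmon Event ID 1 or Windows 4688), fed with the command lines copied from this Processes section as a constructed input list. The rule labels and the parsing helpers are this example's own, not the sandbox's.

```python
import re
from dataclasses import dataclass

# Command lines copied from the Processes section of this report
# (constructed input for the example; no live telemetry is read).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\785783f280230c7a56418f9723fb407ae84b1f6b542b03a47002217f05cc7d00.exe"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 992",
]

# (key suffix, value name, data that is malicious, label). All compared
# case-insensitively. HideFileExt=1 hides extensions, Hidden=2 hides
# hidden files, EnableLUA=0 switches UAC off at the next reboot.
RULES = [
    ("explorer\\advanced", "hidefileext", "1", "explorer_hide_extensions"),
    ("explorer\\advanced", "hidden", "2", "explorer_hide_hidden_files"),
    ("policies\\system", "enablelua", "0", "uac_disabled"),
]

# Matches "reg add <key>" whether reg is bare, reg.exe, or a full path.
REG_ADD = re.compile(r'^"?(?:\S*[\\/])?reg(?:\.exe)?"?\s+add\s+(\S+)', re.I)
# Captures /v name, /t type and /d data; \b keeps /ve from matching as /v.
FLAG = re.compile(r"/(v|d|t)\b\s+(\S+)", re.I)


@dataclass(frozen=True)
class RegAdd:
    key: str
    value: str
    data: str


def parse_reg_add(cmdline):
    """Return the key/value/data of a 'reg add' command line, else None."""
    m = REG_ADD.match(cmdline.strip())
    if not m:
        return None
    flags = {k.lower(): v.strip('"') for k, v in FLAG.findall(cmdline)}
    return RegAdd(key=m.group(1).strip('"'), value=flags.get("v", ""),
                  data=flags.get("d", ""))


def classify(cmdline):
    """Return the rule label this command line triggers, or None."""
    ra = parse_reg_add(cmdline)
    if ra is None:
        return None
    key = ra.key.lower().rstrip("\\")
    for suffix, name, bad, label in RULES:
        if key.endswith(suffix) and ra.value.lower() == name and ra.data == bad:
            return label
    return None


def scan(cmdlines):
    """Return [(label, cmdline)] for every command line that hits a rule."""
    hits = []
    for c in cmdlines:
        label = classify(c)
        if label:
            hits.append((label, c))
    return hits


if __name__ == "__main__":
    for label, c in scan(SAMPLE_CMDLINES):
        print(f"{label:28s} {c}")
```

Two caveats the report itself supports. First, the Run-key entries in the persistence signature were written by the dropped executables and the original sample directly (the Process column shows xMkgscQA.exe, qOIwgEkM.exe and the sample, not reg.exe), so command-line matching like this never sees them; they need registry-event telemetry such as Sysmon Event ID 13. Second, EnableLUA=0 only takes effect at the next reboot and writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System already requires an elevated process, so the "UAC bypass" signature here records UAC being disabled for later rather than a prompt being circumvented.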

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
DE 142.250.74.206:80 google.com tcp
BO 200.87.164.69:9999 N/A tcp
DE 142.250.74.206:80 google.com tcp
BO 200.87.164.69:9999 N/A tcp
US 8.8.8.8:53 206.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BO 200.119.204.12:9999 N/A tcp
BO 200.119.204.12:9999 N/A tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
BO 190.186.45.170:9999 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.138.73.23.in-addr.arpa udp
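The network table mixes DNS traffic (forward queries and a run of PTR lookups) with the sample's own TCP connections. As an added example that is not part of the report, the script below parses the rows as printed above (embedded here as a constructed copy), converts each in-addr.arpa query back to the address it asks about, and separates the TCP destinations that appear with a hostname from those that appear with none. The latter are the three BO (Bolivia) hosts on port 9999, contacted with no name in the capture: that is the shape of a hard-coded address and the rows to pivot on first, although the capture alone says nothing about what the sessions carried. The PTR targets are kept separately so they are not mistaken for the sample's own destinations when cutting an indicator list.

```python
import re
from collections import Counter

# Rows copied from the Network table of this report (constructed input for
# the example). Rows without a Domain cell are given as three tokens.
NETWORK_ROWS = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
DE 142.250.74.206:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.74.206:80 google.com tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 206.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.138.73.23.in-addr.arpa udp
"""

PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts.
    A missing Domain cell or an explicit N/A both become None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        if domain == "N/A":
            domain = None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'206.74.250.142.in-addr.arpa' -> '142.250.74.206'; None if not a PTR name."""
    m = PTR_RE.search(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    """Split the rows into forward lookups, PTR targets and TCP sessions."""
    forward, ptr, direct = set(), set(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr.add(ip)
            else:
                forward.add(r["domain"])
        elif r["proto"] == "tcp":
            direct[(r["ip"], r["port"], r["domain"])] += 1
    # TCP destinations that never appear with a hostname in the capture.
    unresolved = sorted(f"{ip}:{port}" for (ip, port, dom) in direct if dom is None)
    return {"forward_lookups": forward, "ptr_targets": ptr,
            "direct_tcp": direct, "unresolved_tcp": unresolved}


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    print("forward lookups:", sorted(s["forward_lookups"]))
    print("PTR targets:   ", len(s["ptr_targets"]))
    for (ip, port, dom), n in sorted(s["direct_tcp"].items()):
        print(f"tcp {ip}:{port:<5} {dom or '-':12} x{n}")
    print("no-name TCP:   ", s["unresolved_tcp"])
```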

Files

memory/1340-0-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Users\Admin\nuIIQcMU\xMkgscQA.exe

MD5 f2d966e5834eb04fe24e35041cbdcde9
SHA1 990ec91a988a2e527e459e809840f25d4283712d
SHA256 534b84885afaec31e695162922e672271f011fac57ab713783a8e59db14dab61
SHA512 da54d42233b16709d044b8e3a3ef1df8da4dac38f0b8c787fcbae6b4ee7da0056719356ea6594730c0eeb7c7f936aa4c875a4edb7992fa2a52b92c1d1b1b5065

memory/4732-7-0x0000000000400000-0x0000000000425000-memory.dmp

C:\ProgramData\QGgMcoUw\qOIwgEkM.exe

MD5 a04fda3b8871effe80c090f9a89175f7
SHA1 57d2269b3f8eafb55f3a9c6ac7069d74a22b5ac6
SHA256 de5b5dbefc2ee44a5721f8f787fb0f0a549f00423688b5c2fa7687939ef3e1f5
SHA512 b85ffb6aa6c8d4ab2c10241fc23f8540d16a13d55b1ffa45ed978444e8950906144358c9ae717b2a80d72d64878b2f95c893d18754c969d8b59bbc2cb06c2808

memory/208-15-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1340-17-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mspain_avx_clear_patternt.exe

MD5 383dcbf7e816408a7bcc0a2c41634356
SHA1 8179e5d4f88995a92110e4341be44335fa6636f6
SHA256 1a4bd956c34459258c85ca9c81dc547d2ef3e276c1f5d07f93902b4a8c74586e
SHA512 8b0b5015fc9100d58d73c1b331318f4568cf16529205b127c4ff473df95a8f0a52d5271cc4b66640630ed633449eccdf025166781b67834cc04d8ce23d79554a

C:\Users\Admin\AppData\Local\Temp\IIku.exe

MD5 05a5c139e70280bcdca6516c5a1245a2
SHA1 094b5aaa8105f6047db2be8112bff27aec2af909
SHA256 16c73fb18387ee9475cc0b2b594d7b515cb2381b31ec6c60333ad7e26ad03a7d
SHA512 a0a1208c54e4a854138206eab0df0e7bb7c53bafdbb12a31f0f34e137d3fdb7a9d835f8a7087e187bd7b7085984b6cb935510e9f1cf68a0960f15a07a179519c

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 ef633c3fe4570ca5e546a228057fd53b
SHA1 45cd0033a548fb14c46ee677f756ed4ce479a275
SHA256 35b30dd9128a36f7e90598f94e9f697608e1cd3591b83a1b0bb81d505536bd9d
SHA512 e3a0d213c078ef85057332e7b97a4c1fe5a21ac80185b6676096652431cdc01b2450a0ca856d8a80e924b3bd713d2baba6677f32081f963e7f0e48d61670f2aa

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 13c879318cd302f576bd41e4462c8eb4
SHA1 4660eb1a14706ea231f5a7427f6313d8b4d474bf
SHA256 fc2e9175d43f81918373a15a4c50f426d776c565b59eebd2f16fd148a6036267
SHA512 dd9c716d1bfee925c50307c9511b2e093e9386c34e2a6cd32c45d711c9f62fa0420ad15fe1e4a168c7a825f60780a86d0fc28ff28b708dee7050f1f810539a5b

C:\Users\Admin\AppData\Local\Temp\EEwU.exe

MD5 7d2e5b2b2badfa148974fb22696007a1
SHA1 bd85f9516a604ebe15fbda0dc2929a3906c543d8
SHA256 f692f6cf72c575363e046f6b9cc09306c59c478913c31f34cf6b16761b1f424b
SHA512 f0bba485b7889d0d284c76a2c6454b6f5c8a2cac085763e57e0f98f6b71be15aca12f52ba191d839f33208ae15c355cfe8be325f5df64c24a872137a52f62927

C:\Users\Admin\AppData\Local\Temp\OwMu.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\ScwE.exe

MD5 6ccea5e2c22aaa971e59cbf85a25d811
SHA1 ea47f9648df34c1b9c18f4c1c2c539940b75877e
SHA256 73506e9d8b14f45e37c48017bc914b44fae84f8813c05a8b54d91b43c95b921b
SHA512 cbfa0dfe084304afb5280b18ef4d96868b6ed671eabe04a86f9aa48ac3c4d0329319236f7e14c10878439505d202d965e7e38266b747a7922921c48ba2fbb948

C:\Users\Admin\AppData\Local\Temp\igUQ.exe

MD5 f9b0317378439cf665be7c409e1240a8
SHA1 9c784ebb0d7f3f20812e614de27560d30fdb26f3
SHA256 e9ebe657890b28ca547a3522e025fc388a1a881f010e4ed6a9221ed71163f1db
SHA512 0d60c47767c5ea837c01180247d97c0a073f5c0f020944732047ffc2aca473dfb42a62c0184e222b985962006687cd4aa7878752a54fe5bfe6ab64c1096a0dad

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 8646ecafc8a5b6bdda86e616a89fd6c7
SHA1 9868dc85af3e4cb37cede460a03711beadc73d9d
SHA256 72ce355ad856c444bb237b4ed5e23b34754214ed07c52cf7026bb7e7c8023102
SHA512 3b4eb723764fe2a85b132a7644e32db1f771210d9d0c696bdd354ea96326955882a21821aafcd9cc9873b10cf244a48c6714e2e5feb13ab0497b94fcdf711c3d

C:\Users\Admin\AppData\Local\Temp\qsci.exe

MD5 0485f53d226f900ed3be8654b61e61af
SHA1 8800f577ad8e4f452f0b3145056730afe43c0993
SHA256 043e7abbf70fcd1bd1f62ae286012a4327ed610384341eb72ef6c256b1e7a0cb
SHA512 ae5d59dc73059071acc12ab3429485431b7d7a1f388ae24ce1923add90300a68eaa2e0d7e8bc8c495d0ee401cc7a3217d27f19d31693b84ed683b2b8b29a09e1

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 dea454831bfc5a69b8fc78eeb04be498
SHA1 31de858078529ddcdf584b2c36dca50e6fe4d66e
SHA256 3dfd178dd36ebc67846354fad7074feff469336bf1155da074954c74aec0392a
SHA512 511c4155af97afdd37808309ecbf515dcf7e7a366e40e55b5f69179aa0f51d5fe25ad2bdb472b3f733ad366db0a43e711f41b9389cb5968ddc996dcbf60693f1

memory/4732-147-0x0000000000400000-0x0000000000425000-memory.dmp
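The HideFileExt=1 write in the Signatures section and the renamed files here belong together: with extensions hidden, the background.png.exe and guest.bmp.exe entries under C:\ProgramData display as background.png and guest.bmp. As an added example that is not part of the report, the script below takes the SHA-256 values from this Files section as an indicator set and walks a directory tree, flagging files whose hash matches and files that carry an executable suffix behind an image or document suffix. The demo() function builds a constructed directory with placeholder content (not the real samples, so only its own hash can match) to exercise both checks offline. The decoy and executable suffix lists are assumptions chosen for the example; the report itself only shows .png.exe and .bmp.exe.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the Files section of this report.
DROPPED_SHA256 = {
    "534b84885afaec31e695162922e672271f011fac57ab713783a8e59db14dab61",  # xMkgscQA.exe
    "de5b5dbefc2ee44a5721f8f787fb0f0a549f00423688b5c2fa7687939ef3e1f5",  # qOIwgEkM.exe
    "1a4bd956c34459258c85ca9c81dc547d2ef3e276c1f5d07f93902b4a8c74586e",  # mspain_avx_clear_patternt.exe
    "16c73fb18387ee9475cc0b2b594d7b515cb2381b31ec6c60333ad7e26ad03a7d",  # IIku.exe
    "35b30dd9128a36f7e90598f94e9f697608e1cd3591b83a1b0bb81d505536bd9d",  # Adobe Setup setup.exe
    "fc2e9175d43f81918373a15a4c50f426d776c565b59eebd2f16fd148a6036267",  # background.png.exe (113527a4)
    "f692f6cf72c575363e046f6b9cc09306c59c478913c31f34cf6b16761b1f424b",  # EEwU.exe
    "57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563",  # OwMu.ico
    "73506e9d8b14f45e37c48017bc914b44fae84f8813c05a8b54d91b43c95b921b",  # ScwE.exe
    "e9ebe657890b28ca547a3522e025fc388a1a881f010e4ed6a9221ed71163f1db",  # igUQ.exe
    "72ce355ad856c444bb237b4ed5e23b34754214ed07c52cf7026bb7e7c8023102",  # background.png.exe (8702d817)
    "043e7abbf70fcd1bd1f62ae286012a4327ed610384341eb72ef6c256b1e7a0cb",  # qsci.exe
    "3dfd178dd36ebc67846354fad7074feff469336bf1155da074954c74aec0392a",  # guest.bmp.exe
}

# Assumed suffix lists for the double-extension check (example's choice).
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DECOY_EXT = {".png", ".bmp", ".jpg", ".jpeg", ".gif", ".ico",
             ".pdf", ".doc", ".docx", ".txt"}


def has_decoy_double_extension(name):
    """True for names like background.png.exe: an executable suffix behind a
    document/image suffix, which Explorer shows as 'background.png' once
    HideFileExt=1 (set by this sample) is in effect."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXT and "." + parts[-2] in DECOY_EXT


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large payloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_hashes=DROPPED_SHA256):
    """Walk root and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if has_decoy_double_extension(p.name):
            findings.append((rel, "decoy_double_extension"))
        if sha256_of(p) in known_hashes:
            findings.append((rel, "known_sha256"))
    return sorted(findings)


def demo():
    """Constructed directory (not sandbox output): one decoy-named file whose
    own hash is added to the indicator set, plus one benign text file."""
    tmp = Path(tempfile.mkdtemp())
    decoy = tmp / "Device" / "background.png.exe"
    decoy.parent.mkdir()
    decoy.write_bytes(b"MZ constructed placeholder, not the real payload")
    (tmp / "notes.txt").write_text("constructed benign file")
    iocs = DROPPED_SHA256 | {sha256_of(decoy)}
    return scan_tree(tmp, iocs)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:24s} {rel}")
```

Against a real host the hash check is exact but brittle (a rebuilt dropper changes every hash), while the double-extension check survives rebuilds but needs the suffix lists tuned to the environment; run both, and clear HideFileExt on the host before asking a user what they see in Explorer.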