Malware Analysis Report

2024-09-23 05:11

Sample ID 240613-es3rrstfjg
Target 5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe
SHA256 97d7359f3f22d8c55f216eb2d7a3593efe5765235bdca2102a11136f1ba9d107
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97d7359f3f22d8c55f216eb2d7a3593efe5765235bdca2102a11136f1ba9d107

Threat Level: Known bad

The file 5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (78) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:13

Reported

2024-06-13 04:15

Platform

win7-20240611-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tysYskUk\wsgcgwUI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tysYskUk\wsgcgwUI.exe N/A
N/A N/A C:\ProgramData\sAMMkgYc\WaEgkAMo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsgcgwUI.exe = "C:\\Users\\Admin\\tysYskUk\\wsgcgwUI.exe" C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WaEgkAMo.exe = "C:\\ProgramData\\sAMMkgYc\\WaEgkAMo.exe" C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsgcgwUI.exe = "C:\\Users\\Admin\\tysYskUk\\wsgcgwUI.exe" C:\Users\Admin\tysYskUk\wsgcgwUI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WaEgkAMo.exe = "C:\\ProgramData\\sAMMkgYc\\WaEgkAMo.exe" C:\ProgramData\sAMMkgYc\WaEgkAMo.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tysYskUk\wsgcgwUI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tysYskUk\wsgcgwUI.exe N/A (64 identical events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Users\Admin\tysYskUk\wsgcgwUI.exe (4 identical events)
PID 2032 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\ProgramData\sAMMkgYc\WaEgkAMo.exe (4 identical events)
PID 2032 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 2032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2032 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2032 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\reg.exe (4 identical events)
PID 2760 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe (7 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe"

C:\Users\Admin\tysYskUk\wsgcgwUI.exe

"C:\Users\Admin\tysYskUk\wsgcgwUI.exe"

C:\ProgramData\sAMMkgYc\WaEgkAMo.exe

"C:\ProgramData\sAMMkgYc\WaEgkAMo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2032-0-0x0000000000400000-0x000000000048F000-memory.dmp

\Users\Admin\tysYskUk\wsgcgwUI.exe

MD5 9f48a92fcf7da5c34bd00d903715ff40
SHA1 c7ade204b44f672d48ec9e1c8f88bbee3ed9971b
SHA256 120290c1ae897adf3dd4dc3a6c44ad4b3d94d1dc9cb4a43a0f44381771e9fa00
SHA512 6eb83ceb106d2d9d14fd1078621b610c76ca604f7ca98179d117e43ebf044743b0f41a0288fbfa8c0dd24786481cbca3ffed7f1f00e8b98c1e4694f2b7a147dd

C:\Users\Admin\AppData\Local\Temp\UqocgMoc.bat

MD5 050fbd2b6cd5eb4c31423651f54418b1
SHA1 67f7e524be365c8b81243c0102f52b13862d85c2
SHA256 53aa1f0232ad142b6e6564ff85dc192605a7a029da1b73fb0d54bddfad26317a
SHA512 f0462ca90471c98c48148e34eafca51537cf0ea3c326216088fafc5eff58d257590605f8621ddcfebebcae855aa7d667ff4ebc729f91826395c2d23a9172e877

C:\ProgramData\sAMMkgYc\WaEgkAMo.exe

MD5 3557c1a4aa84df5c700f3bf39d1e24c2
SHA1 82989367ef9068b36ff3a81ebef7c3cc3936a3d6
SHA256 d9a7a5bdbc31efcd77ea10db55fa6ddc737312b2398cb436030ce3aabd4de2ab
SHA512 7aa74268cbcaee35581a3c9bdcb719b9e32e34ea4da6ad07e26f24bb627bf2b524c236fa0b97c54b8c64bc4d0bd91ba381f155dae6cb2c82bc1ca2123cca2cfe

memory/2220-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2032-30-0x0000000000320000-0x000000000033D000-memory.dmp

memory/2200-29-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2032-28-0x0000000000320000-0x000000000033D000-memory.dmp

memory/2032-27-0x0000000000320000-0x000000000033D000-memory.dmp

memory/2032-33-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 f799fab3ab16baf6ecae1d71054473e5
SHA1 b838b578b30178b92bbbb9a14c130fe2f997a758
SHA256 1e1cf100ed9fd99251442cdb4abbb0eede1ac5c04d89fe808e61173cd45913e6
SHA512 c02e67bef5a48605463dc3de38b7e4a99f0d19c77ba445c818981bd9624cb5b46ef1c52e6d50f0b0a1b376b4c9f67dcf675c4fa1883d67b1e4101756305e27a2

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\kEYU.exe

MD5 82c79e1110b8e73a01151a03fafb01ff
SHA1 a6f433b8aef75837410e0320c470f4ffb82c3d6d
SHA256 3f5e07a0f8c6fea5049d0d9bf0ae674af993e89d4cf8daf7be670285cbae510a
SHA512 7aeb85cffda99e5b00be45cb9727984c209eb80d6baa8ed79566ca8aa73ec8c2721075157df12b2722fc09d968f3893599fca57609b1e7f666314349c91dc130

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 f66c0dd2971cb6986e27384feeaf7360
SHA1 067f1e3cee6bb21563f4f7933ac191e2745a5585
SHA256 e0192b9c5d7886510d54c75e16cf420f0a758a302bb72be6d09a9d00911ff3c3
SHA512 c163eb67e2e89683557d7bb7f1176b66679dd6d4fb6a8e8224fa624f41e118e5ab9196697d978ac511ac6b748914c1e1c16dd7d6672b888057bde236028e7516

C:\Users\Admin\AppData\Local\Temp\ckws.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 5dfd0aa4f77fcd565d89094ed31a8172
SHA1 aa9bc326c5ad494dfd9924989791136ce66726d6
SHA256 cb8e441ebdeeacf3f62308aebeccbd4573b9d24777c7eccb1c2042d55afde1e2
SHA512 88133f40cb3ce34b64c24177c2f633fd8f87d5ac57ef2f5e12b1873e35b8143c879db16c892f5d1e59c3b00b9952fcd6633b2ea31a78f4d3265e66f132823c07

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 0af319346c636c2f540f2fde7b755a78
SHA1 824ce240ca5b8b7a42b22b1ae748fccac17e54aa
SHA256 c119fba1615f32f43a7f333d0e2c3916f70758e9f2b4b056591f335f0dd9ee82
SHA512 1f6c37c939c1a5a438925bee9b056304464188f64821465593bec8d563dadadd5418a8b597be5e6de82463a9a8ac4b92781ffaf408c08885051448402f692106

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 29865e771cc6c30b059bf2e6b30aba53
SHA1 6357e45af006a6fd2bc02b19fb5be424b2bf5468
SHA256 8f6c75754d130cc0e842bd837f0fd2a1a6a654b129e61f1a4b159867bc818435
SHA512 7a8a5cd3722439c76cb635680cc8bebf33b5f7910f97ea3ccd99fbf7b2cc7c96308a1596633ed268f530b986a680947d583563aefe5ecc83113f87a31cabdd0c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 fb4a8feabb909a37a4aa06ccb193ba30
SHA1 c9aff1967aa9d3f01a16ef26da22d47ed2c767a4
SHA256 f2b6d59eca6bbe8cd6172f213477fcaab2e7e44c45d6533c91cc74a3cd46435d
SHA512 2c8b1bdedebec491e37b28796db241010fe381a8fe3ada9b2b3f436d782cbbebb14a1a01d29f1fa95b792d5025b18ef1bdbf143b5a592eb0f1aa9bf148fe8bc3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 0842f8bf57d35363ca63feac14f26436
SHA1 25695fe1726db7dfb3d5bd2e9f175ea2bbf1400f
SHA256 99e8ce7a0b489150a9e371f8abefd77c60108499cd8dea053d2f7b221974d21a
SHA512 72a64c4ae13653ddd06e82655b524f6921ffa35a96c81d3fd5bf98ba0e1c014fb71942c570a882ee5da34967e69db9d003f5f56431436d074608bcfdf4541014

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 a97f6231c0fe8c69263598cfbb5e50a5
SHA1 2ee1c9e4f667dd4dda23919c24e73045ad861946
SHA256 e571e9c111c4ae8bb98bafd50143f49a3ed7f361c59d0034ab246e5dc7825aad
SHA512 b15f015674d67f2a0e906f265960ef1556affd77ec0568adb675132ca990c47ed5d24bae6631e19cdf27692320321cd1ed0156826f5daf178e9d5b677c6f1a40

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 1c682ac3adbcb95980e2e44a9add090f
SHA1 82aaaf13893654f494580a7a6207f640706f9a9f
SHA256 8fdb13d82042792e837bd9c86df3881c33e831ebe9d7129eea9c93edbf071572
SHA512 c8d5ae8a097c13cc9736c1800ec6772eb2f0254ddaaf9a4bcaf795fa4bba7eabb54a43ccb2a08c8e11ffb7cf825e7ecebe7164bd57f554a334ac10258be0782e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 e323e59da19fbe0259c12043797b4f91
SHA1 ba8808f9b08039cfcee5cab40811154e36ca5733
SHA256 0434203eeb7eb79860b99fbc12e6ef1b95ca9e0b61b103939866d80b625b50d1
SHA512 eddf1cbfbdd4353386d0138ee12c4615b6c3dbc5b5ce95806b2f0fcf8e8f8b391edb6e78affd99425463bf1ec42bacd686fa8d559935f60e795b40b4c0a1020a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 637bb250ce2058b4a9e9798e027b69ef
SHA1 371340e21fa21c6525f69a01797ec1c816e4be11
SHA256 ffe3a9a690e5ef83313059d6311c9a899bc1380602a2aa7a69442832b777181c
SHA512 b75d871aff17ff9cd3fd603c4ac3b6eb0e7452b456d4570c841be385f198a349fea5066cde57c914350e060b041e45264a9a02c7b8b85ec3ae5d77d030fa8624

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 6a812f2692460f7e2f363e372808ecbb
SHA1 a75dc0dc81d5f97d1df834999181f4331f387390
SHA256 aebf8e8391461ca1285bd974b66c29c2d09ac98c4de2d437e760b42edd977970
SHA512 fbca5b64d3346e8a8a689afcb4a2815b87d307bb91caf5df68ebdefad3df285f7c291adc9a1e8298f36126d3743e35e63b1df15a05bc6e99e07d5fe8b8c4ceec

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 c149b602de5c42f36c49ad21a3845ab0
SHA1 1cebe851e1eab9568a177c9b7b2567b05a4c5c7d
SHA256 d3aeb142094d9fa298ba1db2a50f92db523f0872d828b00f7a902c3f2debf46b
SHA512 6ce8ba05d7e1f4a7ff42e3941c4da9c7bc68769ba9c80c3a92f3e5434c61eb59bee4897bd5055c0f46f59c94b5a2cefd1bc3e052fa88798f7c2f40562f5ab42e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 6242589d736c13c9eb2972dd5cd46e65
SHA1 a61eaae74427bf43fee1f248a39318ac77928480
SHA256 e7de5d790dc2f8af59c9bb2e7ba7eec40cdb5a00a294f292aa1e8d6e0d73bfca
SHA512 28b95a2986cf7a7a64668589f160890f5fc25e403eb149c35fa4a7b7acc8d25fd219e20eb2be937370bb408eb4e7d08f0f70d3c1296b09de2ee49aba3fd742b5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 48683c873f1078c2bc844fa686c6344b
SHA1 1191e7c641ac87973cda187c05aebb65d5cfa3aa
SHA256 0e1080ff4fbdefd2d289ab2738566817cdd0577fcb6183c671afaed209eb8d2d
SHA512 d614455ac6ce5994fb4777224c9b7d3235cb934c4429c008ed5da901531fbf78433ab7860bcfb3b47edc238e045f4d9adc9f799d3c47511074d73d5d652b7b8d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 5a6310830c36b062d3a8f323ddd9e209
SHA1 31270be17a02b191b5131e08ba0f3e2d1acb0671
SHA256 39d29599ece38db8c614f4ee4b0cc0a07c0f2abbafaa549161c7242173de34d8
SHA512 29a4827338fb1aecfa0c8c7fe2a4938112580402b67dcc08b737100bded48ed261f6f958a5f6bfbaac9d948e4fcd24844ba2a530bba1145f7b5e8463c645173d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ab594366fcf7b8bfb73a6211e341b387
SHA1 bc69930035302f0466b63e03449cbe072729b7d1
SHA256 cd1f545b0aecdbb098838dd6269281d8badde487dfc56e0278590d1fdf2fc0e9
SHA512 e4d32a1c5fcb8bae4a60b0782fd673cdd71561d0658856587f71d0a3647d36ceefe097c48712bef368de4a32bf98949c0cd99b9d5d7ffd2724e0553dde8cbf1f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 f99c4a87ec6f1feb38034dd7e2d2fce7
SHA1 1e90cd3bc8821b8088176dca09fdfd3eb170de5c
SHA256 756f21ad5b9898d8c40a041a40f169d060ac5f4e328df004910b49122dde9b66
SHA512 326f11dd23ccd9a82f5e792732324cadee2c1ed401cd28fb7444f72e270788bc88d38692f99961140a914b7bd72377d703a7c8d372d2166e307b7d2873088b68

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 91971f604be77b250e453d7fe1f90b94
SHA1 c99de6c08dece7dac693177546acd0860cd160f5
SHA256 391ca59d7cac9b4e13a3fd496ae3e2582347a34fb09333fbec0591a865e1cc7e
SHA512 39ec6c016594c24dc70b2ad54c3aa36e848915be9d6e46cee6e42708732f9326575b83031de402eee35d7fd9f9996e4b2215da2ce96f4eb899addfee48214abe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 37388dbf8e6950647fd8607cf9c151a0
SHA1 225202b5f74a9ecbc07804e3162040c2091b0ea8
SHA256 8bdf11d52959aff3c9f6837929f12d723d1675f837e57b65117979f8d6000fd2
SHA512 952f39ac686697c2dd5b8277e5273c03918990b08817f5dc9611a8f5cdff8e439647b8645605f79757e5e9c233ecb4e3c89f9e6c58f53a098912c62e92211458

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 f72accc30f7e3c795f4aa12a193d8fd8
SHA1 cf93a9ab3ba9867e81bb5f4906a701aa04bd1e37
SHA256 573054350c87145c8fa2279801305c10cba01336eead5e3c2268f9d52ce62e25
SHA512 60c2ad2d23537d9e9ba3162c27b88ba481a4527593c2a9c7553fe5a7cfd0df7b80706183ecd1b6469d4035812a8741ee3145e35e465adad393cc49035a1b0c68

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 c1eef472603783fe8f85b5b8f44d64b8
SHA1 a5ce562983cd1a620895b185f5d14728ded764b7
SHA256 16d7ed90d4223d22279f7fa45ac6c94e2afd171a6abff595a37725fb29010d72
SHA512 4cedd7299f4236c5f34d9f60bfbc0c7070f73ceedd03226fef6b23984536c3b7b40ebc1ffca41240b854554e184f2174f74241121a4afdd6893c09d5519c9ac2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 71b9923df74f4a29f61ce24e06e34179
SHA1 71647ebaa6c2474d395bd696ebd7fb24b0a4500e
SHA256 5e269b73b37dc277c2855f2d146226b58256cfcf108f356421fa995a44ed5f3d
SHA512 e75f538cb955d793b7c68fef63b5e2cda15c248df34ce811a3004ab96be29f7e3971ebf821c6588a030dd98bfe0b81250c35dd9b091704a3692e68fd080e10ba

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 afa7b6193847d4e83949fbdca9ac4296
SHA1 dd06a5ce1d8ce910f7b219dee77b451eb7060ea2
SHA256 d640034f74c516c0747b5f47cf127059ca48751713c616450687ec92948769fb
SHA512 3b890cf019df18979ea3492acec0f3236846dea49e484b972e52ee89fa02c10ccff287ec1c8e0b1664f339c206791c3b6d5175c3470d5e35a7f68244c30cb80c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 3edcaff49b03afbccba9233bd0635483
SHA1 f0e1fde89a1871bbab8223c749ab95f7d32cfb96
SHA256 a3aef61ec951313a4b6ea00e3c940f65a2606994277d6f2dc72d7f3dcf3bb5b0
SHA512 9b33f53d8faa8b3fc4c4b61eda378246bf1dd78b3ac00508808c87d343de5b4d9a6e35ff8890d85a95724f702d1fd750703636211b1edd0b021a54cff3e8b040

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 3e344dec0a16165a12e105a8406ebb28
SHA1 973861f1f7c4b4e5a52fbeb19a126c14f0a82339
SHA256 24d77ff108260625561e0c653e05c00dc745c986d28666b2ffbaf92873ae7c6a
SHA512 467555a4b0f98f21b8abd55798e0df6e9ece385f70d2a24833ab068596a61f9379934703d81591373797ffd9ee7211427a3fb8e026cf8c589d5322898d15417e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 bb56796c435bbca1f6b03bc97c91ea5f
SHA1 61cf372dbd75ed007d5bf21027a96ef5849859a7
SHA256 59ebcde7ec51326a39543b3a158cbcbb1532a688ba1bfbb24fee792d5e70719e
SHA512 5af8571eb7cc5eb19245334fd4ca2c0b83685389a91940c692cee87949b86aeeeb12eba8512f1980245cda24625db6edbd13aed1316bcf442746d45a0cf5fd06

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 6553376e7071ec3ed1d02e94c1c82c4f
SHA1 cb45a76add183bdc267c83ab066d8c37ae123567
SHA256 bc4ec0252d569950ca478df9558ceb4d9188bd0f51d1f14cd52f27166ef201c6
SHA512 3fd3006e730d65de2626d99818bbb9efb7dc93179898807d589191ad33f39ac7e76437d86205e5eb2c3574cd50c32a08aa4ecf0a17652ac2274ecbd978138670

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 729cd6b8f7e7a4db6e7995ee5b0a487d
SHA1 ec2e82cb5921646428afb967a91a4c97ca116f3c
SHA256 21352a9af47b18e35319296b29aee25d989922110c7fab6f026a8cc5435ac761
SHA512 5699986703ee8d0dca11be07e31b0f565602fdf6962cbca364e011e1846cf0366a283d57e2e9f0564bf98701e310434042ffe71de92313ad6aacbdf1d8c70ac1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 4112673046dd531d2ec6c5226dcb0d3d
SHA1 d797ee445e4080835af2c007dc5807d3eaca59d6
SHA256 e0104ec0f9b21a044ecc346932d29b9670b7daa1f76eb2489581867917ff1934
SHA512 050dbde10c1ceda732a02c0479431a4714d339a99fbf9ff8b2fa19492b42f0ad79e5b96c55240d67a6a7d31de6b719da54de5f388174648b720e7dd0fd5d4b98

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 d09db4bc4ea4d7b3559bc46ba6e49bb6
SHA1 90761e9eff97d9c311d0231e7e95688552038a52
SHA256 a2acd7b00e12d07b5e3edae516936a3b03b984bfd8a7719dd26e91a6a87cab3c
SHA512 1729b275b1b5725da0b1547993f72be109193e3dda30265e9f92a9f84636b056ccb67c4b1e52b4b7ffbd309596ad2063f609961d6bec875d9af52a320e0f67a3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 b8a1ea70891c9719345772d93547ef19
SHA1 59631dd8eee378628c3d9ccd420735c548b06ab1
SHA256 c04ba35ac45ce21d3ed160ef2683e5bf9697670dccbef1abb5042ddfc97bcdf8
SHA512 8c80338217fd0fc97d4533f595205d8f3a4796ce027e2321cc8b955cbda08046d85a66c2a532d4e087b0fc107a8580d04f034affe10e09e1759918ae2a22b17e

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 971abaa358001edd9a8ba37d326e8453
SHA1 f044a32ed68518e001b6e2a39505bd28e9484c74
SHA256 208fad833f9680cc97061b3180b7628495d4958bd40f38ead4113f6ea718de17
SHA512 efdce7e2d6a01f7e804a4bfba831cd50c94ddc0ead341cecfa245ed3a65a99b12c58fccffd2d17559ffca2daa905470a0980ad251f2eb92d77a19e670ce318db

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 67a4ae5c14c1cca62b6869774a40c671
SHA1 bf7d4b20d6b99c4579855dd731199a9477113b11
SHA256 9ffde5661e5054053cf76e1f9e1b1fac70248e1e93353b0c3a6331c88d7b9e97
SHA512 b68edce4b583e8f4c1d6b80b42e0765c27b882310cb79315ce7ae376d1cfbccba6370df7d9b8ddb79c663015edd1e704b75e95178611aa95604b3885a6fb3fa1

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 2a8aecf2efdd67bf5f07fe83f1b88cb5
SHA1 2a799cb3383c2107a416097e335d4a2c80b7b9bd
SHA256 a947a4da22384ca90bcd652cb9e44701b0c722ce282f2c79fe683a02636c4abd
SHA512 d507915297d3e70c039c9e82e969d89f660c4c18a5605bc9cb6ecc2fccaebe0f5951fadfaa929c878fe97d72817d3974a0a688c43a7efd529b1dc643a2472122

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 c90d3d0b69f73e45655f7fc5e0acc0b5
SHA1 7a1571cb1933ebbc3f310c5788d995f569ecd194
SHA256 06eba1d36e8d13e593197a36d496f353420d2f219ce1f29b208a8d22b8228c85
SHA512 0f909017afe295d687fffd4b2cc7adf612bbfae4ce35a4e284cb6db08ec43049c7327c97a916b99de048f0fe675dfa0c85fd4b6ee773793655208d506d21583f

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\icYi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 d6b307efd4427ba4b0f9f5e43b48ba3d
SHA1 b533b2f7c529b9805050d114625b484fd9116c0f
SHA256 f9b7be2cc5b4df0ce6331df89e32c7003fef6ad186b90508cb8bbe55985b72d0
SHA512 a28f86a0a88be071e86c050d26744378f178e8d3e3cf3fbb8daab4bf716d563697dcfef87d5f2692b871a59db229798042fc1f9ff1a9d7223cb6f1fe33221433

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\AppData\Local\Temp\Scwy.exe

MD5 03febaf1267210bfe66e0edd1de16dad
SHA1 9e198e97b39d2065a9151dd1e50cc7a2cd064d99
SHA256 9c6ad56ca316b78d4014a7a4579f9c3d16ee14784a69a3e6ef4bd302baeaf192
SHA512 9c634f0345c56dbe4fc6c73a0945cb5004869b1a047903188ea90d6e373d02907feb6b18c2e80627adf8db557dbe04f05b8bd1c5e813ec50c5f4063625791e00

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 34e8eefaa3987aac70493d18360923d2
SHA1 c6751370fa07bdf07ed9a46e989afe655428ad8c
SHA256 9c24b0fd476c32b41fe0997ed91884cf4bcf4e5eb7ddbf2068402d88205cf075
SHA512 92911ea7bcb50598ff46a3b8949aee51721d586acd7a2fe6d4285984694163143ccd70a11dd3e6b6e2a4d5d6bfdba862bdf64afa8903052220696f0788c0ae9b

C:\Users\Admin\AppData\Roaming\DisconnectUndo.rar.exe

MD5 7b5471b1449aa64f26dfde76e77fff52
SHA1 eed066f1921dbdc15870947b4875df03bc22d216
SHA256 42b44a4f000f0831723a881e2826ff789a9362e8888079540bd04d7724fa84ec
SHA512 0ef92ba7e98e162a29d2b0844d365efce3dcc6ff9ef5cb6fb1dcd09a4045beb5527aaf463a783984e7370bbd5852d7d6dcbccca2c95d1aacb82b3fb5f44ab6dd

C:\Users\Admin\AppData\Roaming\WatchCheckpoint.doc.exe

MD5 97cbe36259e13207f6beb589bf6dc2a2
SHA1 c8404da104d06ed738967a1e9e43229d055b9601
SHA256 a2858ee0bfb9a78362b1922f802340d58a869c3e1be9f83ddaadf5b900220ad5
SHA512 4550af075996b202f9288f2b3265037675c53101e3e5adcabd5b87197181a036413c87415a6500cbb664edbc93729010cb96c5eb1363a56d817490da6d3bbd2f

C:\Users\Admin\Downloads\EnableUnlock.mp3.exe

MD5 41d33ae12e0e9243911b115ecedc5e38
SHA1 0415389c18b33db1e0994f2765eea061d562ba8f
SHA256 8f1b52ba8c3c1c41d6dc7c27b93cd1703d6170f1fd5dc9d6771ca875de435396
SHA512 8adcf3494c4c55b518e1cfe80b6d1a4a552ce1d56d04abfb6349db521c0588276c5160695378e736d7414266350e2b28573a3e40ff9d8af41f199d5cf05d947e

C:\Users\Admin\Downloads\GrantResolve.mpg.exe

MD5 07d2ee9cde853a5fa9755c3f5257e2e4
SHA1 f37ae6af8901e13934e2d12298814d399c799a6e
SHA256 8f10c2e04892dae2d7d29a1d50d3039f994ec28778edf3e0f3f68745cbbb3d81
SHA512 e5a293dea1fb9d58f2fd9f2c65a6836d7e9fd30ca2abbb7d1b9b723558e9d1a8691af826d089cf60628fd2386d78e9c330f0cb0effa0572d740c579016792b65

C:\Users\Admin\AppData\Local\Temp\ssYA.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Downloads\TraceShow.mpg.exe

MD5 15607a77f80a928871201b00b06dfe84
SHA1 d9a90041777cec85aeac13a8ecd1df91a1ae6951
SHA256 5f3af7a2122d6cff14fa30912c6b6175d6d62e9a1c63484e8ae392280f41a248
SHA512 7cae179cece5866ff861e97c07dbf77765616c239e93b57bc940e4640c65ecbcc2291cd94350671bed0b315c95781fc4af01f5a7a4bdbe57c01eaf6d26636227

C:\Users\Admin\AppData\Local\Temp\gQQI.exe

MD5 e9246250d315f80e071e79f5996a4c54
SHA1 81b60947f2636c8f96986316567ef3c38f1d0fc6
SHA256 1c4c50a83b9dfb1ed21b2fbddb63b0b5bdc0c4be27e0b95cb4d6022bf972a773
SHA512 95ff828b54807fc1ae96f70c4e7dcb28bdcb828d4f828b4f976a73fef782356f54e6f941b4fb5d2374ba140b0feafad1cfc55ef55c32cf1d84fc67ef27cd936a

C:\Users\Admin\Pictures\CompareRequest.bmp.exe

MD5 14e7ac9860662bbe71d2e6af2d286f9b
SHA1 0b6b2827fd100e275d0d754b0ff3c6bce94bb8ff
SHA256 d6577bc696ff70fa2106c87c5d8a4fcc914a655fe25df7f5b682f9002f4f5bd6
SHA512 9e656b9a98ff5225e6b911085fd26c880acc9ae7d60a41dcac8b321e8aa5ead75422bd52d253faea61f0c6abbd9778c92baa6b6eead9d62f5bb579cc8b0be01c

C:\Users\Admin\AppData\Local\Temp\mkUA.exe

MD5 29a2c51ce49a6a8cc3301a7a63ee7d19
SHA1 98aae3c825b1ddae628e59ce7a242084142a0707
SHA256 b5403dbcb24e784988dfba39a28fb3639ddb05d17261e5d972f7194ea7148b33
SHA512 52fb74243eadca21833bc9b9d2eca3979e626d0bc178f4225bc55f0543b6672ac01c1f0a2de807207dcc94631fa935bbe5f86f03c9c58969824023f2461bf9d7

C:\Users\Admin\Pictures\PingConvert.jpg.exe

MD5 10f44445fb72073aec4d2b66d2fb202b
SHA1 9233c7f0d845e8a6c072ec317952b11a49e43462
SHA256 aab1ac784d8ab188cbf7236f38d7f8cee667bc29c3cd7d1559b54fe493d1adfa
SHA512 88db669482609937f14ab9b205571eaadae430e2594190243dd60208c9e2ee8a28cf6d4814a6520a93472c21bf62e77cabc75b1a5006bf490f18b40a92567494

C:\Users\Admin\AppData\Local\Temp\ccgC.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\Pictures\RedoOpen.bmp.exe

MD5 72720de13ac547b4f87c71c3691389ab
SHA1 4e9dfa7581df5f44774afe633ddc7dade9905b93
SHA256 ffaea06012ac06082307c3a625ec65c5ae1b627bade96a9cb8431a9088cd720f
SHA512 cd2d9f022944cce0193be329b93c5d8facac9ac98df4327517e6de0157c22df497f9fe726e92841c3e841097716ead9b7f99c13bb0c9822c129d803c62e6ae2f

C:\Users\Admin\Pictures\RenameInstall.bmp.exe

MD5 4fe7545d58919ac53112ad1ce2503144
SHA1 44af562847591a638281f9a31c5a00d187e9b127
SHA256 f90fdaf0dad5ac7a216dfdf8b164f1fabe2393bf9178b60820dcc8069ae722cf
SHA512 501c32625292a08061ee2fee46e2cbacfb5af369ad6029c3783186b4034fc931b59a40706baac566eedb8d329c651a851671393a008df3aeda01824c2db7d8a1

C:\Users\Admin\AppData\Local\Temp\CMII.exe

MD5 0817898bfec70b54801f85f34b82d22a
SHA1 371adee3c6068a161fbfbd9f825d8ff346cee459
SHA256 745c2741ed48aaa6f173636a7e5e3105895623b17a8705603d0d935bd91462d4
SHA512 e0eb209b5c86eb76c399602fc756658d6c556e495f4c987c3f481ede4af76443c4e800c7045e9bd32fb4f1488bbabb1c6c7ee0f2dc936ab679d2e2ba6598b631

C:\Users\Admin\AppData\Local\Temp\sYYi.exe

MD5 e38793466f3cf328a58948faa9156486
SHA1 5cb9c65595a02207e7f84c0b8a62573bb76ce981
SHA256 bc21907172c711dc0391bf1031ed2e4fa4e8c5d0e6c5a95224efcb3bbb8cd892
SHA512 4cdbdc82e190ce01ffc117041a07a221ad46947b7973592f9fc3671020531db723635659b8ed4d3010759c7f21b999fff8f823597d685b974d5d5259ec4255d0

C:\Users\Admin\Pictures\UnlockSend.png.exe

MD5 69cd5341d6928c5434fe129b04c9eaa9
SHA1 cfc55621bb38cfdd8f82def95168a3040acf7a02
SHA256 4263ceace2fae2426ad60cd4d1037c1df1100e16b0da429c2a835a588dca483b
SHA512 bd50ef7c40ded2eafd1dead34cb291d3d27260d588c0dc26e8f25a53d6bd0e65e3ac7b0eea7c7dfba92784cb5e5833527163ae0fb956fb412c40d96941589e05

C:\Users\Admin\AppData\Local\Temp\EgQC.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 6b36f513319222dacaf73315f703c505
SHA1 a524013dd709ef35ea7a5895a6cf3320b9e84af9
SHA256 1c743b0dafbfb73bd02578db034432232fe20831ecb920c93b70dd995dd88cdf
SHA512 d67e6868c51d84533496259a830be37453417c78273acb2170eace71451097ae2a5c72641efef1fc8f629ac8145b80b2b529067b113e419389f07e0ffea8b86c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 679f885d7c863c0618199ee80ffc6416
SHA1 6cf0d1a386052c9ba900adc18c106afb818507b0
SHA256 b76670c646b50aa4f7ff23d56f88a146c9ae0741df805180f94d0b1ec94c1b1d
SHA512 68f8e4e928abab8afe26703ea596987e6352d77d05ee1e4ad9d1a7fbd1f27188ad1c8bdc55710ff8ef7d06eeb2a7dcb0c3b64757c0a96206b2bbd91e5a0669ac

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 2913c208df090a4ff329a202ef05bc86
SHA1 24b9b9aca5207ab8952ce55029288665a5914a16
SHA256 077dd7087f7e8074a4d98a55a2ef4d95de5727bd7c8badc6cbddd39e247c92e9
SHA512 4116fabe688a01d5e5741aa532672074d8600ce1664a8adf0907f33191d09e61b855c9139349b3095e39f01936b03f7aa5c43d66521cbf2bb915a009daa0ec65

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 8e864ae5b7456645e979efe3bf038cf3
SHA1 35f22e2dbfdd5468697d2612f0393051b4053e97
SHA256 4129dc5f4f4370038746fcc0f34ca0d147604336e049c58ac8dc681775bd313f
SHA512 c52a8779a4540681199cbf37c9b161d515407114951f8f8c37d196af0271bba88d0dbdc30c325b38435415e42b97f24e22283293bce2c43fdd20721bb336cbde

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 28809ced2134c006478558cc7f4080e1
SHA1 535153dcfd99437ae7c5a8df9983febef4619b76
SHA256 e97a03ce87b8053a4eee10e31cbb41358c86b70d04dc13b40607270547456684
SHA512 045c3b76b3d0d9bdccdd32915a38f0147c6031634cc710541193e65952e0f177e7a85586367ae2c91434b3e48b0e4b36f653936fc5122507d03e982a0ebe5727

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 67aa1e559add365468fe153c83b0d5f9
SHA1 ebb06f90c61bf0729528934b5e6eaa193848cfb7
SHA256 5a7b6edc70703ad92aeda9b7fdf289cce1c1c89f1c810c6267db53e73c5d9515
SHA512 78d606346d6b32b7a3e88ee3c416bd98241fd39764132ddeac28a73d16b9a7b52223cbcd1acf2e3d7a2c1c189164813e055991c1fb42138d5997ec2fcb0d5bf6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 3f14960223672293e786a2a9a29717bf
SHA1 bcf8e72930433f8bac26ae4d074fa6e2af4005d6
SHA256 d24230b1f39983af30bec5ce740d5e770101aeaecee94199cae2d0264c50e5dc
SHA512 8a716d2ddd2d5c2e4e9023c343ceec0ed7b9c8026dc1a8e54f177cbd262e07e5476181a145b55170207bc2f906aff0d71836a86f3817fae535b055dceeb1683b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 7db19a189524c30481e827139f794287
SHA1 0e9cb825e8394a61e859d1d5e7241d025f0a53a0
SHA256 1e2c04272b3b4ef8a12e32a57a8895867ad2ebbab6981358d9bbb94284952199
SHA512 526ee6e12fb4e8ed0f334583051d27c5d7bf278c134eb40b633b47d6cafb0f1235ca8c707784a7dbc27b9a851e3992f0f935ae3b9835137d40dea78b9dd9d3b4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 213de3719fdcd6b7130092dd44994d52
SHA1 79259fa27404f9b4704390e077912d006769f0ae
SHA256 250f3b4dad869450c59a5ec99be8fb67fab3179402fe2be93dbd8cad67f6fc79
SHA512 4b131a9e221f17072682bf6d174c6858b543b422e916c199ab3145e46f749f01108c26e7c100a92d76f3c175c381635d3f4e374bd1ca8075c267944ea68d342c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 b37af0a8e1a4e35dfa82b2ede8e494c7
SHA1 6182aee34e96287641bff649b88aaa3263408211
SHA256 7fc7a3e336a08304d82fb405cfe790272267257d85e06e2383a4f7e0ad9d74cb
SHA512 8ed8ff943a075f379dcb684e2e260c91fb86fee859a0df1bec50f07d72c1073a95c80bb1cfc845feb797e4699ab9cdfb34b4151647cb757cd62d1b3af57afc07

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 ba836e5ab6b68a85c97fec9d3b43b217
SHA1 b283bbeefef112f6fe8324461a53180b4bd1c8aa
SHA256 cef35a3ab20a1f057819966bc0523ce77c86b40e6d61ffd25681d88c16ea5ba0
SHA512 04c6979a981ea5bb1d5cb50e7b10d1990b722416a25f15088a305301ef5bc169b34b6e05db380860c3e72294f79ca9eac4b1af4355355924ddbc17acf9da7602

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 2011e5d4e499a0eea1f01942a5b850a5
SHA1 8a613850ae07c7a58c703e2207ab068498d89c8e
SHA256 f264307442d6ab0c60619c719f075b977ca40edd9def1b626477c2ef08359a9f
SHA512 a7efc2fd12715d92ce5d059ac1cb9d75037803008e6fcadbb7b3465a17507ad088787a121165e2e908ad27f00ab0dc52bc6dd79dcfa8d765dc268c1a8fc4381d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 351c81c7f788737264d580f623be2d41
SHA1 1278535355b5835369e21ed901d194caa5903fe6
SHA256 59c5e92ee11534f9f76ec3a9561e2cfadfde30f85055ba934ef34c8b0a5a028c
SHA512 3ad746f5d144f1435af4f98ba0b9707b37e427f910504a473c3ae524302d3725acaec19e466dd8dd3a344026361959febd6a8cc2b2d1d32b6675e778a19fc248

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 ac1d0675f0e4c4530eb66e51ffacf085
SHA1 bf284919d73d80b67cc0838ab3ef12d42e8b43c3
SHA256 94c49f9cd796c8bbfa5493d1d27d6593a9e831de1f1a521d82131ffd83ac2cfe
SHA512 725a8c66f1444fdc1c8b26b9133a3fd2110fc854b7a1a2a70a8d3c3cf735d663fc479abdc6efe25d4d3591a196807674f84fd6a1b2160dbd5cb8b33b80a3df7b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 e15055a1e263de9563d65706f85bf077
SHA1 df88b32f54d097f3170841fa8bd16cdc9c0da1db
SHA256 7df0399a1a861f2f782d7ea86075163d96c2fc6a425329664f1eeec5520a9972
SHA512 9597f85a88d6f464701f08de9f3d61bf990061df97e240a0dc5a527206182d414e02a719f958f9840f40f015e6cb845072c6e4d5f87358a49d8043a622ad4357

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 b8d533aa12bcb2811e01e8cd7ebd22ab
SHA1 c6a8a93ec9d4bf13aa99959aa1193a0bd9c8a39b
SHA256 cc635dd5b4673059142edfe2d195676bdd239ff04a69d99dcc4b7502096ccca8
SHA512 3dd76a9c2b484270126fd16937b38395979172c9e4fbb6a39a42d0a0059f47e6da263d1d7de287e54df49ebff0f5952c1777311e37c834ec10d4e9b119262a61

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 6203907e71e4b11b4ca52e1a484183ba
SHA1 74eb6277c885060163346641081db671ba4ca7d4
SHA256 9cb4c5e31e8de88da6ca91b3900bac9da81e04108f1138f4e3e080519c18c459
SHA512 18e01b086555fc47d1e65b09f7233f665769b628fa1906ec05f481d31118640ae2c4705d1bfd648ac8325a64d33b57bed96f55c1bb804e49aab3ef961652d6ec

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 074a6c054288681c7bc156636d75f707
SHA1 7f05e3983043ee3a885dc1fe1390ebc2a0c99071
SHA256 c289b09bf8e6330e99de7a2413a460a7a1bb85e396c45504ad3a5ee2fd93b497
SHA512 1daa4caa569e72f1807f5bfee49bc4cc12f56c86e304598e86fbf162d7e177b9443bb7248edeedd0618660053aac570aaa3ad10ea0ccf338cf614ead959df0ae

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 70f68ea0bc0e7c0cc62179347b9f6e02
SHA1 ceb8e93e1433b4dc840f26b70fe950b4ecc64f13
SHA256 76051d062822075d36ff32f092f8e858a402e9ba5e57f372842c1717db380869
SHA512 166555b173390ab78e701658e35fbf3f5e64a8b128d4e41590602660db568d52fb6f07cb6d12ef55cea4fbc20aa8e3ba20cc3ce6d14d41b5f99d9931e662935b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 902169e46ea0b9c49a9a9f623c3efacc
SHA1 67fb9e265fc6ead84a6a844033f127997f29b7f3
SHA256 1efbebd25b5b04847b6b236dc802d2dbc85cefdcf608bc86aa345dd2c0d96610
SHA512 e6dcaba06a40655d3fef9636686eaf3027c26dab4fb6d8fb7e1de3418921fa7db0371054c7f476075368530cc78350593fcba5f808b8adad1328384178f0c709

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 b98c259f802c0d51adc240c2538ceab4
SHA1 30fe45b2568e7c0be9faa3bbfb3205edf44bca26
SHA256 65bbf5963cac5aace408b5bceeda44210941a3c6298146e9115f9cd0c4e08704
SHA512 eee9d06cc2dd5d836dbc7f06296ba7e4ff35ed0f561bc7df98c483c522691c1771edfd0bc98c1f322a689f31af66ccb53e36df191dea75fe56c585813cb4d07a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 acefaf199b334e9865e9569d7b7bcebb
SHA1 aff943966bb08242ec55234c6cf50025c1969742
SHA256 09ac0adcb93f155afb0ab9cb490adba67715c3738a09c99eee36e95caad7b883
SHA512 c3c9eda4331150b689634d0d01f1d0ea40d0662c03a1b8d0d64c64bc2612eca2aa1ab922f0c067efa637c640e32b99070672c087e7159c4b4eb4401abc917b7e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 a8e7d6fa04da512b6d4d204aa49456c4
SHA1 ecc114620f8b27c39d8d17d3a1efdd40081eed2b
SHA256 18d592e0633d0d666192b6d132c5455954fd14d71ec0ad3e290ffbb6e7c68cc0
SHA512 6ecfb5cce390d00bfea3d2432dd0b6d568c48279cb5e8919d8c1539c7a865eb02188bc579a3160b97d987aa07b160a82872a8b5707a71f9af11010471668d384

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 ce5137ccfe6b35c94855f2748720b708
SHA1 980b52657263bbca3a776628fb8b0440392c1c45
SHA256 b80daa960db204fd4d29619edf00d51481cb8e5f2dbc9ec6821ed256a476b282
SHA512 8ce860d5d7487a94ba73b61f3fe811aea6edb9a223285cda7f6d253168f0e236185cada87bfd4bf9a74a20499a996207ad56d8f3be711d37d2af74e5b05c5896

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 0d09110adfdbf401d1657e9bc80ac562
SHA1 090a5ba7ff67ede8dc30330291dd8ecdf00df5c1
SHA256 eb69df92587aba8ef7e61859201ad4be17bb7fc5aafe653518ada08190be6b38
SHA512 88c8839c69896121eec01d4a65f4b98d15862e46c5439bb22cb31b3eb7ed09b6b1c719fc524ee0af4ad9f89ff0a392c441146c0e09fab49a9a4bc4022425fab1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 04ac76b04a570e27a42377b9f54eee3d
SHA1 86bbf9b74227e99793dd0266e0cd0ba60b956855
SHA256 b946f4f72047ec9addf33aeabd809c3855285499c0fafa838fa87712ac18c061
SHA512 c6d5244612f4a01d6266ac41166f8964f5463d6b2460bcecc30f25f8e6569c683ff46929f11d80a988dfaf29e3cb300bafdd1f10d13311bde79430f5c829ea0f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 11ba6757fc9f99e7030c0b71d6511935
SHA1 07a922dffa327773fe5480581dd9bc47bf5ac36c
SHA256 d7fd25c650ebbc04950a129ca536c74db3fdb0e3a44bd2080ba77fe16123e4c6
SHA512 9a1e73dba3b01e1a3d1deeec45d6d4849ff78e3693531d761c66ebff5e02134e2bf3dc3c578ad585186a9f644dcb067280a3a5b16d8dd660f81d446162e1a896

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 2a1aa148a1425a7bfe870ef1d92171c9
SHA1 fef2fc7e364a517163d119dd757a41c8fa88327b
SHA256 7fc95bf89953e5a35d02f1baefe820c6c250cba9a62f1a4628e1000d393e015d
SHA512 7626c34c5c4c361082204416b8cd3a8b1d2f0b86cd882e6ac01ee9a3ce9e1715601e0a67e9821bec80ffdd89994270d22299541f9bd4b40aef20f251bb8adebd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 c325916d81888861c1e9e603ab2ad3fb
SHA1 edd10cfaf4cdd451d6a63182677e3628588a0baa
SHA256 fed5cfd966cf573d1a060e4326f6d2756c3fa904401bbc55350c8cbf3673a0ab
SHA512 95f72f60bdbd383bec8c275fafed8b4616aa384eea37050c064661a79383bf7211f4246d7349a21aeba531d5c5a09c3e6afc7a8efdd504471c3fc2448da19c97

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 e0d71aa45d8b96e3a368ee56b58d8aa7
SHA1 7be94a3cece1fb29dd68a3c4843229eb26e41da9
SHA256 98c5133b4ae052532210756f384f47e871cfc18198d513e744f96dfe541a5c34
SHA512 d99fd78ea4340ce751d290386b3dc06939fb550479321e476ddbe107da18572ae88fc5307529c77952e60c78eccc76fd4270d133babe7fa9a16895ca885257e5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 38c19a7353d31ad313af1d0128bd7f89
SHA1 a0136606d229eb3097d85bf17653ffd30c68b848
SHA256 7f81af5bfc7a15b2179bc6ed61c66a0c235c7d7151eae52632870db2dcd3b1a7
SHA512 b324e4f3f4294b3934effd6a8c6e450237f3ab0f4656a52e4a0e9ca522b5971856b1a739dbe22757889034413775b7998219286b7d49163fc060b7d3d1da8c70

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 8aa2f9492d8eb45d8c6036cc223fcb3d
SHA1 b4f0b09f5ed0a40cdfd005120275d511bb8a3208
SHA256 cb4b421291293430988652133efa15559ba4ffe6caeb9b2fe17d81e522fa2b26
SHA512 1e8056e77992e83c8096125a17ac41ef1ee2461a547296ac00847d3335364c713f35e7f1a1540d284894ab870d2fa7be363980fbb14bbdcea68e954a5fae1e03

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 12fe90b089529e95e424f188e2bcbc70
SHA1 7e21b101fd69cff1f567333adb7d7bf8005394ef
SHA256 f32b32b90bdc84b698722756b8572e44fca2cbf389ddb7090866e0952f98b674
SHA512 54312b2672f6f398201aa4110410a2e8730d3ade8f681f3c82003afd1ebf8463e04e13bf23e3a3a8efe0298989b1bdcf3eb6a7e2965188987df1ad8bb64c0211

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 55bd3df21a11d11e09af3df9a615f227
SHA1 82f7f35db67aba1535418f7d271d88568ed570c0
SHA256 626df36652af0c41d3b34381418e1d85af1d01db41da75a4bdcc8937986fef9a
SHA512 f19f0aa7155cc4ae2410c38f0901355a1e54cbe8ed30076e45d18884d85f5d50d285c29e692be778338105f4f477b6870d3eb1fd693e1758b1a32aae5bfa7993

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 37fb9982a8572fc6602b0f2546e11d42
SHA1 1a51a69be2b72efb1cacce875a82187beacc8577
SHA256 d964904f63b1d6e1a519ff6f985509235f5f71c7b3ff7a5690e6336c6ec7bde5
SHA512 0d1c340a3b66bbe5ea268022aa92f261459d30b9638211c036e6474c502e9df90c21cbb926b242570182980078701bc57659a6f130903620908a5a3aa72a4455

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 50f7ee2c37fffb3ed2b0f44e42c1bcba
SHA1 da951bad9dc6b818186034c9909dedae266b6e85
SHA256 852c59d38f6a9438dd3de8893f2f2379d5c59c8761317440fb3a22034f7fe692
SHA512 7c6eef81b17be3af3bca101b2aef57570462ae09894906cb1bc3f0812e5df8bf1bee3391dfba271e5a71a293774e3b2ee63f33a3918568a0f707a8e3217256d3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 8f9cd667eb7a1b4cda98e89c891508b2
SHA1 235c239d13cb6b339588364ea5a4b5e4174c7004
SHA256 0e2456a1d826a003e1e11f04641b7382c0d15897626f274f8870261fef6b4358
SHA512 30cf5a6733d334bf3597c4386698553c4594446a55c0c05ccd7a2747b30bf693003e7218fe4a91091f3bb81d9381b7f7075a52051eef1974420b19032f319fb9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 0121ed6ed07b2058976b05d4c4b5765e
SHA1 06dd7717b8479b82047c1cdd8262023c8289a130
SHA256 0aa2a6bb23a952b03da037e0a69b061980944e214a88fddf3fbf2b2067ea0e54
SHA512 9dfb578f0ae717a19d9e3c8019aaa9e164af4c8a6a10a6fe303b16ea930a7ddb04b2b06dd52aa9572120d2d5b5072fb8ded236e4f01e4b2347bde30f8c7c8cb7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 a304ac442176c8858138b545802b4a3f
SHA1 e7ce19978f6858bb93ef5c6674f8e1e666626809
SHA256 6cff2618265f21da566e536e5cddf1d515df329e54503befe99f11f971cb4904
SHA512 031bb4127c00d09b02570e9c5c73de3efdd5557799861aceb957ff3806df07e8d6be23c71ed367d17b1a0f688bb5d3fb1d5b68d0b0727ebb6478698b80050d87

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 152e1074c6f0ddb236067c92e1922577
SHA1 2486e182e25c582fea17e5db1fb721577b3bcdff
SHA256 227dd17e4409ef725758a9ebafa6df5fbdf082a672e5b957163c42bb706c5be0
SHA512 6e5f7a1251ead05a332f792e7262d76a60bfaf057e52d32e2dfa96b1375ab12e037fd2bddc5ed624ce979c44e3a4531e70c8cc0050e871ceefcc314f5240e156

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 9f3b99216eb36a6253533bdf164d0db5
SHA1 94dafa2ceb511b7b1b64554db97e09c06b111467
SHA256 b9ecf0a61809ec61d7d72083e4d4eb53362d8072006973aceacb3f36e62dd585
SHA512 469952595c61380d67b4994d6d348d0333bc70f348765cdfcb85691ba4ab2f197c12f382337120f169d03656c018619c64c768318fca6afe140ff5d411484fa0

C:\Users\Admin\AppData\Local\Temp\eogq.exe

MD5 c708cef52a72160d80d412973df37ec5
SHA1 ecbe581d4b8f02dc12f079f44c7f2f9da4061046
SHA256 9b0c331fff46003acea6f1d7106a94e5301e892834420f85f169f604eef3cac6
SHA512 6ddfe03ffcb3571b54783e16b29e82cd76e1ae73ea587fd5ee1728f302fd8c4012901897a93dd816b83f6f83644249d5a4c9d1d97756e793c08eeb976a75b5c7

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 1cc1086baeb9f0a0ba0b47f257fb462d
SHA1 40f86fdcdfae0731ad6e69b66f8de6f6a85bb9e5
SHA256 6ad57ba73c8c264e0d37f27cc9388c3a20e14fa3420aab1c3af2f10f975f5344
SHA512 357f2560b69e0756089cd554d3b310146f93c42e7077ad570628be1630fe63632c0ab49271b067e0eee8dff7f3ee7918555dc984ecb98a902c0db761555da643

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 f422a3376c7dd9db1c3c413ed291bbb0
SHA1 0bdb5a568645ea9ed8539be932dd94b026f6e366
SHA256 761152980756a6d1452da36cb9fe2a0a891db5263824be50633f9fcb1f90f84d
SHA512 ec8de2fb99788961b99cd258686c095e7cedcde90e6321d4d8e724a2b125b4a5be32cd83c719776c4e63756cf7f729c73d6268f9a1f8e376e90a7bc4d62c849d

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 57bd4abcc71aad01840cd9498a621104
SHA1 1fa83dd7f011280685f6a66c3a7698319c86b980
SHA256 41d49643ceb86a75c06d7df0dd12cd77d7ac47106b918c3cae1b8865005bd83e
SHA512 802b712b3c45b05c4849d2da6913264ed68782577fe1f37f4d8fb2b72da8e75a3ff162b46c5c93283e43e2db5ca1294e7d04770803f4e0c924b6e526e6f10c6e

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 0cedee9f3495d82330f7b327750db99b
SHA1 03e6dd6929a3362cdd1903900dcaf21c08f8a9f3
SHA256 49df5007114778a814f50c1f8b730c4b12221b1c0db3c2fbbed5ec28ab99a656
SHA512 d49a684229edb7ae845738addfe8b3e9a917293205284e934266033b9c4cc35c55e1b347bfd6d03e6dc4d967c7d0c14005a643e9f680922dcfb8cdef43e9f8d4

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 9e0d79e3859f8de4e527c4e646aea1bc
SHA1 5a059ff181c17271e486bf80a3ee2272fba2b2e8
SHA256 b8450d4f8e2e139ed65cd6859425ef5821a57529c26671270c651684a6068f22
SHA512 7a690803f1b28b9e33d0bf8b7e0efa7e21be5aab31da3bb4fc07eec7ffb40adbb8a4ba64aa48989171a8c955971002e7c3f58e0edb33f29524d6e24a2d482b77

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 96a2f69ca4016d095346dbb633e4a53e
SHA1 a31655aa3434b2b9e7cdeeac029af280052d4e12
SHA256 0f83b92e21732da44cfe96627d07cf9a0187d897d6cf260394bf1a7f390f1b93
SHA512 735ecd9c441c0dfd6f12e6cfdb7de9b17a2d1c1f8d6ddae735054fe95e61dda61dd5f6dc30d4db0eb45f4867ec14f82021674ac45dd0c771739b37b6c667664f

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 cc8bad809d3a099dfdd5a119fbe230c0
SHA1 813aed7deb1ecd7a87028e2147ee467a44532300
SHA256 f1a5bae1d027acb366c8bbffdcc7a29e1d153fc6161a4299cf42856566728455
SHA512 fff9b77e66d8c5f50c1899785762ddf0e217d9a047786cdea8095e1e215bb7c7452e66dccbabb40de03d580a94d9a14602c6d45e05dba1293db528c24bdf5108

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 61a5f096155f725efd0990f8dd761457
SHA1 e341aff4c02430d74534f6eefc7d89d62c201aed
SHA256 4b7dac775543ba00110e7e08afdebd247dc3ae9a72d23525d9bad3e09259eaea
SHA512 7409ed082cf5e343307397ac67c57a0cbc04b0cf8f06b0013f35a60c5223f0d01335abe78ce555b4037803c74c7234ed20a8ac04a89b92171e3301eb1c33ab29

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:13

Reported

2024-06-13 04:15

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\ProgramData\uuIkEEgA\xwcoUMkc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guogccIQ.exe = "C:\\Users\\Admin\\MqgUUkcE\\guogccIQ.exe" C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xwcoUMkc.exe = "C:\\ProgramData\\uuIkEEgA\\xwcoUMkc.exe" C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guogccIQ.exe = "C:\\Users\\Admin\\MqgUUkcE\\guogccIQ.exe" C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xwcoUMkc.exe = "C:\\ProgramData\\uuIkEEgA\\xwcoUMkc.exe" C:\ProgramData\uuIkEEgA\xwcoUMkc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
N/A N/A C:\Users\Admin\MqgUUkcE\guogccIQ.exe N/A
(identical row repeated 58 times)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
(identical row repeated 3 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4912 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Users\Admin\MqgUUkcE\guogccIQ.exe
PID 4912 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\ProgramData\uuIkEEgA\xwcoUMkc.exe
PID 4912 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\reg.exe
PID 4912 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\reg.exe
PID 4912 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
(each row was recorded 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe"

C:\Users\Admin\MqgUUkcE\guogccIQ.exe

"C:\Users\Admin\MqgUUkcE\guogccIQ.exe"

C:\ProgramData\uuIkEEgA\xwcoUMkc.exe

"C:\ProgramData\uuIkEEgA\xwcoUMkc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
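The three reg.exe command lines above are the substance of the "Modifies visibility of file extensions in Explorer" and "UAC bypass" signatures: HideFileExt=1 makes Explorer hide the extension of registered types (so the .png.exe files listed under Files display as plain .png), Hidden=2 stops Explorer showing hidden files, and EnableLUA=0 switches UAC off machine-wide after the next restart. The script below is an added example, not sandbox output or the sample's code: it takes the command lines copied from this Processes section as constructed input and turns each reg add and cmd.exe /c launch into a finding. The watched-value table, the summary wording and the ATT&CK technique IDs are the author's own mapping; reg.exe accepts its switches in any order (the report shows both "/f /v ... /t ... /d" and "/v ... /d ... /t ... /f"), which is why the parser does not assume one.

```python
"""Classify the process command lines from the behavioral1 run.

Added example; the command lines are copied from the report, the rules
that classify them are the author's own and not the sandbox's signatures.
"""
import re
from dataclasses import dataclass

# Constructed input: the command lines listed under Processes in this report.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5d74812a0c8d971cfdd9374620ac17e0_NeikiAnalytics.exe"',
    r'"C:\Users\Admin\MqgUUkcE\guogccIQ.exe"',
    r'"C:\ProgramData\uuIkEEgA\xwcoUMkc.exe"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
]

# (key, value name) -> {data written: (meaning, ATT&CK technique)}; author's mapping.
WATCHED_VALUES = {
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"): {
        "1": ("Explorer hides extensions of registered file types", "T1112"),
    },
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden"): {
        "2": ("Explorer does not show hidden files and folders", "T1112"),
    },
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua"): {
        "0": ("UAC disabled machine-wide, effective after restart", "T1112"),
    },
}

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


@dataclass
class Finding:
    cmdline: str
    summary: str
    technique: str


def parse_reg_add(cmdline):
    """Return (key, value name, data) for a 'reg add' command line, else None.

    Switches are collected in any order, the way reg.exe accepts them;
    /f takes no argument and is skipped.
    """
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe"):
        return None
    if tokens[1].lower() != "add":
        return None
    key, opts, i = tokens[2], {}, 3
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return key, opts.get("/v"), opts.get("/d")


def classify(cmdline):
    """Return a Finding for a command line worth reporting, or None."""
    parsed = parse_reg_add(cmdline)
    if parsed:
        key, name, data = parsed
        if name is None:
            return None
        meanings = WATCHED_VALUES.get((key.lower(), name.lower()))
        if meanings and data in meanings:
            summary, technique = meanings[data]
            return Finding(cmdline, f"{name}={data}: {summary}", technique)
        return None
    tokens = cmdline.split()
    exe = tokens[0].strip('"').lower() if tokens else ""
    # cmd.exe /c <something in %TEMP%>: a dropped file being launched via the shell.
    if exe.endswith("cmd.exe") and "/c" in (t.lower() for t in tokens[1:]):
        target = tokens[-1].strip('"')
        if TEMP_RE.search(target):
            return Finding(cmdline, f"cmd.exe /c launches dropped file {target}", "T1059.003")
    return None


def triage(cmdlines):
    """Findings for every command line, in the order the processes are listed."""
    return [f for f in map(classify, cmdlines) if f]


if __name__ == "__main__":
    for finding in triage(PROCESS_CMDLINES):
        print(f"[{finding.technique}] {finding.summary}")
```

Run against the eight command lines it yields four findings: the cmd.exe launch of setup.exe from %TEMP% and the three registry writes. The same parser can be pointed at Sysmon event 1 or 4688 command-line fields, where a reg add touching these values is a cheap high-signal alert.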

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 - tcp (listed twice)
US 8.8.8.8:53 google.com udp
BO 200.119.204.12:9999 - tcp (listed twice)
BO 190.186.45.170:9999 - tcp (listed twice)
US 52.111.227.11:443 - tcp
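The Files section that follows shows three path shapes worth turning into hunting rules: the two droppers under an eight-letter directory with an eight-letter name (C:\Users\Admin\MqgUUkcE\guogccIQ.exe, C:\ProgramData\uuIkEEgA\xwcoUMkc.exe), the four-letter .exe and .ico drops in %TEMP%, and existing images renamed to .png.exe or .gif.exe, which is the "Renames multiple (78) files with added filename extension" signature. Because the sample also sets HideFileExt=1, Explorer shows those renamed files without the trailing .exe. The script below is an added example, not part of the report: it takes a constructed subset of the listed paths as input, sorts them into those three categories, and computes the name a user would see. The regexes, the decoy-extension list and the category names are the author's assumptions about which parts of these names generalise.

```python
"""Hunting rules derived from the file paths in this report.

Added example, not sandbox output. The paths are copied from the Files
section; the patterns and categories below are the author's own.
"""
import ntpath
import re
from collections import Counter

# Constructed input: a subset of the paths listed under Files.
SAMPLE_PATHS = [
    r"C:\Users\Admin\MqgUUkcE\guogccIQ.exe",
    r"C:\ProgramData\uuIkEEgA\xwcoUMkc.exe",
    r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
    r"C:\Users\Admin\AppData\Local\Temp\WUgG.exe",
    r"C:\Users\Admin\AppData\Local\Temp\qYYa.ico",
    r"C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe",
    r"C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe",
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe",
    r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe",
    r"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe",
]

# Extensions a user does not expect to be executable (author's list).
DECOY_EXTS = {"png", "gif", "jpg", "jpeg", "bmp", "ico", "txt", "pdf", "doc", "docx"}

# <profile or ProgramData>\<8 letters>\<8 letters>.exe, the dropper layout in this run.
RANDOM_DROPPER_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+|ProgramData)\\[A-Za-z]{8}\\[A-Za-z]{8}\.exe$")
# Four-letter names written to %TEMP% during the run.
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.(?:exe|ico)$", re.I)


def displayed_name(path):
    """Name as Explorer shows it once HideFileExt=1 is set: the final
    extension is hidden, so 'background.png.exe' reads 'background.png'."""
    return ntpath.splitext(ntpath.basename(path))[0]


def decoy_extension(path):
    """Inner extension of a '<name>.<decoy>.exe' file name, else None."""
    m = re.fullmatch(r".+\.([A-Za-z0-9]+)\.exe", ntpath.basename(path), re.I)
    if m and m.group(1).lower() in DECOY_EXTS:
        return m.group(1).lower()
    return None


def classify_path(path):
    """One of: disguised, random_dropper, temp_drop, other."""
    if decoy_extension(path):
        return "disguised"
    if RANDOM_DROPPER_RE.match(path):
        return "random_dropper"
    if TEMP_DROP_RE.search(path):
        return "temp_drop"
    return "other"


def triage_paths(paths):
    """Group paths by category, preserving the report's order within each."""
    groups = {"disguised": [], "random_dropper": [], "temp_drop": [], "other": []}
    for p in paths:
        groups[classify_path(p)].append(p)
    return groups


def decoy_extension_counts(paths):
    """How many renamed files per original extension."""
    return Counter(e for e in map(decoy_extension, paths) if e)


if __name__ == "__main__":
    for category, paths in triage_paths(SAMPLE_PATHS).items():
        print(f"== {category} ({len(paths)})")
        for p in paths:
            shown = f"  shown as: {displayed_name(p)}" if category == "disguised" else ""
            print(f"  {p}{shown}")
    print(dict(decoy_extension_counts(SAMPLE_PATHS)))
```

The regexes are deliberately tight to this run's naming (eight letters, four letters); when hunting across a fleet, loosen the lengths only after checking the false-positive rate, since legitimate installers also use random directory names under ProgramData.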

Files

memory/4912-0-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\MqgUUkcE\guogccIQ.exe

MD5 f8b51453db4d8845ef51b6970d047ed7
SHA1 6dd5ed5cb0fe3935ef91e963eb4508adeb9729e8
SHA256 1c155101cbb3a463947b3f3cf2b2a04a0442eccea1114aee590ed940abeb19d0
SHA512 66d7989b0a61dfaa0c083df3cdd07e7f0112a5b8981d4aa68947f0638100d4970b494e9ab39bb198d42e0b54875f2788cd0a7dee4150ac9104fa4a6c049c51f6

memory/4444-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\uuIkEEgA\xwcoUMkc.exe

MD5 9284a9e682a914303cf287357a6eaff9
SHA1 cd284148e3d24cfc6a39e53d0aa840b67799b4a1
SHA256 8ce6a0ce13d44ee2674d8a1137d73e34146d812e798c2f4cdf4f65296d74ec27
SHA512 eb3516bfc26c818981111589ea640d41ef6ac5d93926baef533078765480d800f03059d55e4f313e58601502f572848ed2bd30a7d550eafb4b043ab52cc8a651

memory/1776-14-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

memory/4912-17-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WUgG.exe

MD5 28a494637ce8293740c74be5236f4206
SHA1 58142633b21ff834e491716a8b0a76a12a6e90e2
SHA256 932db70cbf19da26a66461bab26d2d4fcae4c66afbe00a83e8880fe92969dff2
SHA512 17ff21ddee7a15434e180bc853e578a7321179086f509e5a42d788da3febd410a67b67f92ea36ea6ae076f162a28227ee71a85c5282000af9e8dafc52026f79f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d10f26f4c65f1e09578e0bec166c77ff
SHA1 4b181a449bf92dd35ab4004e33841e8ab6e83bdb
SHA256 6425f416ad12237fa4c829e56c04333caf054c10ec9e137992594ce6209859cc
SHA512 5ed667b888521fe137df1610f2dc8071189ca82c6d11dbf33898d69398ad793f4b1a316a025dfb127259a14671baedbf6b50699f5539a4c0b2868ac19f9e4c18

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 f8de840ec62d620885d1c33cc43e1790
SHA1 99b72a087a1c50164537721d895c6106649248e2
SHA256 99ee39b2aa41fadd5daf43a9e07c8f3b4eed1153384afd159394d244a2587093
SHA512 25a8ae832658b5477173a8d93d4b081037da9e01ebdb857f19241a37b916c068887f06620a17ea5f2fe0586266502a8893fdbfa9c2a673d60cbd5f7be6c9530d

C:\Users\Admin\AppData\Local\Temp\qYYa.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 f2f23bdbe33946aae6a1a4f334747d04
SHA1 699f661ef1db02c31c195bce3a616d33faa2e8c5
SHA256 13db08585bc7e3742a658d1346dbf5a4aa2d8935491da5e68238803c849cd7ee
SHA512 303f92d50dd883188a77badba9548255d41ed4151959ab40c0e6389dce45df4e48cc74750eff22ac7db1d5b663ceaba55e6a1b56fef6dd61471c8e634484491d

C:\Users\Admin\AppData\Local\Temp\YcYC.exe

MD5 8f5289d5a9e274b63fddf822014592a8
SHA1 3038894f4a16033d302c016566f6fed084e1d391
SHA256 2b62d7c4c31088f1e775342061124d9514cbbac74fbab25751daaa7c8e15b04e
SHA512 aa3687cd0229f98e9eb7110ce51e3f405ec1b6f0145d19cf3469f69d402d80b3824248bd357ae359a21e8b24e18fdf485491b88ccef261a2594bee15638db541

C:\Users\Admin\AppData\Local\Temp\kEMc.exe

MD5 9193bfe1107be71d2e7594121100f6da
SHA1 60a7f69a9cce67671adf183f443ede4ba61a4176
SHA256 59f3eb5ce87455a912ebdca038c0c3e8e17e18f74be1ba03767ea389e1891c44
SHA512 8aff2472e2f98e896e480ff54364f8289e84788bbd6b4b9cc4a54f6b63f39f816a4be9f5b843e9bd913ba4a1da4814ef2999e296e5198fd5287f3bfefc3f91d7

C:\Users\Admin\AppData\Local\Temp\OIUI.exe

MD5 73a9cf6bb8a56667221e71ec7a7649f9
SHA1 9f6c965ca82d1360cac2432c6aff08221728ec48
SHA256 6fb41f047a8b83ce2a0199e0159eab139870e9501071ddd9634b2542d26ce610
SHA512 00834d0d8b696ae28476c20eff2a195babdfab2179836cbbe71fa4a2cef7f6c1050cf76e81d501cfedc9e9eb23e53df843364211163e3dbee60b9e4b79ab99f4

C:\Users\Admin\AppData\Local\Temp\OgQS.exe

MD5 8d077e6715e51e3d50693fd63733bf01
SHA1 95d78a53185abab0260e1317c4a48b0516cd55b5
SHA256 2cd07ecaddf3a94158f19cbb2ff1a2f3db74a0a0763e07de5d44752da164b36f
SHA512 fd920e2170b429c294b5da5e1b93b501a5366c3154e4597585b9a2368ee64b1892153ec87c49819a0d078741edac212c770992637a1d1648f608bdca76489d78

C:\Users\Admin\AppData\Local\Temp\gsUe.exe

MD5 bfb30b5df0d1aa95f91a0448dcdede6b
SHA1 41974549e6de036fba341ffaf713fdf20404f763
SHA256 c753b21da1bd8b52e0e123f1faed512fe00cd4ddfe710e61887a62c1ae640d56
SHA512 ec4c4ae2dd2d61c5f64c5e697398d29de02311e72033346f0c4cd72191217105b6e3f835d073ab30e3d4fd5e1675865e16032bb0917f5271b9b12eeeae011af0

C:\Users\Admin\AppData\Local\Temp\SEYI.exe

MD5 de61940e50e52119dcbfb0b462ef32bf
SHA1 431102dc90b90847279555a83fcfdb24779f3d1f
SHA256 b8e0ff8bc5442f2c2e4afc019e75862efe0e62620bf3804c843eae3d41f394c3
SHA512 10463134e4e531959f2c5f837006224c0395493f07eaaece7dfadbddc8d172030a0a73c6f9e99835c03414a8098f1022759e4009474244070a56542ebe71e587

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 cb26f2f775d2f2dc1e184ddfbde79185
SHA1 004a2c01a339aa90e185f47440abdf4883a7badb
SHA256 f2689dff52e1cdc95324855393e5d2da27c99478d96adc269544fa23c0538910
SHA512 133d8ff185d886d4eeaca842f6a934f98075791991c8908f6b7175f3351cf805dafc880aa3f4e85448c6a4cd826f2111cb3ee1baa97f250750b65c13c4979015

C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

MD5 90fc7a46a35fc941b50813a0feac6fb2
SHA1 eb22808b02f59d94ee70a4af20f78aa4040f1bf9
SHA256 910b7a7cbf0bb20082dc0dbdad290e352982086fd0615e6bfd99b793fbcbbc92
SHA512 dd23d9618e1340ed18776f5751b94ef811a72045cd112bca857dcdb087a26d5652b6863b87bb03dceee6c79622f637212ff5c79d962cd62b4e0afa89342481df

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 b904f3e5d687365c8de1073c48d02d92
SHA1 4c07d859ae7696a1215118e9cd76f0f334328f02
SHA256 ee3133030514160afa1f65aa6617a9a00cc9c7da92f8a7adb261760c376e5f9e
SHA512 9371ab7c9397e7135e4d83f8ff8dd4668f1561064fc6c1aef0937b4a482e8479bcd03c394d5723ccb0d3566991f165c5463043f91504e9de904fa939c141ed29

C:\Users\Admin\AppData\Local\Temp\QAAu.exe

MD5 1209812f9e763db119f8b15d218d5d09
SHA1 b4d2293f04d2986209bb8b75af3631c167755ad0
SHA256 7019ba381dd6fa569f59b3bf2326e3eab590d101a462cbe0859dc621ea512bc6
SHA512 8bc5a132c5f320c269df8773551b8373e018afadcaf4838e896b561258a64d5cdfa33d085792568a079dde3cf573c2ebf21c0e7aa6e281f7f932253f1f058962

C:\Users\Admin\AppData\Local\Temp\ywkk.exe

MD5 26e25ffc6299676f66268fdb3a29ef16
SHA1 cbb9b431a1ea152014d6b5167324bf096aa54835
SHA256 ea5f5a44593b454100735f26dd727bbd7f2eccff0c7fb9e8e69840d92860dbfb
SHA512 5cf6fd52d2c5da5768cfed05eeb891048b355430a60ebae14ffd2a0968e7511681285c5679f8bb01f13ad0b0b359bfecd1f69091eaafe19c685d3e60ce05e76d

C:\Users\Admin\AppData\Local\Temp\mgAU.exe

MD5 d1d22c95352b91603d75106f739b3e80
SHA1 53166c5f816016235cbebbf19d2378bb47efa93f
SHA256 b84147ddb7726846a598e4d0817d686dcd1f1122f1905b8194be9407f714fbf9
SHA512 a33c755dde7f51544b3c9a86b9ea1e053d96196ff07985bc2353b236054f6c91761ceac175c974f66a3f00bd76643afec07e33e96ec7334c51f176892b3d7b5e

C:\Users\Admin\AppData\Local\Temp\Wsca.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 d1d892dee75de28581dd570d2b84386f
SHA1 ecbb3023b3707c76655c23408c6de7a56eab941e
SHA256 74425da8d1896c96c1850fad9073b1203cafcbe8efedcbbe1ac8f8be68520130
SHA512 b8c08574fb787284419f4e2b17be6fb6b0fbebe943a32eb4b25f04c5ce09a68ee113919c8451684d0a4ca7aed85908ca6ec7844c6e8d220594bdb53befa732c6

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 251a4b8a7cf656f36a27e859e7dc361e
SHA1 197f7fa16d3a19f92ec0b6726e91c8977ded6edb
SHA256 0f619ebf2c78984a8a00ef6342ffd3f58ae8db09c4cceb761f4a626d806cf750
SHA512 73a1fe9eb76d3b07be08d5b3e50de8d59ed346803e2cce5d3707bb9005bd1ebd603af8fcfa60a98fe30885872f68b3f01ef7191d3d8be65396e41058e761e286

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 0ef52668665bb0cd2089ae0e6354458f
SHA1 4f8aa0bbdf73f089acda6dd479c7b5facce99af9
SHA256 19508f85e222bf05b14d940ba2a82f5f0d98efd328d59f9fbaa592af34613fea
SHA512 894404dc5de6b3f3db85acde7bcd0fc9b2c08bee90e05c9189aca507c8cdafad4b14b610514cb2cfa69073256c9f963625e2a7710edb77a1d27ccf7ff0ec841c

C:\Users\Admin\AppData\Local\Temp\KAsa.exe

MD5 36571480eacf801958b10f1ef8dde284
SHA1 77d3e87eaa66dfc3876748e6916ff00d4b2ea106
SHA256 c4558705052693a5eb99a41903eb61448b8d482cf5a3bf0723d7ec1cf515cd20
SHA512 86e303ca0db5d4bbb9d5630e68f6a527acf99c01f109f7ca7d487aceaa139ef45d71d7e9376f1c171aae4c7088e34097349a20a5d62a9cc1292a816b15d62f23

C:\Users\Admin\AppData\Local\Temp\wwUc.exe

MD5 266e17a83ec533b4a5dc310f133c6dd1
SHA1 7e2e0284690cc1ece350662e10a5271290100e74
SHA256 6ed557fd311663206336f461c0b5ccc51d378361d3dbbb00a17d963751839e0d
SHA512 f978ab1af5db459706b69b33b940ee71a6974cfcdff1880dbd34cc432a05b99726928f25f3ef297c65e6f3db1d2c3843e307d65b5dfa014197da0b162504225b

C:\Users\Admin\AppData\Local\Temp\GYEG.exe

MD5 e02f025c0bdea9021bae4e6e8211179d
SHA1 91bac45c908e9a27c5c78e1aaa1b9a29e662087d
SHA256 208cc04deb30fd9fd39f59b858f68ddec3317b8968e77e28a52ddb195c348b12
SHA512 60d04a7ed90864e28b2352a17729a4151f048327c89a652a2bbf6ab9a4af91ea2f584ed693d3812b39d860b7391abda46a5534fb48840e53e84caaa991e62f12

C:\Users\Admin\AppData\Local\Temp\ookm.exe

MD5 15eda9e7de675ceaba48f83d43ac6869
SHA1 3fc21e182b6ee4cb334c4aa7f6b2f4b19cb6f12d
SHA256 32cf9890b3c4d891356905bce2c3dc71d85179a1d133c558fd02eec6f8a58fc2
SHA512 5a974faff431ae4c996878db6f503a0a156791525eed85d0e3bc775a4fafe9bf85486bdd83ca3a60c3411849ec2a24f747692e13473c10e5dab0c490ac6f887b

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 78e8b51baec47b1239b107c6d21ed1c3
SHA1 fe1a99c5a4d4d37be57d10028d9757ef362252ae
SHA256 ec832d591d73f9065d64cf7e4acb9e0662f19598663acde7b6b5c4ee1550e569
SHA512 4b4a1afc24b3c7cd86ae2c277a5ce7e3b3c04f9845961066fe3b93262349bcd62eb61420167c4451c01ae43438f64f3d4d7242c9dc9d2683ce4994760159ba29

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe

MD5 941742552b658004f79037409b641eb1
SHA1 ed7168179304bc97723392642ac0fa5651c9ca2a
SHA256 cff0e2d73be05d55df76e6206acf7488d836af2510d49cf5cd5eaa8a10093531
SHA512 c3d046f9fb9f69ab88a17a3439fd23bb9c287e26d16d71d61667e48b4a168e335dedb25c8c13d812bef61932994c9796c0abab5981625b8e4d98b93c98796413

C:\Users\Admin\AppData\Local\Temp\aMkQ.exe

MD5 d1c5da874c99e85dd46a47b20805fe7e
SHA1 708c937987024dd22031381f4c312be0d1b54486
SHA256 be971d4580c7eb44b813239ef4f53b848db2c707a8f8725bf383cf14c1627a6f
SHA512 45a31e9e9512fe92120f29cb2fe74f0b66e4c900074e4b1c6060c2a727950495a5e2ac86936ff551dcefdbe6f5cf0b6c45f958b38c29dc5a5773ac2930a61b0e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 16dae9a66a7bbab2d02e297137bd38e4
SHA1 4b1e4fa4ba13980a96af16a95a8aff9889728125
SHA256 e2c775cd7f5fae5e54ee1f187698214908cf64b965da78fa92da7240d6d179e1
SHA512 847b75552177d3ecaf956dc2f470e353fd7401ad623734402d47101089e44077bda8eb997a98345cb44130354b60ef795416afe6d5c04fcbea347b15bd30da95

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 6e6747cf328c53d933f1add1887891d3
SHA1 407de501da8d67bf14618e165a49f58cecda0b83
SHA256 c143b8bafbac349474415029b675c3d1dbcdcd2c337ff62a154f8eeff23b56ad
SHA512 f3a45063916bd68492c4a95afc480e6f4930b849b42c886aed9bedd3c2eebe6d24f1323884c43b9e9efbfbe4001352f67ffa05e0c6d205c1a25c617bcd0b65e1

C:\Users\Admin\AppData\Local\Temp\qEQM.exe

MD5 a796a85cd6ae78968447f3ed2808d3ab
SHA1 46a63cc132c63fe8a1a14a2e1e023a6e2b6fa818
SHA256 ca01a321ad2c94e73ea90dc546a42034fb2a1d2a23b96c9d1501dbe78f293473
SHA512 2ed341efd294827b7651aca0fe049eae43569b5c03660b3fbb1a95884f6070281d06b15c58ea1f0d500420a670d3eaca7bb9dbc2db9c3ae1ac26514fd79d7763

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 dfcb5ce802c82da0d6425a59fec3a531
SHA1 ded06d09812b27dc5759561f6638b9742a14f71b
SHA256 0ddaa22cf843f0eb850d828735fda6ad521486198baa86f017a18a902c078c3e
SHA512 addd9c0f8daaae1b398cf286e56e390bd9ae0a6e2483b07a9b99478ed220b5699ccbc4290db2440bf18b7a07708b9372fdc87dde3aab797435ee2d3e5f01878a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 cd6df85b47042f1d81589de330078d8f
SHA1 9076d93c4bd9e5687d9ef1e7e77aa678fd39a229
SHA256 138b8cb65dcaa9802b3bf4175867d7c29574e4f014d77a0a05fa8d2ca8de1f10
SHA512 db5b1da3ae2fd6ee89218786e4ab3f50e7d60f2a76ce8a179aa4fc129620150fb65215d5a7443304e45f8fbc052a660610cdc216883046efd205092406e29a15

C:\Users\Admin\AppData\Local\Temp\SUsM.exe

MD5 ab79c50321cd70adf065c51b0d53d445
SHA1 64834a8d3758caf02fa3257f88e17464bc3aafa7
SHA256 daed2933dfa66fdc113eca5d32b1e582cd9e01128970d629da3517d7ee1e9540
SHA512 318a4489617ed0eeecad84e5c5fa4f000d14bcd9eee9d1a79dcd9fbfb59ae6220d951170a2ebc4a7e24f609d92046ed6a250aac739e7eb05575f0d4070a0dce4

C:\Users\Admin\AppData\Local\Temp\mgwk.exe

MD5 57bcc229f353bae877fe94e8e0c9fea5
SHA1 2995dd4f3ec016c4573c09e25c1fa3f0c4c918f7
SHA256 c2546fa5edd8714aeddaebceb5a2cd93aff9131542cc2cb53ca29327cfe2c81e
SHA512 9deadbd604e1078c18ec0f87ad0783c9a551274a0e280b69a0b91b42248be870450d62ffa301f71305aa663d09a7a4f323018ac27b12c001c7ad621a4613e848

C:\Users\Admin\AppData\Local\Temp\CwYw.exe

MD5 70a1e280605f994b2355ac6616396164
SHA1 087f9c1013bec739ce3e83ef643949d994b1cfef
SHA256 d345acd1a8d6e1a1825fa04d80d12f038442550e7458e99b43fca5665132599e
SHA512 6e2efd5ca1eb262b70e195a686955c6bcadcdd403ad3c7ff21a86b0e9f17356337f66ad2a987af0867c6220cf28e819f811db40cf72f1f7ca4a854413dc0f3c1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 a4fe7bcb8ab44211c388d22a4f407e10
SHA1 2c74136efaafcb4a5c0473c3e4cb652b2d11ba1a
SHA256 ce7b17b9cba248c31321f51290d2aeb49a53cfd6c8fbb93f281a8264b1be8e10
SHA512 d1cad272ff4a40793de247fa7820e769759cb437b5977574503bffab5232780b5416b2763740c1a56ae69e094ba1033fa9c60a5241f7b59ce5d3c09d4e6e756b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 c235c905305d45f592b193d0c1c9459a
SHA1 af2ca29ab4e1ff218b4bc338c0ad65f1181fa6b2
SHA256 e25e9884ebdb30cd41996fb37aeebe71d392d7566ed5f00352e148be0657b844
SHA512 d77163cd6b0ac68fb6732841f7cdf5f0be21e33052e8028d582ba0071958afc9ff6ceb407f18bddd4f0ab25aff51d1a214f7f618c497e9ec7079a8f1e7c5e20b

C:\Users\Admin\AppData\Local\Temp\OMAm.exe

MD5 e4224d89381abb60a99d6adee823ae06
SHA1 8e1bd23f6495957b0d3e470b1f63867b859834f9
SHA256 604fd5dadf348ca7d09b31b3ca1cc69d925947758eedf172edeb79b6dc0213ad
SHA512 3dda1814444917c3a8255ddac97c0337045a2fd6e64716ae4328e9800a5ac930ddd90537d182d26e6afb3be253d11a93c2f4227a794a5a3baaad0973eb3abcb6

C:\Users\Admin\AppData\Local\Temp\ScUe.exe

MD5 38aa755143b0b9c982e8584380142a84
SHA1 194ef40f3f2c5a8d586fa890f936624d7c5550de
SHA256 25fcf2e7e5918bd83a125ebb5d57a5a7499ee44b4cf903cf37e5b8430df93921
SHA512 cf0ea6053ad9d45241f285938c1f05f8be1d341bdca6ec5bdf2322f16e5b50854407a16adb184f42e681cc9c49898d7903e33680d56e3b919625f48bc09b7638

C:\Users\Admin\AppData\Local\Temp\AsAa.exe

MD5 dec7929bdfeb009b0a2c00338d5a326b
SHA1 297f60d1059b578250c4dc552c8b1fdce82adbdf
SHA256 9ac540f7ac769c8a638167e15d9e71be60cb62d4cc1e792ff4be5ca2c246fb04
SHA512 fb5c4d0e958ee5c87731104ba96fa3207a63d0886485cd6e44ebcfafd6072c237c46801529bbc8d549c77f968daf9e09443869ad550056e37986d554117a8995

C:\Users\Admin\AppData\Local\Temp\coYY.exe

MD5 c90e870a6224fd3135c7dbb7f9e6bcfd
SHA1 5429be3e06cb9df75c86003fca3d104eb75553bd
SHA256 4fb8e02cad6df663026e9df08d59d2506af7ad1bbff20abed7f90b1c1f51e663
SHA512 b256011f52b0160f5da18b686a7a383950bc1fc8bab6ad071eca83a9fa9202cc530ad9f79c26505c09684a99dd5614d3e8267c217ef684cc4c4bfca5cbc2c28a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 402d2b3d619de0379d81c965f8e784b0
SHA1 24243a5c4ceafe10d43b6fd507cb6b2d749d8abb
SHA256 3f6d71a8f20d5087155fc39596192ee2ce7a3fa2e08471836c63abd7c26a8d1e
SHA512 4fa511eaeee5660b1b04a497ab7393d38ecba9d814ce23528e055f2cd5c5d028df639bdf5835c2a09d4d04f739afaa4c33abe1cbc0c0d77334d9409280136a1f

C:\Users\Admin\AppData\Local\Temp\IsEw.exe

MD5 04f309f524bd5b3e2f2fb40acd7af33f
SHA1 25e093aadcfbb8f5a3dfd687336ab5888cf45849
SHA256 7c39d2d7066f41f79fb39a57461a1623a28ad45a54de373bb0b3ff78b17f7e3c
SHA512 d5112ae9a560d3fd150bd8a09d62fa13f89bdb300c84e6b12f05ee35f8ca5c45eae1be4bdc8f34371f7ed61445100108ad2c879b5cc97ccf15f00ea327e76846

C:\Users\Admin\AppData\Local\Temp\IQAK.exe

MD5 67ea56919f55357f0c42cc5d2f9d80a5
SHA1 36f27cc60bfc2b724a063b9d0badc17c04df893f
SHA256 3a68932cd68262c76e3e839fdc85c6ee79e56c180435927da4498ecd36808012
SHA512 de14387a99a1c6d36cc2629eb54cceaf55f489e78b86ec5f1fd8b2a8aec4886a8c3500669878ae4ae31c853b73af0d2a17eefce4d8ced0f49e469efffc07c7e4

C:\Users\Admin\AppData\Local\Temp\uQgg.exe

MD5 8c85c83b7274966954336ea4abde54fc
SHA1 10367bec2431ad86e95f096166b688a855d1bc8f
SHA256 f9e0d0a2ef214ae5578a5cf79b9dcd95a4a4ae281d761f6c50ed532c7f7c58be
SHA512 5a2ffe9eb014a3fa6536b1241cdafe8238da7799f0dee320c6b78cd19bc3c6956a593897653fa8087b86cf099f2231e1f1ff55de13e87095caf06a7fe8f4e4f7

C:\Users\Admin\AppData\Local\Temp\owUW.exe

MD5 0fe7d71b95d57dcf9fc396fe2738c3c5
SHA1 fc02b5afbd9f492dc65d27ebaa8cd72bd83114bc
SHA256 f0c97c7357daac2ae7f8005d19144f8d8e93e3b320fb28095df438183a84542e
SHA512 daeee0761381f41d7fe25d8505b0eb551f10aea4c1fa20c7f98e52c88041f186f2e0fbf613d8dff023eed51b12fdd42bd2fca4fe9deb199100cb0ef67b50f51b

C:\Users\Admin\AppData\Local\Temp\MEcm.exe

MD5 8bc1a5f716a683c11b372a2b7c6c8c00
SHA1 5d77951c6b4be306cb5065bcf2249049c5e11e1a
SHA256 27a3525fa6da8ebcd4fbde0d729365e947b74829378a9b1c83ca12a73c1391bc
SHA512 35fc1f7f4e34c04803d9ea3c77da4f433f0e480fc6990e8f1032ed27d2bcf3534f67370d6898c5e8c5ba461d9405630523f960571c4ade4d3d229b42546731aa

C:\Users\Admin\AppData\Local\Temp\yooI.exe

MD5 50cfd7451770049ba5da0b449936e4c9
SHA1 b684334aa9680716316836f6f7dae7d903478a5a
SHA256 82eb44ffd316f5d94394a2a41f00109fb79776d4b2398a2584e75d398274f142
SHA512 af9a36aabe0aae7e731a1654fbd46e74c48078198fac4dcf693dc1c803694a3cc68ddcd7669a86f3a6a5028b329c593037e59bfdc1deae97c157ad3913c08010

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

MD5 3f856499f0c0d85fe5dbf74c866b490c
SHA1 1e29271021ae5fbcd5fde27153e4be066ff780dd
SHA256 44480d2d6824944c1dffece44c9a2c8ee38da1cf93a7b99b3183eff11784ee39
SHA512 e76e6e48b95c31f4e78d08e2cd51293cd1977340e0f09cd9c10851c41680c346164f12b397181944b22f87058b3c033b3c2bae36d1848c112433459fe0963b2a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 7d22d4f66d35e7b774cdf333854f3002
SHA1 497423d09d245cc04a5c1e31f58d5594c7859dc1
SHA256 840568f3bb75aeaabcad8764659946165e65e81c06a54de640c5dc710a306c13
SHA512 622a2253a2de0eae4634efa53c3ff68ca2dd4265fa2745f5bcfc5c71dde154292d5aa68d22077536b76bef0f12bfc54fd54e5d1b03aa5d2af8d5ce3fe32a60f6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 3e935f2df96a488465195e7698d1ca53
SHA1 bb70fc973b95394b2fe0df366db9e5ac8a9288d1
SHA256 96283a0e6e86aa048b1d61c8a16f50d27e2d40e7efdc655aaf115322675cdacc
SHA512 c7b79afc1c62960d1654332e475e1c8c59e7fc1d596cac31ba823ec6e92306dc8ac1e94a756519067d122d268ebbbcc0477226b9f01e887e1611a129944112f6

C:\Users\Admin\AppData\Local\Temp\aYQg.exe

MD5 e1ad7434bb3f760912e496e62b223fd4
SHA1 29dd985c3e7edbdf40b58192c9a695aff9545828
SHA256 a5c8833bdb7c11b694caab042ebf5ee224506336d7efb6288a77adfc848fe31e
SHA512 7848168f4d867a9d174568a626f442b8d7474f0c8dc1219b5d5269c7c7d3759a1bf8b2bd290f96af897fe0c4f0a9a5ee78de48442e115cbeaf77d8f6b5991701

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 5630fd2c2827f0877483e22805563d48
SHA1 998856d6ea29e3588be7b994f03a04d6287061b9
SHA256 0ae92ff01040635bfcf8bd2caa546f0c4b3a08d2107e0708ecf79884320b79f3
SHA512 8535559c711b5a4775c9088dcd54098c6ddb547a7d526658dd50fb5c0064a13f58234e16be4a33e9c4dcab97d0bef4b19e47a67d5dbfd9ea2b00ce1b9cb7e54a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 8d4a8272b431556b77eb8f26f2703c01
SHA1 33f21b97186dd80b364a1cd858aa60c9a04853fe
SHA256 663de6bae71eb3e2e3dc2f2781317517d14fb4c450ecd3b5197d12494322339f
SHA512 7bc59548e3d8e515e810b798564d80275db3c5b2a313b194045600648104da9bc9649b49d1f7f1ce65bf6c61b2327345fd0516dab800af56a04647df5f7e70d1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 1cdb5b67d676ba451c8b52156d821b95
SHA1 c0b278a6c03f4c9cc90cef19fe5edcf41f45cbdb
SHA256 f3eba6eb945088c5b28038f58d7b5d222158807f1474f631d6f141ce5e71aefe
SHA512 20fba212c8fa0e9ee1efa7efdfdbdf93d789ea9e07b3638319057a667abccedaeefb40d7ec0736d4e61d8098898e7d068a66c00ef02f0f6fe764e07204594193

C:\Users\Admin\AppData\Local\Temp\CAIi.exe

MD5 1fb65e41bfa715e525ba5931015732be
SHA1 21b92bd9b9016e9f5dc5e70512a013c4ccee1344
SHA256 40ed1b06a614884650f71eb282ca377d860ab9357bb887fe6d1dad0f633bc1e5
SHA512 21a8ede346525b7440fb47bf310f103ecab905bbe8475788c8b2556271e17790ac4301857b40a8671d0e1b88eec04a7b445531f802092d328790b83a0c728ef2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 415eda2b076fb7eb6b138314dafdca61
SHA1 1ab9a7e6073f505223b3a062bf4586626dd1436f
SHA256 b3a05e4e5ee91611cd1697e711556d71a511833cc416a2fe835541a6c615fea2
SHA512 81e1e176d2d275f77ab1bce0f4051b34703f56bbe9c804a1b295d2a8c428d59cc4f77c20deb047f26c2599c23ea17c4b9bf46b94aecafb1f7fdd36409ab49d09

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

MD5 9ec47f1de1d65cd5cb465e744a03f59d
SHA1 5e96dc119c75012c277cac52e357a74ad121a9dd
SHA256 47e0b7e95c70abee86be7271372ef08e02bad1f2aa1b12447192a9f02c8d8078
SHA512 9161c1188eacb78f7c6e8cb7feab3a078bd755cdf720a2aad75a5001e9504044aab1333b0df9d3a7de5abd845fcef712b55ccf5347f61dca034797a88d059373

C:\Users\Admin\AppData\Local\Temp\QMcg.exe

MD5 9471b7efcee287c9df561310ac9cda60
SHA1 f026bb52ffa0a1c07f521f1c2e9fa3c6cfbe89d5
SHA256 fe837053e1c96715a22f833c0cb9742a5fac6e5737d43f8693fe42e3a4a65822
SHA512 091e5c280105ecde4676b48264f82c316f83b50bfd109c11316753f7baa82046b4fbc25cf11b2007e0eac192733aeffeb70f06b92ed9d0699b493cc7e45f65de

C:\Users\Admin\AppData\Local\Temp\aQEu.exe

MD5 1abc07a0e16ba0f6c93ced86202ca374
SHA1 469c3ff7ddcffca2dd08a90219c8e1b43d49e5c0
SHA256 75f895137e4967e8491a206d8e6ccd948f7e2703fd232a03660668028018881f
SHA512 a592f229134b75e1832dfbd091ed46be4b15bb8681dbfc15db7c86c663e646953ca8a25d86a4c10545f3fe8d4dfbe4b33cea19a5704183ad0be80b3bf1208c5b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 d66c0e58eaeac83a51d5a5f1d0f48d6e
SHA1 4596b5aa1d12db5e1197eaed15286dfa16d4fb6b
SHA256 6fc682c5bdf20321d2e040d0cee7c2b86bc142768edfa3c13a7325be04e3b427
SHA512 48203853362c16a161db4d342c5d7eeaa9fb1c6451bf7e861971cd50abdfef6d27dfae3479fc84b010ada9e582619ac9e102bb93fe101233c6279f130b3fe133

C:\Users\Admin\AppData\Local\Temp\OMsQ.exe

MD5 ff92118c0546a2d9bebfd3ac83ccf5db
SHA1 23e32da6e409fa781d6469df139348ed692948d2
SHA256 2f23fee3e7aaf7e831cbd6223f82f663da71615615ad4e1410b7c2ac46c39e2a
SHA512 620f0850ed267d0fcdbfc6fde49cedfd39ea71cd7de433351a473ec54f2386675a1daf1acd16754dfd60f01c0bea789c79ea60f1a5bea5370240e153d4773da0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 28a5b4158e649f0c51f4fb510c73a729
SHA1 b9847bbbc9335ffb6e58ec45295961b1c766ef8d
SHA256 f6e4fac63e6faffad68062d3903bda9bfecd80f0c39fa16ccf99b9dba96fbe8f
SHA512 c672b319cb3d266202c8315d7a88f548ba69d2b630d7d49b5296ace1ebd7bb9c84f7f3663824a5aeefa8afeff222d9a4cc6748c9d8f047399410b2a8982c01ed

C:\Users\Admin\AppData\Local\Temp\QEMo.exe

MD5 2b08f3f2fbbe2c8069e2a00d41ef0699
SHA1 5bf23fb5fc156ff7508d5f225b87a4548bd37209
SHA256 1ef8564f026b2afc93e07ec3ed8a99af914449f879431707ebf9b8877f8fd834
SHA512 edf7c39a6214b95c1b0c5439b0bcfe03d44a386785744cd980375cb07aac21a8b66c278e0d06451f740ac58a5b09e691043d667d323361521ff0123a1a64de90

C:\Users\Admin\AppData\Local\Temp\QgoC.exe

MD5 f34e34a75096ebca0e6c38bbbb4092ad
SHA1 5bc40fc9d7d8f49a3341548f420071b601355970
SHA256 9902e939244e1fd06effb7c77f0d9af857baf483393514ca7c57a64437972ff4
SHA512 472a97bf2904ab33db554138775e3c57db4cf5c00aaa44b6504f3d7ae97090ac5cfcd7e1b3c4b3201a71d7eb0e0a670b56e06484859ff80d67a0938148199d2a

C:\Users\Admin\AppData\Local\Temp\OMoq.exe

MD5 17e9078ad170221c1610bf1657180a61
SHA1 e3b6a6d7d3667bcedc599ec0babcfd7829ddeb4a
SHA256 ad52e87d4d6c7683609981f14b8e0f55e9d75dbc09f4789435aee52e92a02acf
SHA512 522e17285208c3aa6efef7a6f7ddc834b7b141a0fb128ee4fd299a47d770a404818accc0f8c716cc471e5f7fc61c92655567254106ca4784fb94c9c80a230b2c

C:\Users\Admin\AppData\Local\Temp\esQc.exe

MD5 d799d4226d7ca841ea24d79a03e59877
SHA1 ce70d743ce57a5aad61842bd2142abe7097ba1da
SHA256 1b5bd2f43487bed3fdadbd42ae091ac599ccbde8195abc9c492a0fdcef456f66
SHA512 6c83a9d0cfd7d5575e9351ab4c7c36078479957ea9045f2720dcf067678827a57a0f3d5b308b04f64103a65e803671fec206209e3ce166830c1feaaa5eaffd79

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 79ae4bac03ff7e94caa27f36f43857ee
SHA1 644ac436e4bd731a2ba71c95dc4778fde0e35779
SHA256 05f84cf576e2160ae7f45c44d405539ac552554dec86c74d2b9f4e459d47c0df
SHA512 21f58ebb0c1f3531b82e96a3ae5ca5ff50cb605daf55433c230aec6065805f41f4f701c24cfea22b37d79f13f9997eb869714cde0b75b15bbddb16185bb6afdf

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 14c884532521b359e607ce5a0a366346
SHA1 856634ca169734412196e479dc67d7608420076f
SHA256 b2f4a5fea14594c125789f6b1c5949fd4cf652517a0b41ff68933d9e26b59c71
SHA512 d29d7ecbcde93ae56b9331fb167fbffe8fb85bf2ece742ae915ed65855fc5fe04b7d0a246c4355f12e146c886063420dea928ad30ee0a0f48d45d9d5aa599652

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

C:\Users\Admin\AppData\Local\Temp\Mocy.exe

C:\Users\Admin\AppData\Local\Temp\OUwI.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

C:\Users\Admin\AppData\Local\Temp\QYcS.exe

C:\Users\Admin\AppData\Local\Temp\cYIq.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\Temp\AEUo.exe

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

C:\Users\Admin\AppData\Local\Temp\cIkc.exe

C:\Users\Admin\AppData\Local\Temp\EoAq.exe

C:\Users\Admin\AppData\Local\Temp\Isck.exe

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

C:\Users\Admin\AppData\Local\Temp\iAgc.exe

C:\Users\Admin\AppData\Local\Temp\OQAw.exe

C:\Users\Admin\AppData\Local\Temp\uAoS.exe

C:\Users\Admin\AppData\Local\Temp\QEcg.exe

C:\Users\Admin\AppData\Roaming\RemoveGet.zip.exe

C:\Windows\SysWOW64\shell32.dll.exe

C:\Windows\SysWOW64\shell32.dll.exe

C:\Users\Admin\AppData\Local\Temp\GEUs.exe

C:\Users\Admin\Music\ConvertEdit.rar.exe

C:\Users\Admin\AppData\Local\Temp\koMO.exe

C:\Users\Admin\AppData\Local\Temp\QwES.exe

C:\Users\Admin\AppData\Local\Temp\cgUq.ico

C:\Users\Admin\Music\WriteSave.gif.exe

C:\Users\Admin\AppData\Local\Temp\uUwA.exe

C:\Users\Admin\AppData\Local\Temp\mQQw.ico

C:\Users\Admin\AppData\Local\Temp\aQos.exe

C:\Users\Admin\Pictures\RenameEdit.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

C:\Users\Admin\AppData\Local\Temp\IUgM.exe

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

C:\Users\Admin\AppData\Local\Temp\ycIK.exe
