Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-yg7fcsydln
Target 34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN
SHA256 34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943de
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943de

Threat Level: Known bad

The file 34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (90) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 19:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 19:46

Reported

2024-10-20 19:48

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (90) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\dcQwwAks\CGcYIUIk.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGcYIUIk.exe = "C:\\Users\\Admin\\dcQwwAks\\CGcYIUIk.exe" C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSMMoYog.exe = "C:\\ProgramData\\nAoQIUIE\\HSMMoYog.exe" C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSMMoYog.exe = "C:\\ProgramData\\nAoQIUIE\\HSMMoYog.exe" C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGcYIUIk.exe = "C:\\Users\\Admin\\dcQwwAks\\CGcYIUIk.exe" C:\Users\Admin\dcQwwAks\CGcYIUIk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\dcQwwAks\CGcYIUIk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A
N/A N/A C:\ProgramData\nAoQIUIE\HSMMoYog.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4436 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\dcQwwAks\CGcYIUIk.exe
PID 4436 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\dcQwwAks\CGcYIUIk.exe
PID 4436 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\dcQwwAks\CGcYIUIk.exe
PID 4436 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\nAoQIUIE\HSMMoYog.exe
PID 4436 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\nAoQIUIE\HSMMoYog.exe
PID 4436 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\nAoQIUIE\HSMMoYog.exe
PID 4436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 4436 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2820 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2820 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe

"C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe"

C:\Users\Admin\dcQwwAks\CGcYIUIk.exe

"C:\Users\Admin\dcQwwAks\CGcYIUIk.exe"

C:\ProgramData\nAoQIUIE\HSMMoYog.exe

"C:\ProgramData\nAoQIUIE\HSMMoYog.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 216.58.204.78:80 google.com tcp
GB 216.58.204.78:80 google.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/4436-0-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\dcQwwAks\CGcYIUIk.exe

MD5 7311a55085427c82c1cc895abdebf67c
SHA1 d48390f0688d701cda3ec62919b51b74d45f56af
SHA256 9fcebb9dbae570114ed7bacdfc5b688b421e45f1c92a6e2815fd3f7c1239139e
SHA512 1302db6ef7013e598c98eda81067da1bc8f13fc8a7004bad3f7d709bac44fc27a074bdbd5323a295b17394d9e8a2974b01ab593d952d0a0e32ff965d3117559f

memory/1824-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\nAoQIUIE\HSMMoYog.exe

MD5 d214325978409d42d7b136ade29ce17e
SHA1 894a09ece3fd76213a1044a7bd48488ea9ca19b7
SHA256 f11a9b114f3cd15c8bcfd9e9b9d9d5a5f8b2dd97b698b7cffacf42dc33935281
SHA512 efabc26cb7495d5a5806fc2617e59f24fc0b9b7836e1df7c527ae509f1ce9f4603e047ae7bfeb9737e17476eaea5166277543527161a38e793127bd56b6ae2f6

memory/8-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4436-17-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

C:\Users\Admin\AppData\Local\Temp\UQok.exe

MD5 52a03bc42e1e2d9b48a42fa90c778c9a
SHA1 c5be1328f7465571d599a2901bd04a72ddb58a71
SHA256 4a72cab8dc576b8ded86411bdcc17b9612a83d14f1f87d5de270e74b9cbba19d
SHA512 e303df3d9d7b0a500c9c94bf316818e7b403592bc2878ce21c3269e0a55c0af719a60073a1d9903ebf50dac4eb9da684f5dd62ed2804826e67d155f74c0bea58

C:\Users\Admin\AppData\Local\Temp\Ccgc.exe

MD5 61e42d9efdd51bf906774d10dc37e007
SHA1 240413364438b48ee7f529a5466230f185f03448
SHA256 ee66d38ebdb7e0fa415d78c200e963ed9a48f869f665d83402d65a7408f3023e
SHA512 98ba1ba5d26f33257d9f791a11ed75011ab17560ec739817903475e0498575ce2275fe5958f2430b41906114d3455822f202f98f0fe95b66d89feb8a9e599ce5

C:\Users\Admin\AppData\Local\Temp\QwAE.exe

MD5 1faa0206a8afe7875e029858c566b599
SHA1 67c631412b82c2c3c18dcdd057f08338b3b610a1
SHA256 030cc0af34a4740679575c5741d99d4a18f929863ae76c19a47af749f13a3014
SHA512 34031cd9143278a9a53dbd981e7d64764e030fb631f1ac23476ba0b4cdf636544ba0ff3406eb495be47b061ff19528b003af69883ead0630535250b7a026acb2

C:\Users\Admin\AppData\Local\Temp\woIC.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\qwUU.exe

MD5 2ea8f1bdf5e1a5e153fe36f73b19e1a3
SHA1 2be9a922b90c1ad8c126bc36070fcb2bc132b50c
SHA256 15d0ea0c0731e34f70a20f6e4202994e168d53f7a5736c4977303b5ed70e3fb5
SHA512 fd709315fe8dc50d54c182dbc1fbbe86fad1f1792e55691a0856ae1e9b0e6fe52fb36f6ea768bc2ec22912336d682c32d82fe292758e41d087a0abac1a5746e3

C:\Users\Admin\AppData\Local\Temp\sAgi.exe

MD5 45033247a216101c56aeacb675927a33
SHA1 b36bac8cd0b51458f0cc92a9a525c1910b98a317
SHA256 de4ce84eade3de75aca01885f9242a6466fb6cc5c7019a3cf68c8bf8ec529373
SHA512 85d38fc8fc973cde677d056ba4d881e1d8ae52c54c2a95e10382e0d1651ccba12531b8c47278be08c4fa8b4aca93f5f41661143f29e730e39373b3b40b87592f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 780db3b4f57fd27b31e361a465c05be4
SHA1 eb199e4e3654875ef14a416dc6f2a335ebe421c3
SHA256 d5bbad785a3d6348e6e491ed7f13c60807d83cd1fcf170b90da5ef4b8af45e21
SHA512 8a5d330e2bcf2a020b87ed7f41a49d0ec86669f4e9a955dddc09c2804a7aef0e8a19a702290a082d97c89bdb640593a8f0589c6e7de699d164c275ffda045b71

C:\Users\Admin\AppData\Local\Temp\oQEQ.exe

MD5 03e430300b68351afb11548548966bf6
SHA1 26cd40aa48f9f29e3985b67b3561fc3277f40b19
SHA256 50281dc9bc48b8700a365034368c3d93d3f5899ec97edf2d1b3eee5746a5b9d5
SHA512 a634c065576de7082a6e925c2a9f0f438421f80762b1bb4af110342b8c4a577fef0318bf25a32129758904bf252563eaf90a651f4290a30f11f596fd454e0eed

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 526eeeb6c41cfbe13f699f5951947fb5
SHA1 16536d8e331ea9fac1670f1c668516af648f722c
SHA256 9a0484524f18acbdbb2373563ce7881f2b29ab06664df9cfda0624f9924dbc43
SHA512 868a94d559d2ff84fb03c34b7e3706cbb5fa27914a32182e97b55a70c101182ff2bfb7fcbcee825191fcb9b2d4501f7e2042ab0e2bedca7278856fb065943285

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 947d6990e4a8bb6f668ab29e947972c2
SHA1 6408d70c95eb5ffaa2d3dc2dccf154d80cbfbd94
SHA256 a2a03c984e1651ed2893fd5df45bfa880e827e2712be4cf6bc39382aece504b5
SHA512 869371263dbfc88a93aef6aa061010d0e00c66047a01978d22be112a474a8353ec5d2f54f2b4675f299a9733560c9f79a80a6978b0c12d3952216e52d302b46f

C:\Users\Admin\AppData\Local\Temp\EYwY.exe

MD5 9c5119a0eb96c263a8158b5d5d5c76a2
SHA1 e58444bc6043cd39e016d93f968d49af6ec062c7
SHA256 be5c03a2f71c4cc44a252cbaf81fe7734b97a8eb425082c770dc7de2af9dfc99
SHA512 05b3201e95e521071331ddced4ef7f046dec6f642d564523505161dedc623590cad9c74530260a3837e14991732b0abd16be9bc1cf89f11c4fe0b71711f23c18

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 fe9603fadb77ad866723f29aa73ddeb2
SHA1 200e969cec23c570c4389f61a5ea16494bdee829
SHA256 dc897ba73d9857d1d56f3555bccf0a75317fbebf5026aedf89c54055c231bbc4
SHA512 df7a8aee3f3a465c5bc5e875a0750fa14833293dc55313ccd89272a2af105452b4b5d01080ddeb51ac0fc35e3ca53add5b7ef4aed36d8872a5be1e4f6223eb3e

C:\Users\Admin\AppData\Local\Temp\sYca.exe

MD5 ec3da176434ee442764bb594e95d84e3
SHA1 6adc95773d442aa4ac7735a5b6d9781a6f2ecb49
SHA256 4c85fa7cff605a5caaa0c9f4b92e6a2143f7b796e9113fc790b2a5e8b479601d
SHA512 3d851b9be4ca4da4136a0fcdb416d59dd9620aa8be70aab2064aee4fd5206992eb4b09841b76e883c7470d25147d523aa70b7cde21e0f4a7fe1c10b506c4254d

C:\Users\Admin\AppData\Local\Temp\MAwg.exe

MD5 3e0da6b7e41a1cf4212ba26158c76136
SHA1 713ff2d1f19d22b983160816256d32134a9b9793
SHA256 0e4ade7e1b6125e686f9e2caa1ff86cc9eaea0c73055b5d36a8eb9e5d8f466a2
SHA512 f6fd2e123fff26bb9fcee47687ed935b8282da614aa71c18b0d98279c492a9df45bf458f7488e970332c2ccafa4a7ed57c855a91c05546f4450d00113590c899

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 b17b8a4b031bc07c0c83191c0bcc4de2
SHA1 88f9c50cb0c60906e2e888696ef89c2d08d1bf70
SHA256 aee13893db2bf9cfbead49a69de67a410adede93e1e679828179ff556e1c03e9
SHA512 12b0862d4bd33ef7baed2c3023224703b9121faad2ec08951e5f4960c08795b90a9a6abe836be174751564d201c4b45733f4d054dcfe7d944d849aa928f0e96c

C:\Users\Admin\AppData\Local\Temp\UUcK.exe

MD5 63b6c11af347a02ac4f4d7de213c7987
SHA1 0399e2d7bce4ae2cb308737518c228eea556e908
SHA256 06996d9292d258b8be88f097941cb1d366558421551ee0b081fbc82c231c8889
SHA512 59d22575cd87ac7711b4ccad98ee2f26c233dc458ef1857f1deadff16dd57444cff564586f020cee91c578c023d955a8aa45b0f6cd417c49bb89121d52fe4cc4

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 b1bacb31e773179e171d672ebb82d44a
SHA1 c482bb3537dc74be2f60f65fec48b7b71e1519e4
SHA256 e9fa001faa21c1ce3011b7b6bf421e16b4cc5d937002c4f2cab2dbbb556877d1
SHA512 1f5dc510752aa37647e71d43bee7abb72a88017f1e7d119b74e75d241493a18638f504dcd30152e45bf423f5003842123ed22177c542453e31d20bc663a83466

C:\Users\Admin\AppData\Local\Temp\aYgo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\igUI.exe

MD5 f951bd14162dffa6b64d7831c97136d3
SHA1 332850343d0dbbbf89438cd10f6b2896ff41b2bb
SHA256 73228e1f519f340175d0adb543eaa6436dab24615219c64d6cee906366043d6e
SHA512 b4f2acd8b68d4efb07bc95c7d883afdadcc74212d66a6a11532eb18ef4d7a9541444123b259148794eb9d60dce5b2822fda272d1033e27f508c8f613d26ba208

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 e7c64a24676487d42bdf99bb00018b34
SHA1 20e8c6d502087190593e6537a144a36c77f1ce41
SHA256 5cac479a7710aac9aafdc558ab003802ebcf47919faa45fb1f80c0dc6b798e9c
SHA512 c8505cecbd0e5e7c8f133296e80551e5f353cacadd5bde701f93797e5406eb6902fbb15c3a8a13986ff0e015fc8b2e603a54ec1eb3f9305a464346286cf0a5fc

C:\Users\Admin\AppData\Local\Temp\yYIm.exe

MD5 ecc5f5327594fc6e4fbc52010812933f
SHA1 3a53211d247ed6f58d2672b303b23107f2ead051
SHA256 f20c1c8a60ae8002973e00248cf67d0681a6d40e93fdfb18bad1e4936dfbcde6
SHA512 4e5a7e87b0f0ff49b7944d5c0ff7a459adf54b24ab9f3ddb5d51e91c33271808faf683576b1cdc0d59a9375b08a7096387d663a7168c1afcfca5cc90c2d7cd37

C:\Users\Admin\AppData\Local\Temp\QwMY.exe

MD5 3fae6befa2e5c25600f61513e6f2c420
SHA1 6e908e92d9cbcfb1c2cc6d8e7a62eea2adf14f85
SHA256 b005503643eaff5b61e1c86bdff039464f0382b3a5407a26625d0194fc3654eb
SHA512 c857e26021a93a91bb9c7d0420ae540c182f3fdd155d9c27ed63d30d2cfe9ce9207f09913360e0153a0ae69907587755aae9498e28423b3d2679630305a9fad9

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 47c7ad89265879898ed2df8dbef3a424
SHA1 4c8d0e41c6241c1052924c895e873188113a18b1
SHA256 595c52b57a00c4ba4479e4d3b5077cfc07e8ca8c4ec24383680d6b40a25301f4
SHA512 39b445db6bf681c797e4bf4b346372669f4ecf3bf8d4a59282aec332e1db20e693996286fd20301839ec52f210406fbee688e0f476af86deffee215c269f7aed

C:\Users\Admin\AppData\Local\Temp\wMAo.exe

MD5 7abb1d0dbe6d7ea8aefb5f9a28ffb5fc
SHA1 33add8bf9b5ddb78aad2b0a55e5b555ff94d2420
SHA256 a8526227c205d59d80d5ed55ed67ea689237b2d311047474ffe0a0761d8929d3
SHA512 f4e391f65ab86e2dff7530addd11f7236aa49ac94d80c71070fe5aac46bf750167707271c8f3b37ddcb400577ca825136b0a9b1afce14817633977c4e4177147

C:\Users\Admin\AppData\Local\Temp\sYAq.exe

MD5 3487e852198b2823d480938629d13c15
SHA1 e040f348b3a731e9c38422413e6d4aef0bebfd46
SHA256 2de523ef0c9e3c338b820c4a3b4b04948b0faaf98f2ab53d1185990a2fce434a
SHA512 8607dead7c1af371552d4e7bd30b1c8eb552b4751688ac33e7b2bbc3daa51e7cd0cbf779110b0bf3e595239c5701b6ddb1852e6bb9b1e1f9a07cf09188663d3f

C:\Users\Admin\AppData\Local\Temp\oUIo.exe

MD5 13d9d4b1c5ac112323169c29967b6885
SHA1 d6f60aff8109500559e4faab03a88fab30f06769
SHA256 b1ef1ec94104912d781a0ebfe38cf1d7e308b61284d16e80697999d0c31c7b2b
SHA512 b3ef7155c3ba015c654c095a79df01daed4b73a2e260c437c7b4c43a3f4a155a38c0983daa319a05a536f08420203bac953b8553d6755740ba0a879f9832ce65

C:\Users\Admin\AppData\Local\Temp\oYki.exe

MD5 d703ed84dd1ec151d171e7e17d212cd4
SHA1 a833d54a24ce641c733d765ea4a38d0c74bbc787
SHA256 f7d54a16db1767e8ec8df1de22dbc98cb6db417c2fb3547716c30ff05ec43834
SHA512 9f7e99ae2b56bfbfabd7622e5f94f71178c22b87dc616b058d4ec3a55ed23c1f7a5558bb1762c56028235d4285f5971297eef5c4c668b29545df51660b127ef6

C:\Users\Admin\AppData\Local\Temp\koYQ.exe

MD5 890267bfedd3574c6b0241b8a86d0530
SHA1 785b5063e00bfc2db3d2fc1851c5daad9fe3144e
SHA256 dace799c3c9df233699525155159cc1f160505fa93514038b312dfc26af5577d
SHA512 8faec907ffc6a861c685288b0ba38d98e7d0a89989e8d8e2ff72eba44079e4fbc33f883aa44b83e6cd4e605fe54777c2df06977de52b1b73c93047f113e89b49

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 792888ea891e89908cb6228bfd7fd88b
SHA1 0e491c13374560a4f06c2c26d93d6eba74c88ce7
SHA256 5693ae08d809205e78924b233edf2105a1a823ca7abad2aab668c0495a899590
SHA512 d9da35ca20c1b5b4c6d33933b2f817fd366b112e37f6e1cee6deede14c5ff654a0517549c5835682ef6629573d3a32f8a4e1720b43db86b22c7936e1674587d7

C:\Users\Admin\AppData\Local\Temp\WEQW.exe

MD5 c9cfadf69e624fa9e166063c48bf2cd9
SHA1 561afe02dd68aa7a6f2d460e20d11193fd9ed127
SHA256 ff3e5dd00864940f4765cfe34562d7f439a03b2be5cad6df6d2086e9c8ca1a56
SHA512 986557ca1da74f7d449894e3d9da5b40f57b7497cae8c5335865c713b2a26f612ec943e0b6ae4bb53c55f9f2f1cd35b75f5c647ba28de1e9f43c14e9dfb2dff5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 45e6ea544394bd5bfecb69df5e4a237b
SHA1 4d9f494d0486b13e543bbb49a567f8d5d6b072da
SHA256 719cc3318fd406cf89a4e58446138dacbe350bdbcc7cde54c59f239fb69ef5a5
SHA512 965185b4f645c0b06bdbf94bd62647ac9863ba0c358532f5d5522352e84bbf0a75a71ff512ee7881d6dee114619dcbfd31bdbb6466fadf039239c476c80b34ed

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 bab37965df1a49d6668de9222ac2c5c2
SHA1 cf0e4c928ba98988d85e0a74baeeb5bbc1ca21d5
SHA256 eb37e33c15a31d9fa23e17509c308a68822f65e86f0730beb6c33da9ab24f15f
SHA512 231e8d1c7cf850e9ce1b5f711ee3531bda43010d4b11b31d7090e07b09f476aeeba2622b0971b7e774fe50fbba2f6dfc15454a60ad743f1b69aeb6f64e81d8e6

C:\Users\Admin\AppData\Local\Temp\Ysga.exe

MD5 3a68fe2b1e3794fab7f331631ee1ea53
SHA1 30a5837fd7ad6ac784845ce8e477796e27fa5c5c
SHA256 f083bc491838291225936303d25b21d16a627a7eb0dd202ab0cf452ff1b1222a
SHA512 d94263266f17bc84819372083d8d5c4706246422428ea60823e372a3196fe32c935c04e3bcbb67273ca31f0e84d0a542562ada66d629035983a48a24ad7acf2f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 aac059ad378393cc31efb50ab3d50c3c
SHA1 c0180c9b91b9b5c07b173414b37eb89e86a5e29f
SHA256 8f8045ac478050319a8f3fe92fff84b145889aae67ace6742877466658e8ed76
SHA512 bc604aa17136e3a90227d06a3455fa0729c92efd396947cbf90a8a2afd089643c8e47c42b14bc32fb86f254d668351410ee6d8373837775f867b8b7ae056f399

C:\Users\Admin\AppData\Local\Temp\cAoC.exe

MD5 215cb829e19d06408757b916b93b961d
SHA1 582c65dd358172592eb089d30d132d624e7c781b
SHA256 66efe4c6e4090ca61deb5fcc511e0950c11b8b4a239109efa64313682c1205a9
SHA512 0c0015e124124d3443a7187d5211a46c8c544f8b5f97e579ddee0860106139b935a558386ac241af21868ae5ea8081253f8a41f024bfbd78714f67b68f79f76d

C:\Users\Admin\AppData\Local\Temp\qUos.exe

MD5 4a2e986b49dfc131426fd97113b3639c
SHA1 0f30d2467fe3cdc479c1efdf7934117534fe0330
SHA256 c741b197126915d7fb3a2deaee6cbc5230c01815d7c5f220743d2c62e8ba5031
SHA512 6c4efffabaf9c99ea73198e38feff57627b5d8cd8fdbf75a52f7de9c6e92d7a99b144191311508e150b0665203ab4c69cfa915a7fbb7cf7cebf845974ee23136

C:\Users\Admin\AppData\Local\Temp\wEkA.exe

MD5 e7122fcce66f2480ba61e7f47ae72767
SHA1 f63461a7064794fcbdd8b92e81544dfec2d627ca
SHA256 52760b38276f35d7ffdd407e7262afa1ddec33a7623c624990d3754011682b86
SHA512 cdac01e7ffd8036ecf5316ecaaad73f96e78eee7c53a98b09f42aed34b9333195556731c571090214bbb410439cc4824fc4d888e4928d8eabebb5e28f58dca75

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 29064e4b01992110364ed16234e117ae
SHA1 47cee868cd12ed7d26b3e0fc98b5f8fbc3c9bc54
SHA256 2f61cb1dff10f0cb33c9f9cd0b8e945eac995657fc33f70c14f593e69bd8adc7
SHA512 6434465247a4e0625ba562b3e195765142e47cba394445ace9695b9ffcd01be0c4230f2e677e1e178bdefe37d40f74559c7a98f27505c546a8967c7ccc40942a

C:\Users\Admin\AppData\Local\Temp\kAYK.exe

MD5 aed02952b24aeb213afc57b41b6fce5a
SHA1 09d6e01e1683f3095020396810208d778b457f45
SHA256 9b82afbbf0c2b526fd407560a4f418922731733e2a17d12f1bbe5d8de6afe12b
SHA512 12d854136e9d46053f59f7ed1403de451485d3324eda9ff035e98633ef9cd44e9a6bd64de0619122d789543f31d4a04688053e0a41d2fa492ca31541b4716062

C:\Users\Admin\AppData\Local\Temp\YMks.exe

MD5 b98e6dc091a2bc4ad8d36f67ec27af97
SHA1 d3d917dfd1bdca840ce93d8a3618036ade883659
SHA256 92779678d54390812d44920cb75aa428099f899e327a76b04c32b255dd738c4d
SHA512 423984aa6f25ff9e7dc3ab0401f676c9f7e5fe9a4adbf07a21143482f6a2d708adbfeb9cfd481cf614b9dc24107559dd9d7e3e14003f2f6803097cba1ebbee28

C:\Users\Admin\AppData\Local\Temp\EEMO.exe

MD5 9b9084d69c8f1617e75e694f46c9af89
SHA1 daa24a9e291a99d247555378b93601441d0d9095
SHA256 e67043310b07398b72ac0904013bb16de14ca75b7a7575fcd9f884b79d896a0d
SHA512 57f2847fcb6afe6a3d32704b34415cc40961bc4b2e040180bc40d376570e9745711ddb7584b449c1bcff51d1325bddaa3f483f0ae94f8300e47869c288217f9e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 76cee97560f30dbf864cfe6cdc4861c6
SHA1 606a916f59b4a6c635d7ce9d60f4b9b8a1803473
SHA256 0ea7400310552f7a2b6bc898d9418cd928a13db2d9608eb62bcaf3516ce14aa8
SHA512 ccf56ebf7efa767afe3df427b769926c9a2f06882826b9c922955b7cc99b5a358d3f89a3ccf2a16878d5a578fac379a1b842eb8f1fdd55c2b8f1ab9a55a83c52

C:\Users\Admin\AppData\Local\Temp\isEE.exe

MD5 8dad3dfb46714e01c7be891cd3dc504a
SHA1 3ee087ca2e4e4676171332140de1b95af53818b2
SHA256 27002c81ff1f58942b44a337aa5c91f611d24c8c3a00a33fe9a3929ecc2be0a6
SHA512 a8f759d68d413b5aca2bf0e33aa22fa0637725f1b5aae35ac7fce9f59f05fb462d2299ea6aed3839405fee48704e3123571b6718ddb396ea70c1d000d6d1f1bb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 f327549beaa5dfa0e8c202246297441e
SHA1 c305d8abbb0a2fb2bb17ca4cc0fadd22fdee4a5b
SHA256 249d06c59b89ab0f826648311415eca49264ce929c0403d472e5cfff39f10b6e
SHA512 741d49995ef700fd920d7f12b8a5293977d2960d3539bd23fe162700e6d53d18b0d3a15b55e50ccf5fa4c6f4499a23c05b6c28fad5c47dcba2e263215607a3ab

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 08eebce761107914174e22a5cdbe70ed
SHA1 f494fa071f132ed06acc3eda715e8f408da16580
SHA256 e2e71c5e56b61ecb23d0f34c551cb1f44f8306d18c34af010def9e3d8bdf40b8
SHA512 23f867657313aa8ed37c2342657cf31db96269a5a12d45c6e50f9dea918bf5e3488e4d9d40a4c7d158f9cc2f9ed7dc2e0e45df31ac784a05a5de32eb3dca52ed

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 8b78a32c8cb4f32c8aad9f78f858a4a1
SHA1 4297ab953b96e41a6e6372deaafc5b784941ae49
SHA256 615bf14040dffc8cdbbb810fc83cb99abf40db02ec8dd0a242529263dc28bc10
SHA512 0deeef9697caf42213c15a4cd611fba77f9c8e73cb4600eae66cad61400e25285641a88bf52b7c815e9ef89582366a4b1d42fa2b6a68e5936329b6308cd746f1

C:\Users\Admin\AppData\Local\Temp\AkAm.exe

MD5 9f7862763ddddc98eab3baf5fd29b2c4
SHA1 d7bb4d333413de371aa381f495cd7e02895a8ad8
SHA256 d5ba18ae4d770e4cebab571cc155f6d2f867e1ea46517e86f0194ede87406636
SHA512 46219305f80a702d678006956f67cc14b2f6d74839c783de38f0f961670386ee5d69be176c2bcfd825ca18f93a87be177a9c4ec3a3f3403a999a5cc45dd81edf

C:\Users\Admin\AppData\Local\Temp\sgoS.exe

MD5 c9a5dfc4da3d642043f6e2a904432a15
SHA1 e3b9bb679e5643faa41ee734d095890a683a7697
SHA256 322659fae23b306e8b65dc67eb2afdae6256dd6bfa603ec2fb433326952ec492
SHA512 76663b8e2963e0f05b8f7cce98734e70c8021fc4a024894b00a068870344cb4d2f9f6f5d5ff6836d4e41c5e7b1ab4ec9531945a0cde49e02309a8a53df49006a

C:\Users\Admin\AppData\Local\Temp\EgAc.exe

MD5 1fdfa8c66604d2cd82fecc19bef457a2
SHA1 b3766af6e28beda7a1d95276cc2e9e57fc9ed399
SHA256 16549843e706c918570719060f2218381187ff22ceb30d716953b421e411edb0
SHA512 a7eba73c0407cb915352ac7c724b240ffb260e2fbb67d041566393546bc21aec70a9a0d3b6a84486295ac0be49b1b676bcfa349f48fefdffba96842673a7b320

C:\Users\Admin\AppData\Local\Temp\KUAQ.exe

MD5 5e73aa56fe5acfa164bf8d062bc5c49c
SHA1 180181f5f7cb077b735ce1b2f1de4390afc1662c
SHA256 10de2fec2ca6398971a7860092517fb06c4c76097029b918f55abb6aa9fd4f11
SHA512 a3be8e732ee1a5197594cc3a5169a5d39195886c5c2bb9d62065d65086043bc1913f3ae30bbd589420e25c672a4a2656dff6cd2bcf08471491c27258a20afd8a

C:\Users\Admin\AppData\Local\Temp\sgEg.exe

MD5 23c38710555b9fbe7912b16cb43d5a52
SHA1 75a6fd84c76b01f14d4eb9b2edb04ac2dfb7acfa
SHA256 b702870b654693c3f3ae8964d21164e2bcd21141b50191e0362be9b486a05cee
SHA512 9eac17ed642ce7463fb169cc4f690cfa34cfafc393ef742f4247bff187b0f4530ffb849fc8f4db6935941fd0d10d68b311b51217d59df6a1599d71357324b72b

C:\Users\Admin\AppData\Local\Temp\GIkE.exe

MD5 7677627318621ae9fa7650ee900dd2cd
SHA1 79cdbf0712a792b631c576794c128eee129520b6
SHA256 c5b615eec1a8e708b251fe73f50ab21a6e581e068df41fa85aa3258a35613907
SHA512 a5a22b24771c8ee93e8281f930368c1e0d89c44449ed70277ac554698ab528dd4318167576f4190bc01ec6e586cf5cbd55969920e80f201470e5b204a5b351c7

C:\Users\Admin\AppData\Local\Temp\eUoo.exe

MD5 66034defd47b8fa7b596a71100afe904
SHA1 7de0ca33c4ae04e9106ae8c17f111b75760a3a77
SHA256 aa90cddf3242a78a37e3af791ee4030ae95bcd71c40010f97677ed1caf7021e2
SHA512 b9e34352a94904ee2ad901e60c2e9ea5a0cc68e1703c7545329d4fc86f9ea99776848f818663b3291c729cc2c6f61c8c5fe9a1d371795c8aaf57f8cf1e75eacb

C:\Users\Admin\AppData\Local\Temp\kUwO.exe

MD5 e73cf82d5e72a94ffbd6f80ab5cd63d4
SHA1 0be46f03e82300c1299f32fff119d9870d6a4453
SHA256 b022ff2af21b70182870ba954fcbbe70e830d5bb78deca71fd76c2dd43ea1f91
SHA512 798c3cfee584a7cc906d1accce3997c94f561ab312b9c0d7d6542b43878b1a52029cff1b830dc7d40fe3a1097a170b88a243652d1a0e69cb9f874fac6c4e831f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 a6624c3b0804a09e438d84dc59f19d0f
SHA1 f6a3dec29fa4907a23cdb26ff0704f2f66ccd6cb
SHA256 1bc9df4330d9f98abc1895021b0ba19039f661603166f4f785539360f60a4178
SHA512 f4a869652adfec424f996dbd292f8c36f4cdb781fdb4fd3d2397f9fcda27473810f5cca4aab04dda75258eabd15196a832990ff13902024d7c7ae134385665b1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 01a41e45d9f62b4503755f2a69f44491
SHA1 44871cc257d6540ab45edc04421ebf7f5b82988f
SHA256 a44f9108ff13ce728647f331380364ccbcbdf98b1cdf24e21b4356b1199d9884
SHA512 d146d0d35c6e7441db2866d6c6be99934fd69db1a31bdfa2671b739133d0647a1f8dccba90db309d1cd655b992a9619219a47481ec3c79bd3d8d0139af639ad1

C:\Users\Admin\AppData\Local\Temp\ygom.exe

MD5 007d419cf99c75de89f391321be523c6
SHA1 5efd0c786e3969fafa014f7f56da61b0a0fd2cbc
SHA256 61099fcb16189705ffa56d3637c50f79771886cad51d8015aabcfe1129a91fae
SHA512 32a983e581ed0b3e98f97d9cf00688a1351a1ff29527bd41a86ea5960911e79b73de174a25db6b5037ee8651e7f5c50450a30ce16ef159163105774a547b9dca

C:\Users\Admin\AppData\Local\Temp\CAAw.exe

MD5 64cf877094dc19ff189750fdefff6c9b
SHA1 3491ce2080d45c0a991cbd063796ae3501847411
SHA256 16ad7f6c04810135771a124252bc89fb162f250581d371ebdb14eb24417eb308
SHA512 86c3c5a001450a9fbb48f8c8a4df42f2f95b6e9b68813afb02df0ac5ae25163924da05f403ff9f2d2a8a337367b2a36ec0c4ef72fbc3a8b64b29e2bd763a2220

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

MD5 699f7a67c91784ec5f1c3f77212c679a
SHA1 03759a488fcd00d7705643973ea20fd9e70fb80e
SHA256 96097163b3e0da18f7ec50aa9a9e7df44d36e9f7b60e7dc82edc7e2c36776c8a
SHA512 e7eff6e1254c4fbe0ab15e23aecff773d4539a073e46bc87831589d7377c0a85edfad33a7516f6acaddf691899b81bd486d66a8765562cc9b3212e30da93c79e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

MD5 50dca304f998c213b15de74e87eefe3b
SHA1 3a26c2f7a99cb3ebe6d6c8c923cd68652401ea26
SHA256 4dbeac131e4f04d65b5cd37bfa6ccb2009c8c86b7ddb499f2fcbd555c76472ed
SHA512 6f02859105644d06bc5a691860e1f7cb7f9b141e01a3ee9c70e987599bff551a69a84625a5d9cc6549e182ae2c8893173ac429ed7c55d241307de37d1b08fadc

C:\Users\Admin\AppData\Local\Temp\EQsM.exe

MD5 3fbde8a2dce0edb45b1373634da3b889
SHA1 19a3289906ed3aa711b131e0b0d80e96727fb6f1
SHA256 c1318a9d8b9681350ee298d33d49198ec5ae531dcb6fe836a70e423398de948f
SHA512 bd85e77f9b22095247044b601b46468d53ea88330d9692c574591732ece4b52a6b376dbe1900556f70d95281a85ab4d29939141b7c16d310836ee5e05a0db1b0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 8f0abaecc66444dc5505fa0e2bf333fe
SHA1 ffbd911798cd750bf07f197b7838d2c2fe0d5489
SHA256 e1ed62a0840d021f2f53b38d463d27efed892241998ca5b6a14a5f73f3fb3767
SHA512 4fc392d1a649a0355106aea90236b37be4c6146915eb559a74a94fa6cc9580907e05e0e42acd2d4b38c2a760576ba38b37df569a435fa8ae6c231c5222d9d9fd

C:\Users\Admin\AppData\Local\Temp\GsAE.exe

MD5 c3b75700278437a82fe0fac6df225a7e
SHA1 fcefd3aa17b502137cfcb887323bc36ad5c441cb
SHA256 25de009a09dd922df92d0d02f1d3d499bd1f61aaa71abf33e4dc5ba20b2462d1
SHA512 1f1593abe54a7fd6fcea7dbb631bde77020c795c72307ea0532b3a3ea5eb0c16be7e462eab2a1054e7c2cb03ab1713cc8f65b925796392af8b000566a5fd68d2

C:\Users\Admin\AppData\Local\Temp\mAwA.exe

MD5 97c36e4aaef1ea6265d110224a6daa5d
SHA1 8b03901297936bda9902d8ec47ce09a4ec9a3851
SHA256 e1a3e5bc6d89f85c94721cc1ccc1585fe1571eda6dce69cc62e5eabbfa7ae8e6
SHA512 72e432eb362b35d63a2e38a06af80ca5381ab045e052adf512ece98cf43cb8338f1bf9d3b308d2137f35854c5d4cf0f5bc8b8dcd3c2fe82ef3d6a97fe29d9ab8

C:\Users\Admin\AppData\Local\Temp\GwcU.exe

MD5 68cb59999cff3828a003426cd4202e6a
SHA1 7cd5db04f70f2e8d28db44144761dfc79b3f9c83
SHA256 0b3729dae529c55cb13b5d975bcc1cf728f8dc64b7275015c3fb4b83657f5bfa
SHA512 c98bcb99d31faa9b670c065e8f50b77ac08d70c5a6239dfc175d8f7dd15db0e7a9b9161d2abb4348604b3e092ff782f012d6b3be86d0f8c3adc030da7ff1b5ab

C:\Users\Admin\AppData\Local\Temp\ewwE.exe

MD5 c66612a451ed97e560219ae0cac9a096
SHA1 5b30469248ce78c6795acd7ead0d4c53da65a8b8
SHA256 fd3532cddca49df7c4c58ec8903dc58255f5f6674da5b3dd3ff7b3027719e301
SHA512 25e67ece1eb5773e266afe7f2043eb31d91631490c0900eb44e2bc59d7b47242f3278f427c933b047bf8bc235d249341c78c3953ee3cda5e3ad8173a9153509c

C:\Users\Admin\AppData\Local\Temp\iAoW.exe

MD5 b486b401372a16e0f4af5f00598ccf84
SHA1 18e207147a0c613bf41863ccf192b402b08a5985
SHA256 ee1b0565683828e92c11081d9894bb337e368cd8d61cf21c0ed49fe183583892
SHA512 2d05f21f7539eb549e18f801dee3960307c228de9772ea3e4b8b21ac9ca2a8cd24422aeab4d936d30d2d18e2fd9026b10bd8e14120e42fa7020dd6d1b5fc31d6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 fa10a50673189d8b2982a252bfa3c4bb
SHA1 8aaf3f33d6cebbb67b26975a849f23562e24cf97
SHA256 0bef9a2e2f28226a509561b0623547d42d08fd0dca1a6d883a5b858318dd1a77
SHA512 fa25abeb6aa1cb89e32ce7569fe578a6714128ac50b7ecc917054346e2f21386a0d3fb4191299fd15328c7e8be1e131b53e1168c6dbf1e4275240125c5e6308a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 a79a6c3c454ecd6c35be420f395fc36d
SHA1 7373b6d70f8f3f5aee536de8e6b3ee2325cb6f9e
SHA256 83ea9d1964d2dc73f73faf09ef3097e391cd4a873a8d2f06c92c8ab68ce0b1c3
SHA512 b6485fad397ac1599b3a23d92bc3544a943ba655f1e81d0903975e17fa863ff394feea912e97a0639a1bf243ee1eeb3a286bc9852c777d83bc3a9cc882c7e26d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 6742b82f5c8ed41ebdb33f41cfabe4b5
SHA1 04f2ecbe00df37ff0e8dea62c94ae301f371ea95
SHA256 28b18517eef38d1c4d61e16c1fa7f3153134aff852621c3041c757ea21827a81
SHA512 617f73223726c23eb75ce2c888b7ef4583ca7245f43b840b8c91fcb9b4ad29d8dc5e4ebb29fd5c568107085af562e5b2a1d5c15a766e586b2d7d13baa0715b9f

C:\Users\Admin\AppData\Local\Temp\acce.exe

MD5 0a9ca2d3d1a6c38ad8c54fe239ba4c93
SHA1 def9f6f0f75b625f32ad9814f2c0a6602bd16ae3
SHA256 1fce7a3c9ec209c6051d2d09be8878a0259f2e9380b23feeb7798dac6e3eb599
SHA512 55cc5051be9a8a162276591a69b7bc01cf7927997f9e74cdca96d7d5aeb500109b7cdf6a90491cb6d79366a3c556af5e4c936bf015bd2110e103cf1dd92ed2c1

C:\Users\Admin\AppData\Local\Temp\qEUg.exe

MD5 56aacb2ccbd50d2e1a410053b44e22b3
SHA1 b8f9203095a1f907155aff6f212418ca7ecfad69
SHA256 3a4ae8f67c107f622ac66ae93883725e5f400e1e08c6bb47dd1e73d2546e6bab
SHA512 68a91b051c1e2afe47a24d465eb7dec20be09bb535e3d3f10aa529e85c087eb1ad1d4320630f228ef944044399441f121dac45aef1fddc3ddecfd9fbb2815a88

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 6a0a6715dae0243c7b9a3f873971aa1a
SHA1 881ee1c7dc6013f131314eaf6309d7f76d987659
SHA256 9a21b5d8ccf59756baad2fef9b09766df1a51932af56f94937ea7c7fca23f1ee
SHA512 b579eccb66d8d6bd2576fc293841a5a101e43439f50635474ccbae5817d6038a86f3f4d28d97fa3be9b93139ee041bb97983ce78e444369e985ce6b0259b7b93

C:\Users\Admin\AppData\Local\Temp\YAUk.exe

MD5 b5b66fbe41db43a258bb0da042802f85
SHA1 cd551b0d09a8b50b23215f7aa2aaa7de9a60cfeb
SHA256 753109da8b2e2a4cbe5c47b6b6c4c80aae84db1531bf53c649e33b8691e78bb5
SHA512 fee795073b25c858647ec93e4129a727b984343ab24f5adaf98776f42e0ca2959c8c2b0a80d218a0b425fb16b33e24aa85a2816f697a077dd1f825bd7efa51ba

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 eea08857a9972b26e6047fe515f214da
SHA1 c0a6e046d655ee11c793286ec012dc5d74d1c3f3
SHA256 b23bef937c8ec36c031cc1330fcc5b21c0fec83be5b72aff525c4d806f38689f
SHA512 cb4587590ceef246bd00e3357e81910d3bb3c4c6cfa6e04d7c2110ccf8b6178b034612f6e13e6ef242acb29662e04e6ae3f0300b6e1a52fd82f8d022b5ef3c3f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

MD5 5b8aa45ac7c0955c31919eb7329aa404
SHA1 37a107e2e3e8cece1b7cb90b018d7d52d0270836
SHA256 c7a29a92ee5b3486364b5a05009c6e41f3962bec0160de23c90b0b354a46cbcf
SHA512 e21289784f7a4da4454b8f1baf01fa78438d1b1e8e5c502c1304738f506f20c91471d7544231fa83a092bdbf77ef89b72fed67594e770cf0b5fb2e0d7b48e4e3

C:\Users\Admin\AppData\Local\Temp\OsYe.exe

MD5 91e3e993d6cf3a133fbc701f105488e5
SHA1 4b911e976061df7bdf6c867ebf5bae84ebc2431a
SHA256 846d3371c90a09d85bbd3d7f759731e3a7324b8ecaa591047eb88e149bc5aa59
SHA512 02969dbeec622ed25cae094d78c64c98e5bea22e85e4248c5e0157a75c8e6166936b9421f872bf2fac61fcaaefaba5353cdea212ccd27f96253d6fe3b57a8863

C:\Users\Admin\AppData\Local\Temp\gwAW.exe

MD5 58fc92f92bec61aeaab83b4287d6b847
SHA1 ca43b96764eccbf48081cb88f250a0b326a2c547
SHA256 f16e2ae21353af9e544b1564baa17f180d3162ceb6fbb8f32c78955bbea938a3
SHA512 e37088969ecdb34504b5d6c874375b2f07f183418cde2d0f570f74c5d637c9b44f10c98cf5f76671ba0284ec64ad4f7b197af36776a369a86238fa431b32281a

C:\Users\Admin\AppData\Local\Temp\ywsy.exe

MD5 276024412ce709e49b9efed1960e9350
SHA1 7f1db331fc61dca13252095eee3b87bbfd797615
SHA256 eac892d8b8c5be05753423563bb4a2fa00fc473f1985d70e1b8d14553cad3bd2
SHA512 3dbf1b62fa4740fe90c858d651b4aa5a0f86472f7c1975e5a508e3efb531e3c54f8e1092d2f565bf68632c9cbf4ffc2d1fecee8a256fa62501f316498b5a4dc6

C:\Users\Admin\AppData\Local\Temp\OYwy.exe

MD5 4f32465e15066b1ddfd4b29976048b15
SHA1 4ad90a512c9139ce2c6ff9764ea897a752811d52
SHA256 f6164440f3dc31018d4041e606ee6ff8209133e1622545b6982e95593cb975a6
SHA512 c141dda3578195c5ae207937d7219eed4dbc706624dece275faa28bbda43a803f1d802b4f9f87979ba47a7f7bd21300a43ee932084ebeae35e9e813bc5038a80

C:\Users\Admin\AppData\Local\Temp\oYoG.exe

MD5 266af8fb3d4e277723b0e2cf629bbca3
SHA1 c2656a998ecbc5d2b2487671db011a3028472b60
SHA256 4f3fb09f1b4d5e654474fe257bf83eca1b2bd57e3f38721622b0f13c6b1e20c4
SHA512 66f7c71b26a82ab9efa2282aa30af009da80203f057d3df0b30b37a77ce2d4ca44180c2eb039f784222f6c0f369b445ef2421aa112d41aee88296694da2b3559

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 0a0cb86f7a45cd4e588e50f4bdfd1821
SHA1 672a6b77068b331515d074b266dbc5ce00b8350f
SHA256 42045ecdfb404ca3e7116994d23a69fb12175a6b7038ea58699dbccda950f0ec
SHA512 e6c0c2161dda8f7cd7e6111a15f1e31b5b7305cc40157b7cf2e28da293b021d30a5c5334e8ccb019300587a30615559765a7e5c92d7019d13231905c73240063

C:\Users\Admin\AppData\Local\Temp\cgcm.exe

MD5 c02005508f3243c9e86580cdcad752f5
SHA1 dc14a33038cedf7c3c9bbf35ebb4b0ef3f30cdf6
SHA256 11609373ad247347afd01ee52734b9ef3fe077ea905aeb919904f99821d9aa53
SHA512 c813df5584aa6b9a566f9c82eecacfe25f5250ebe705b9ebae7b142b8c28c1895aaba1f4788b32780193c8c6580d545e1b5d4789afa4287eae36189f13b9dd5f

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 0f97c37fa89be5d21c435d669a4255a1
SHA1 050e3683e77d1abf4008de1b4bec3c3c34e49ad0
SHA256 41e5fe466e4e3b970d77198d88da6accd8f8800eb6a6e2bfa5dcda36d61999c4
SHA512 51c3a71be4ab6b8a41ba5b28e4f5b2480db5b6a53d2212f11605b7f81b74d956a7fdbaa5d6a70df303b6fec21eb4d73364fd4749405c7390183945180aefdb0b

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 0c7c2430b79460c0c8fbe23a8ed72ebd
SHA1 57293b5933b4ec172338b52f93a3bd4c441a723d
SHA256 e868ff3d58747683ddcda62f69bf4d76d9a6da4f6659dec562360dbb0d07e9da
SHA512 174a9a798a2b19bad0adbdc3c0fbd647ef4673255769717d313d565b2dbbbbbe1eb78b1f79ec4bf9901cfb8bd411732360938f3ebf6185f4237553c39ecb29af

C:\Users\Admin\AppData\Local\Temp\ooka.exe

MD5 9fa848db2e11e1f59cbaee51b7668e77
SHA1 5df96e9a27f7b7268dcdd7294069ace84c5d3a00
SHA256 c3a55ccb550c8351e83ca82ed9289c79c164c3730cd22a9820b42b1fcdd7935e
SHA512 266590db44f611d8378da036048a56e0f78508566020c3ffff8ddfcc1d215104ae632abf3f785ba8a3085a5732e6d80a75b5aa0a0757d8c175d12f256a704445

C:\Users\Admin\AppData\Local\Temp\iQYu.exe

MD5 e5d38155d36f7dffc15b576045ecb6fe
SHA1 597c52072a4baae0bc74380e7514851187991761
SHA256 a04f83e955eed2606352e5c0146b942f7537dc06d45ef9a53f4ea07000db65cb
SHA512 5054582fb23bc57c47b480ec7b7b69e256bfe4bee9c72b03b281816708304c1a2f80e1844fb03c24f54a3ae58571dc37330b4ce2c5d3e871dac89b28a2e10b57

C:\Users\Admin\AppData\Roaming\FindCopy.doc.exe

MD5 ad8f07cdf6f8c5369bb7b6620cc24bf3
SHA1 e85c66f50ce2e994de4e1cf104275990a5140b23
SHA256 c1e838d3dd39462a899d68d074635acd8ddf8bd8aa9666b7dc8cea4689f7e2ca
SHA512 fe1078909ee260a759436ad76631cbbb8da785b9610568f6bc3efaca17f9190da438a9336440688e511afc80e952cfaab569b823c9deae696f19d300dae99934

C:\Users\Admin\AppData\Local\Temp\iwEW.exe

MD5 a23f9846282960162e4dea67422ed9df
SHA1 1fb5d44b82390fcd40800f16b4760819652ee4c0
SHA256 3f465e416c7c890f79f729b6585b394c137840974e2cf5edb0dc8b8d8cf77e5d
SHA512 49ccecc2d0d0c6dde345a07506c0c73572642154f7f957ed54ed78906da8c874d4ccc161a6f46dce470d4c2093631ba56a70c246c1ad05e70dcbf01315eb1089

C:\Users\Admin\AppData\Local\Temp\qsQy.exe

MD5 68fb1368b43813eba7727590eb561e5d
SHA1 abf2436b7e36e2f3e46c84557bd4ad64e1c055a6
SHA256 99ba752544e62e3e97d550bef9f80b290da94f0a094db5e41953cf4a27df8925
SHA512 ecb55993f5900e737422b382ee0fb81553bbbd6c1f5f19d252701ef1bc1024c0739874140a82a6cf45f4e2535adfd87dedd3e3633859b0a114b4fa9eb38a4c63

C:\Users\Admin\AppData\Local\Temp\qUcU.exe

MD5 cea3860e0dc11905ff149a82de461098
SHA1 d6d90b72ba35850393d8ef13f096f4497ce2c8dc
SHA256 3d1fc41302adfcd3a921162adf630048bd7b775fbd026c1e0909b045009dde3d
SHA512 e1c153f0261fa3377fbcf459f60a4a83027e5475a69b5a601294c17d01c4b0a558ac5b0faac502cb9fa541487987ec2cac6ce4e6190686d5a319586f724a7bc7

C:\Users\Admin\AppData\Roaming\WaitLimit.xls.exe

MD5 ae711d344b73c9bdaa6e43b4c96ab581
SHA1 c873193261fab11cbf72453f1557ade9d1a0202c
SHA256 ac1d7737728ec50d211d1fb41eb71c98b8f3e524924ab0b453c42a7289e64523
SHA512 a3a86246d837e0529f0168fa63b4195040e823ad3587cb55c2e869fa9058d51c08123910e1d9a48350e8afdc70518ecb19833d3b580a3b62bfa6a298f282aec0

C:\Users\Admin\AppData\Local\Temp\UkUu.exe

MD5 87639082d104e79e4ac7e7e3fa26fa9c
SHA1 b0c010128a65e62d17e173e53edabea6471d384e
SHA256 9e71176d60251fbff37a5dcdf4fded0b91772f42097238e4826caf856fe9211f
SHA512 afbf6e58485793049cd4119255d503cdad0c5484833c4dad1b11383ade743ed731fd8ecd4fada0892a9eaf23e049b865e329052654c9d59534e5dc66880006ae

C:\Windows\SysWOW64\shell32.dll.exe

MD5 3b906e8be7f2df2582907dba47d9003b
SHA1 b0759dc77a4e4a83af2edc7d01f0b14b22c8f171
SHA256 68599df488fbf6ff6c204aac969578609409ab0c37f776f985ea476148aa621c
SHA512 47fb9cea4080f8d71c6add85962e9467a9f250aaed9c30b0deeb864e30a1ea34f18c956721ee4f28bef64766a85eb8d6cda5653b3d12e2a0a71b506dffb32928

C:\Windows\SysWOW64\shell32.dll.exe

MD5 29fcf4f1b0e88d09a177bf7f270db45e
SHA1 13944fe046f41143666af8abaa59e4479c9dab3c
SHA256 02d37ca2678e6010caa213c1999d514f1bdc39cd9792fa4dfc3794831cc13de9
SHA512 9aa4412a75bfac23623d320a9bb2e98b3a794b2e5e135057c755fb476742f607243bd1b0f41eccf9876e492bd065a6b9b58dbbaa6d2010bd9a129c6cb20f33c7

C:\Users\Admin\AppData\Local\Temp\YUAi.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\YEwc.exe

MD5 a386e4496e0ac7d45a0d85546ce699f9
SHA1 536bfa15b8d332c0a33f77b20f315736a5295d21
SHA256 d2b0357dab84bf883966e8ed60473ffe3f39c3dbf422ee1c76af056e096fb831
SHA512 ae9eab4a2a03915d13e933b97bccd1ee7ead2d1b674f3cc644668e0f36495a123126b32d4be752d00530e63991c8d731231a936073f2c7dfc075ffa6ec3f1edb

C:\Windows\SysWOW64\shell32.dll.exe

MD5 d851bbcd3ae1054fc9e3301ce5799720
SHA1 1308b22ae4f0ce9d4c564de50c367e2b921284a6
SHA256 70592f5133563d2062830332e07ed0a7946bfebc0b8522c23b6a82b02ec56826
SHA512 10639a3cac4cab8447486db6ae79a91b8e10c76c5172f4dce287265bcf13f93b623876e52af585ca3d587e54a5d6493c23f842c4c2e4cb2c6725dde64a8a2491

C:\Users\Admin\Documents\ConvertToImport.ppt.exe

MD5 3a63954f74b3fe6ac2bcd1b340297b33
SHA1 7e4eb2c152d64dbe293b8552711db4281476c598
SHA256 8643a596cd672520f287fed5c0b2a2664ed6d52e737085057cd5cc26000ef396
SHA512 2bb154d165b0a576c43042cf9b197d38800ddb68524e1628d77e0b58f135d65dc5081e53212f87aaf41eac3be882122253cee993047065ba4f8e3e102479155e

C:\Users\Admin\AppData\Local\Temp\ssQq.exe

MD5 17fe61865020e00d7bdc4c01fd9d0d53
SHA1 c04bede9703930268911623f57bb839a6f142f4d
SHA256 5c820304947689643b9062749711a54d8b3ac671cccabed1c33514f88bcbff48
SHA512 6242ffee8e0f6344db35607a547dd6feb33e5d3630e06810ca09934710705fad092b83dc7c46bad302edace5fb8cd1619a5555b4bda520a144b3a0f33f6bad3b

C:\Users\Admin\AppData\Local\Temp\iUYc.ico

MD5 383646cca62e4fe9e6ab638e6dea9b9e
SHA1 b91b3cbb9bcf486bb7dc28dc89301464659bb95b
SHA256 9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5
SHA512 03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

C:\Users\Admin\AppData\Local\Temp\YQMw.exe

MD5 5dbcccf2498899349d062b2f27032d07
SHA1 58b1295eb8365ab951bcd661ab27f3454990660e
SHA256 d906cff81236c4a817f13d08ca18c6bb23fa81fdac9b43bac0369de51a6d10e5
SHA512 faccf68b357760f095fe51f437d851a10e43c7c9ef7e7d61dbaf3346c6563a64e077c275e80c131c7289a4aeb0680b14ae9e7284e8e02c148a610b3dee6bd720

C:\Users\Admin\AppData\Local\Temp\GkwY.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\YkEe.exe

MD5 fb5361465387d684c5bf83bb0ee467fd
SHA1 f804ddc4b96f4d6e93bae663883b693e9a15c80e
SHA256 3f361cf6c25675b3d7d6a24724fb9b6e6e824b249a9b3681c18961834903eed3
SHA512 758fa58badd10814dab70cad19f193e0e18cb70695b18f0eb196fdfce280d5cd3cda4ca53fd10debd179c60aed158ba1bff117a9dbbfeef926c46ebb3bebc432

C:\Users\Admin\AppData\Local\Temp\esoW.exe

MD5 9322c17496858140587988af7d45bcf1
SHA1 01b31535b505b179f1e16b038c4bfa1d1205b26b
SHA256 6acd79c50e51354d3a6f2940518247861cfc0ca748622ed3394684f65ce09e62
SHA512 350c0e8d85c09377735e09bcf730b7ab87ef258399ee931f819014ef24608de7293dc1d16dfb8990bdcbafc943318ea397763443bb6de0925108ceeb9c6bd9da

C:\Users\Admin\AppData\Local\Temp\ckke.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\AoUu.exe

MD5 18560574f4088f72dcc5f7b8e070be26
SHA1 b7a7050aa5160ec60753ceedbb1851f2b0f42109
SHA256 23f36a6538c0aa4aa647b1b6046c11c17f1336055230e95256dddc4139274be4
SHA512 48394b810dc97fbfab83e0c263e12272406aa5ee813e2c332522bbf4de130e83b6c4cf1a5ad8cd6b0dbea1a62fd7a58f3d8b5c99dd8e32b74fe7a16ad1b59ca8

C:\Users\Admin\AppData\Local\Temp\KQYo.exe

MD5 4b97e9e4a9f871aecb370015a304df73
SHA1 fbe97a56d09e8af42ba98c978f4fe4a0b4a03f34
SHA256 9cbad93e3654497a42a67e1f63d387713af4e1fd9216bb73c3afdca4eb5f43fe
SHA512 691f5bd868b1097dbb390937867c55a0d33e92b2a02add52d2725b31fc994319642ca666f34b7a29626d1e0c487745990e8cb0cf91fb87eac832da23e029ffcc

C:\Users\Admin\AppData\Local\Temp\GAQI.exe

MD5 67492f3841fc41a461e0a1c64736f507
SHA1 7afa4b72ac7113e75a7e0b33a468670ac607f614
SHA256 afa38a690e562899e0ce070c30777af804699ea73ae69f48e3fab69955378025
SHA512 133d009a46e62f20a0e51ad74d0836c45025a29c3d4fa82128ffd5365ac650e7b7a7482a19f5ed3c137104a2926c05fc61af30b9535b836666e3bd55d5ad08b9

C:\Users\Admin\AppData\Local\Temp\sUIU.exe

MD5 3d46071132ab29ebefbee721727c7962
SHA1 3095cdeb2ed65941a8827b53673cde4b6df314eb
SHA256 e43867121e2bca2065f4bea79ae22b677166301f54f88b05cede2d9d5166a721
SHA512 1bc5fb9a83c2f2fef1d7093fc32484fb4244776ecd61b418f41dd1790e4b80a0555cc6da94fddbdfa149905ec3e607ef3526039161ca9f41794c40f3431ad569

C:\Users\Admin\AppData\Local\Temp\ocga.exe

MD5 f96c19cbdc1571c10c9c63617b02ead8
SHA1 430711c9dba8e5b5ba77c6998f43c4bbe998bdd4
SHA256 856943fdeea68d35e961e73134b0ff7ef4c4fe1d668e6ef7a62e86bc43f211ac
SHA512 f4655ad6025e817d63d1eb9ac2958cb05af95527bb37fd22a7967c51d83b6f97cf88242427e6032508b3039da89e3aa9d4ea9bce22d26df329b605fa4d9f3f8d

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 becc62bf44f945162ccca0ee0c101abe
SHA1 f82010ca5536cf117c3ce39a3874909eefbc5c98
SHA256 590606ba6fdebf5a22d72a1a153ea6eb5a9374c62474b338a0e32db9db9cebd5
SHA512 877841d3dd83450d3be12baead688c0f08cf8b6a4d38103a715324578b5ae7c0a6b9937348e84e148342c9e9cc12db07fc539d202467504ad51b36d0df2e5458

C:\Users\Admin\AppData\Local\Temp\AMAW.exe

MD5 4bb7e4876cd20cfa0e186f1d18ce7583
SHA1 770615d41e61f48e3c28b29eb9f34cd2ba77c060
SHA256 25cab9a5c9c4b69191b3b82c1b27de2806392f2c1c9d50b6de3d2c8b2130f332
SHA512 00afee915c4da29da1eecc39741856e9c36b1086a1728364cf512466f6b6bef5383153e1c3b8d97a4d76b2761bd0a18c8da5c7a4e100258f0b94ea59ec3ac2d4

C:\Users\Admin\Pictures\ResolveProtect.bmp.exe

MD5 e71d010bc859c0143ca5d63e56c2ca8b
SHA1 1376cd28cdc2d431f5ae349d803bb4ffd3732b9a
SHA256 e1e0f2a0780279b08c282edcb6746a5319862407929e8587d4c3dddad5c17d2c
SHA512 aabca85cd1fe11e62a81c1fa65942f1ffa2bb7b83cf7f6bbec576a4017acf33718eb01e56ef9f8a258296c934704794a5ed0c3b394ed7e0e22156c364fcd2039

C:\Users\Admin\AppData\Local\Temp\gsUG.exe

MD5 0899ce03ca22afd0ce5646ca33fd1606
SHA1 2079d3861cc9a0c5b47e5c7a5e0d0d84719c593e
SHA256 e0a2908eb7629afcbaded1b0418472d2d80a60f4f95461bcd7ca5abe46a8bee6
SHA512 048eb6accc42110a3ab293099e6f636dbb2266630a99a09378264ac5c715cb40dc232b086e362f8b54ae477c5ddce252d777af8fe6fb2d38f1c04b184ffd40d5

C:\Users\Admin\Pictures\TestExit.gif.exe

MD5 0327ed329af2a638c6f795e0d069f448
SHA1 479c0813d19e89a953d14fd2a5262a1daf586f79
SHA256 ebb4131ca06396e98accbc4c4d208ab864d087a9f17e1551f6e43aa420e1da72
SHA512 8b3c4123e3a66c12ab7f52f8f1fc2b14bb3a2cbc11954b673b977fa21df03812aa361c53ea4466e0b3bf7c1981e7941a652da8d6acfbbeaed7b78cdf0025f453

C:\Users\Admin\AppData\Local\Temp\eUsI.exe

MD5 ba98a7cb990c03d4bb4d8b19fc379a8f
SHA1 7b23b5d7419d9f89c892655ff9786381695b56a1
SHA256 db9d522623b5278813f0b377934018b95b8242ecb550c8a7d1f896446b528e28
SHA512 27b6c4a10f52302d7cf4c923eff4d3cee50efab8aed8baef3e640e1afb82115e971ae4a4fe3c17b3c9632011875e7db9cabc37e0880f3effe92f203693b45958

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 953044850aecad1c5683ad848347d6ee
SHA1 a580a421f3dcb59742a62f7618b8a6053ceff217
SHA256 22da4b60a03c513b733fbc08e70a47fabc4ebc384d40a4a2a13f39fe40b38c5e
SHA512 8e275ba943549b0327ea1e692f4996a3e35edb17b8b2deb72ae826fb23409302151e0da50be008b30c2435f29ba9458eb5f38ff9bb99230c4381313f6cca67f6

C:\Users\Admin\AppData\Local\Temp\oAgm.exe

MD5 44fe211ec402ed12f7e4402009b84eda
SHA1 9faff6281b71b80f863c69cbfc02a80ddc72bd20
SHA256 43fa6d54557e7b8a15f54a1babd7749f63904c72d148d32c169d2cb482271c32
SHA512 b44fa6b020ab6390c788ac2de3d303378cfe8258e7ddb00c3be8f57a3b210aae42fdfc6702d33fb4b09fac9368b2bba0c2981ff347e9be1e361e9ff5f4559ea7

C:\Users\Admin\AppData\Local\Temp\wUss.exe

MD5 be686f2ea9296087c4e5e3fa16ced48c
SHA1 d593c48ad9ecc2c29c5321df6c8a2083d43bd4b4
SHA256 798a387988986e10810d026a2186bdbd3e98262982126246daaaf6115f038107
SHA512 879e490553b848bc0f333c8f220d9e808ae5b11ed5e19d137c16027aa41910edb5a2bccfad024e2d293be1ecacdcd5fdc24f2d7aea71e49eee1a3844a2f357bd

C:\Users\Admin\AppData\Local\Temp\QIgC.exe

MD5 d859cc6ba9000c2381e0e16a98d0fc08
SHA1 5f834e2853661bf91707ff34d6c42333f093d60b
SHA256 a8c595121964c0710e65295e975a5b8af608791a0dc9d595da38b607735330f2
SHA512 d553ca787c7ea912e9267eaca9a12dad78d9716a33f2b9d2e33f29a6fe9acb0625a523d542ce6a144de8aad3e6416e4c816494f994887e2537fdb49361dff299

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 05225941effe1d653ca7487b89e94db7
SHA1 64f2852a3be9c6ac8288c2ee7e1d1c09bf6d29d1
SHA256 c9b51a36ee3ae8394bc59ea4041ffc033337279caa303fe738e790f0f052bbad
SHA512 6f9da82b4913e2dae4de5fd63a727218a0a85226275c06df371ba37fae3dc179c77a24bb4916371f390d21f9c7c4b7bdf91e5c4304137196b2302b0162b1b510

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 96070ada6886d66fea40c257706e735b
SHA1 d9d6332b2d1e4806a6e632be37412961d77448a7
SHA256 b535995c06b047849e7d9a851e754ea745dd07b9fd7ca917d76395ea0849034e
SHA512 bf523e01faa3302ebc15ba0278f45f41814682a93afcfee4d482d2bdababa6a264c73b7b46ffe90aad7917322d194d58a5250de1805dae047585def6ec770863

memory/1824-1693-0x0000000000400000-0x000000000041D000-memory.dmp

memory/8-1694-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 19:46

Reported

2024-10-20 19:48

Platform

win7-20241010-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\ProgramData\dYEIYMcM\OgMUwUYw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\hKIYAMMA.exe = "C:\\Users\\Admin\\HqEkQkgA\\hKIYAMMA.exe" C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OgMUwUYw.exe = "C:\\ProgramData\\dYEIYMcM\\OgMUwUYw.exe" C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\hKIYAMMA.exe = "C:\\Users\\Admin\\HqEkQkgA\\hKIYAMMA.exe" C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OgMUwUYw.exe = "C:\\ProgramData\\dYEIYMcM\\OgMUwUYw.exe" C:\ProgramData\dYEIYMcM\OgMUwUYw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dYEIYMcM\OgMUwUYw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A
N/A N/A C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe
PID 1964 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe
PID 1964 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe
PID 1964 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe
PID 1964 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\dYEIYMcM\OgMUwUYw.exe
PID 1964 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\dYEIYMcM\OgMUwUYw.exe
PID 1964 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\dYEIYMcM\OgMUwUYw.exe
PID 1964 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\ProgramData\dYEIYMcM\OgMUwUYw.exe
PID 1964 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe C:\Windows\SysWOW64\reg.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 792 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe

"C:\Users\Admin\AppData\Local\Temp\34bbcb742885d412f02ea9243db181e00446beee94228835bb7f9c8c321943deN.exe"

C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe

"C:\Users\Admin\HqEkQkgA\hKIYAMMA.exe"

C:\ProgramData\dYEIYMcM\OgMUwUYw.exe

"C:\ProgramData\dYEIYMcM\OgMUwUYw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1964-0-0x0000000000400000-0x000000000048F000-memory.dmp

\Users\Admin\HqEkQkgA\hKIYAMMA.exe

MD5 3963db0b69e59aba8ae7c4f9e49bf4d8
SHA1 f8c700d64cc87dccf99c95139a8ecc4aff8c5295
SHA256 b0afea15c3f8586d6c2463c7146e6644dbbc8c6aa6790188b726cb69cad125fc
SHA512 b1436fcaa2854809266e8152454b1240da394ccc1a06d4a37f412f592cc86add45b81645014ccd14758c6231e7f23cdc93e0980af219f4f10b2fe466705cb88b

memory/612-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2452-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1964-13-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/1964-12-0x00000000003A0000-0x00000000003BD000-memory.dmp

C:\ProgramData\dYEIYMcM\OgMUwUYw.exe

MD5 7f0d6f136387ccfa814abbc9901cadf0
SHA1 7801641af2d925f6bea4dbdbe05f3fc92a34bb7c
SHA256 465c0f74d52df3f7b327ad113112f24c2125d93c4f6547159a8ecaf47cb948b9
SHA512 bef98b6d02674283ac7c146a5648e8824b8c74633ab56723a9d3bde709271cd1214a121012a6bb5c4e4d03d0246ade3896804e692ebd77df3add6eb53adebbcb

memory/1964-29-0x00000000003A0000-0x00000000003BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sIIwcYAA.bat

MD5 1955067a443800a38c952fb6fa3c6f0d
SHA1 a77648a274ee01db7711733664408ad2b94fcfcc
SHA256 fbbc7237b85b076f16daf17cc4ead3764243abaf867a2ed2f7a860efd05222bf
SHA512 3d199abd4f26b37ae940bd1180320f717ce07c5d0c71ef672112c3039ca3d3db9a0bc502d63b0c4f4277bf4cd6019b4fde649664c6b5dcf3fcdd5eede1f1e5a3

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

memory/1964-35-0x0000000000400000-0x000000000048F000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\hYAc.exe

MD5 b351c437221a1370a3fa30953e59399c
SHA1 a5e2cb10d645c6b5afb3c8934c1762cb638a2073
SHA256 8fc318162e4e144df32ff975145ff5e2d8aeeb8b3da6fde871b3dd86ca4382f4
SHA512 0571d6c9cb3dff2bca8471e1b7f1058e087f382def9111698571547b24e8c6637d934c1dd4b246f53119b6df12821c9c81a50dfc2ba2fc9093dc98a482459df4

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\ecAC.exe

MD5 f7ff21f4ff10ad2f14947ceefe48f043
SHA1 112b2fb0bccc0c3cb975ab5e5d3999fe098f3f16
SHA256 b5187e1a9811e7bf673946fd3f103604db9f1882dbd9372c677c24d667eeedbe
SHA512 57ab6288ec5fe761f1b4e00a798e9c2b943ba07ceadae716f1434975c20b067010a2af3e3102eff5b04662484620562fab515fc2d4af2c337b47b41b5a51fcd2

C:\Users\Admin\AppData\Local\Temp\awMu.exe

MD5 0c362990069f30af09cd185d9af40e7d
SHA1 ea8d6dcbbc4e528f3856883d0b1eca2e09a1f701
SHA256 047c528ef59acca9f40febb1ac5dbbc377fd7e3b6611a56c6564204f9eaf4c24
SHA512 74c5e90ec226801d63e36b014b962596ef6e389df886400776a61a81856ba01c750ed5f0d59c11f01bcea131dad874c904022846be8fe786c101a71a4a4f93f1

C:\Users\Admin\AppData\Local\Temp\eIcq.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 962b1d9aaa163044217a81bdd75d5715
SHA1 20fa14eb94cd6b993dd5e7092faaf4ceb655e622
SHA256 c244bbc9c1ea1e621bd1a1f5a6234b4a26f0d2b77f31b5569f26f4cbd296abf0
SHA512 c26153c0c0c25fc8d6ff1fa922aa6041fccebb33c5fcf090de940ad64f6f9ba2de921561e33546c680fb8c29b73e19f168242000c6ce0bb71bf48997cafcbf30

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a8881c07a3db66be3c3926a46088c36b
SHA1 0c930a9d15195bd4bf4df3afab083652453aebe8
SHA256 21f457684f3ce156761de187684a5d882cf55e7c6dec74c53fec374aa6500d6a
SHA512 2b4d57a18e09b6e1bfa246561648ec486b92bb94c2aec0b36738d95d698ea3b05c62a1f23d95fb6ceedbd99da7b85099088aa70e648a45be6f351f47e809601e

C:\Users\Admin\AppData\Local\Temp\rAgc.exe

MD5 db93daa85a011b0ba03e5102a9bfdeb7
SHA1 055c50b79170d98d4e49dc7e33ffddd831264a5e
SHA256 ae450f6718a5f8e16928a7f3b69867baed02e97b7422d0e246d5e3bb3fcaf07e
SHA512 9be9f46b343592b0ffc647631679cf5e17d386f3df0052c7c02ba35f0aed07eb8913d4f1b42bbf2c59e39c9d07a7cdf6ff9fe736fe9e3199e893136f3787f7c0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 657a23388de12ae2c7ee74630cfef01b
SHA1 18b0135c0d895f8f5c0063ab690d46d21ea8266b
SHA256 d00fbf65068f0549a41744c2071286582de6e6d0881df9218458bc3400e94d0e
SHA512 205c33327551b21dbd26974f34adb1113c3ad1b657572f4620ec22d2c55523a83cb2b45dce4888ef62463bc21eb8c6cab810ffb8704161481509afb80377b30e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 d913897026d7e6e5100c0546cf4313c9
SHA1 9108444ae16738de91504b7a847b5affd1e5af07
SHA256 6aa26fd459e9764d09954d2ef6c15f638bb4caed7492e06a5bd59e62e9787def
SHA512 97ee42da649adb5af33d58da5a77a8901a9579789c5db1291eff1a7c8252314db5a711cf4b152f509f02862764ec7f6a6254c20c681fb40cddb1a1943dab280d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 025272d4d5a7e246d7e1a23300f85fe4
SHA1 c74f780a9292f560d1672abfbc54a2a2d47616bc
SHA256 8eff80dd4d590e219e08e63ea9972294d5e65b0d0a9747079595967a9ad1e9ea
SHA512 86c328609b7a47ab0fa289ea12488bde76b916a7e226706b25e9190651bbff0c3f36f233097006862560edce2e12a327c157895f201241898abb79625d881fd1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 0f221e966f8b5e485b7660eecffe82ab
SHA1 6ee70415a7c03f9a02aeb31818ec38e32dcc91b2
SHA256 af58bcad1946ab9c4d07023f1fdea4adf2ffce93840ba9254ffd4dc1878ae29d
SHA512 e0f7453dda3f52815175321ea92e0231fcde4a8403b2a961fe03351623003b926025571af8cd2a3833c69e563051fde28c4b4cc1e578c74228c8bdfe44eb7a67

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 fd407e82e2367ecfe6b384bc8604f27e
SHA1 bd983c27c58fdf0e3910230b4caf20427ca483cb
SHA256 a784c5fc888d517d17abd43da8d96c6fa397e9641eca7092dc829345822a4a93
SHA512 3d11e76eb65c0dc430adbcfef571667784e17679b6fbc43c692010bd3bfad1e2077ccb0c1bb460e1637bfa1e38a14a36b1d5b9860631e9ec7c27f6a20dd2107b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 7769109fb43b9925f92ef6b972a6053a
SHA1 665800f73bd02757f6bb69320bcf23237040b4fe
SHA256 299f5ced3ad5d1d9c9bc2ca1a91c41c6c7980032dc44df40a0ba26f403099b9c
SHA512 0416b5bd8bcf82636aaa6f975338a9a06b597e9de79edd30113e1244ebfefd2ebe192a357c7254bb411ed25a95ce04ae0a2344fd078f1b991d3c9fd553af9a33

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 0c389da0fa98ac2cc4a34231f1977f94
SHA1 37b95bf6b89ec3ff45c39d50af506a2f1721b7e3
SHA256 e8fc70ff2c8528f834947a994df1d52e884b4d1abbe64ef4eddc7984728751ed
SHA512 2a099d279edbaf4b37e79848eb7ed1873ea3e3fc8fd6b91da2aacefef43863e6f672253122ebc4a93f811fc19135b173547de6e7bc8dbbfb39ad5a615274458c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 d1515fbd20d396ab249aaea6f6787be3
SHA1 d1549936e0b89759d119f77df31e5d54b4f8d0b1
SHA256 3e56e8facce6b7cfb62cd888c27113e0b09866d00b76606c9ea76f98dba0718a
SHA512 fee1a48c38f0e20f29b1f1a1094630be41b29ffbf53f49b645b63a64ee7520b60abcbc2a9b99e3226f002d3ffd36d125abd8cdf3beebe042a20caf9276256b90

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 b23570d6d40bac0bd8bfa497b22a1064
SHA1 aed61a454f36db097fb359af0bc0bf5325f35236
SHA256 deea567393231a1e7ff911e205377cb3f49375bd625b954a0c84de4130560372
SHA512 6c50d914a58cce781839babc762660a3d183ad90eb2d787ba7530f149a0c1d632efd0c92b11e4aa2d31a9d0206cf4501bffde7372cebaeee14539bf2ed0aebd7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 45d02726b19bda2c60a40071eac35e03
SHA1 fed4bd55676ff4fe5a414a4395f93b17bfc8b3a2
SHA256 98f72996dff5b0e8b8a0cdd5826a32e40004d18c370a14aa0e3c4691ae8f546c
SHA512 4d2259fe60c02ab18e0c2be3ce59d50ad6460b19068ef3bd849c444525a8807013f2df8f6f76a7f48bec31e7053b92a167dbb8ae37679b9f1fa0e22d2b8bc066

C:\Users\Admin\AppData\Local\Temp\mooQ.exe

MD5 632ee75d90c6573290a52285d1808e7c
SHA1 2ac8ee5832c6bc621fdd76366480691620ec534d
SHA256 b1a20550ce39e77a0c538fed9cdf7851609aa098213afb0a5e4d0a110085fe56
SHA512 211818d128b20b8e787cea84d80e796e499f3cc6fd28e7ee4dbeec390291f3eb9d1fa3c8cb8b5747a6b88ce47e2f56bdc1d5e3fbf218b5c87f300c65aa7a5c11

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 cfcdf1d010120c5f34605912dd9322e7
SHA1 4ed9a42a459365e3f399d051c6df7e834d8413e6
SHA256 d1fc0f31b9139edc11b6d52d7875adde773be3dc26617cf6ed167d5a27a5c39d
SHA512 016d69165e7925d727063682f21404260d046160e3bebb71ffe0449b45802f2478e9d409a193ea8e2ab7787ea3aad5cdbb1e70f6db67327fed086318c636b824

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 ff170bfdd821d3a4b87badb4d0e89571
SHA1 54099b1f051dd84dd19a5ab7225058bcd89e63d9
SHA256 101a49f299f26130c7924f46789e845e64ac606250f08cb3a6b733bb89ef442d
SHA512 8085ba5edc3199ae58e3ed0914147b01599830aa20ecdceeb4fea14294fb8ec850093637e011c1b9ce69549fa2033f846a26c997c5ac9be8368282c1d06a9d06

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 cbd3842da2aec3265f721fa3b8ba7a56
SHA1 30103ddff4100875c48fa93b4df424dec097ee78
SHA256 baefbad0f5646cd08a8f420183c127c92acaa4b143b953634732cdf87d933f63
SHA512 d6a0d61d83e7d6c7f89f404c3672f2e90b814d277811e1e75fd1bd190594d5d9aee3069ea996ee9293befcd347f40d81b71c8d5a230368a15e9fa72a8032303e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 1ac65bc473878d95ec7aa6a741f55cfd
SHA1 4760f1b2c55041abcbdd7f86b21ac954441f7fa3
SHA256 f81896b8af991e7716aeda9d04aa056fc553539a731a247314b3f94b0d66a1ed
SHA512 d0775fb7009c9b4a45d89cebc51b91a2c1286dd9eef1d1ec8926c4d778622d45ad87b2ffbd186facf8188b56d675d4ea2e90e9f8c3e89f4675c133a9e6b770d8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 280e7171680e9ab8f3c1ec0a9902dd2c
SHA1 568009a39ddfa7fce4a5ed8e3136dd1f11362fbb
SHA256 7b8cc71ba129688580cb3bea39ca0a2714a1563bcd5644b5ade40e9eb4f652c8
SHA512 14e20350fa41db839c0f46839d9cf8621c4cf22e9ac2697e6b75f70f9d08865276c0c66be768e802ce8351656afb16b4c533dacdd241f3d6b82d29764fcced43

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 b970f2324d58d457774ee5e096707d97
SHA1 5760a9202e351b33e3ae2721fab4154cb2179c18
SHA256 6a1968ed89cfcbca71819ad2a9ac77190d01ef9fe8c03caef76e1470bce4f334
SHA512 7bf2f7c5cee5349d10afa4ee224cfcd0bdbaab5481f84730489e98e7a2932205e5f878299aa2617fec071824853bbc1f04b8de3f565caa48b0a99602ad51c2ed

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 922ab42abee0d3c86664d2ecc9613fb4
SHA1 9c13a2436e3bbbe8349b02a66f4ffb39e335b4dc
SHA256 7d326562b12b79c479604420925730948544ca7961a4191667a973ddb7b95940
SHA512 19a62d1bd308370794f50ce13e900f91a6a2ff9a2ac2908c22a492adf16d54022cc79bb1e724198ac611c4f663e003b0997405cf57a460fc6f0302951b624d92

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 1b5c3dece1ec1e4a84727f22a4643cbb
SHA1 ad3f85733a725370f167a7829c96c7ff61c38c0d
SHA256 4a64a4b246369be2fe3340ea14487ab18eaf5aa0db0a68fe3ce6262bad59bdea
SHA512 40220c58ddb09b3d79f1f79e0ab05724aac0fd3d6e2421538b6d661fb5ce6bb456d5e17202f4843f4bbfb6ea6afe1f91ba68697e9f619b34eb731965cf5f2724

C:\Users\Admin\AppData\Local\Temp\fckE.exe

MD5 56ebeb9caa70225a60f59aca1a9cf7b0
SHA1 b863e4bdaaeeb576346a7970cede60601525d03d
SHA256 3c951fadb9a56f07bf92b3fa27c24969e75772225fd7325d8de5de0d611f71f2
SHA512 1e6005136c3c9c5d40a92db4f355ee96f18cc609b19075af0cbcc9f90782ab1337c33498b3c9ab240a45771bff5872b63190ca403929879abdbd095874707069

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 caf38567551f7dc4e7472ecf524d77db
SHA1 77b7ba6843b41dde3dbf53003236a8e71d370d58
SHA256 86a2c205f4ab54b7ce82a4354a2c046eeec380ae586563420c058ae6a0045923
SHA512 efa29d6f44358e50ba337d456c41f08fa9257a23939f82c7e6ee1ee5c8371697eb278081a1db7371f528f02f5be324c50ffaada901d16e48415750e95c4653f7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 af56d5f3632adbb9b74f52ba966490a4
SHA1 2929ed59515ceb633a3c3230554769db7da59e35
SHA256 47428c21a05dba6d18a1be11ecad3e479b1bf8e7597890dd6926aaa3cdfce144
SHA512 0c298fcd979503be6a08637ef344de1fb276028c6f3faef67f25cea8976d781e5ff3b555c2d352b39ff327679cd2ac767caf674c4f1ff0924c509b781fb34fa7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 b1f40ed993a6134daec221ae4c7f2f7e
SHA1 229c0369541db0d2f848dd7695a38ed4938e9e9d
SHA256 432adc9ab843ec551db0538de3e43b27f67067e77eaa79495def7fd3e77e5b3f
SHA512 1071cd6562d92340d0b52cd60b967b98bac0b44a257e36e7bfb1fc0af0ca440d04155b719414b1b8a39b68ba6233fb1c7698882450c322cfb672b277d6ff2f53

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 1d9c7c74b5a3bcf81060e67865682e3c
SHA1 620059554cc974486f6b7fd2b8870ee3ecbc3034
SHA256 7470ba3442527f53c9ceb0feb32f60ed4e2a4b54744a9138ab2d66afd3fc24ff
SHA512 645b72db785e4077e3def01376146c9c72bb208102db60ddfc8ae3996d176cd403e300d3351009349de96267d0bf86ff325d3ec2b2c44d5b54a5c99c49102045

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 0b0db62ba62a69d244e806495d77f46b
SHA1 607e63d99eb4bb30a88a820f5e3c35ffb086160e
SHA256 6468053625e0c2db95d9abc217dc9bd8403e3d4c5f82c823b3772634ad36d896
SHA512 92b6963e3423998945c8b7c6d194dfabb84a606fad6474a2fe750696bef9ac6a76a2057ac8087014e4003f9cbd3d908ff2dfd533c01a2ead1d75b2d8cc101a3f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 491ec7ad96bb231b6e39ec29a481a24a
SHA1 a162cec49670f4eb6cbefc943fc1e3b824e5357b
SHA256 3b79c1c212974a46efd65fa9b9d3904befa69636133d38c60e9995e7e7e0b64b
SHA512 de205b387a5db9f67c478e32933494d41b0157795bf48713a606a9bd23a37c60f50d16f66274f7f5f32d9ec89f37394e912f8da4f566372857b0f654a26c35ae

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 0fa135e983cc1794a310c833b76d8356
SHA1 3b18cb189347f16f1bec396552e1b25f4e7f66d1
SHA256 c28397cd759c05f0fd30874f5b6988881cc0a00bea6127fc4d3a638ee69c6fae
SHA512 e01fa79d775ad9cde20080fab283a4e43b3ef09f4942802573ac42534720c31dc8f91a0685d8cd7b4d2f84759f2c163923100e87108d5738e2210f8778f9bf88

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 d10bbf14b0313c8e4e35ddec98dd60d1
SHA1 b3b47b586089761a7348e593a154aa3a544430f2
SHA256 da0f6bf6c02186de94f15f0dc922fb9b6ae4205f459a57b4122642135841d823
SHA512 1bda3a9e9744a29ced495b87ebdf2d99cd3ff397c38af0d2257a3e6d8150268c67fdea47b73c20a5e868ea198454ac241d8c507430e57b3d04d8e215a041636d

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 c3c6c63a2d74b574c72e63ba671561c5
SHA1 aa517ef6564b9ab03fc6363170fa631b6313803a
SHA256 f1f9eb19044258089a9ac715debcf0e8cb41e8c239edccec2c4749bd762655f8
SHA512 21bfc67f0e670ad92d5ad9081ba3baf076e4fc0ffc48779e68feb96adf7d7045aedb93566bf1fcc28e0f32d96be6cb2710286ad0e7f36a5709163c58777150f6

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 d5d17ddc41d6137ce294aaaa0b53520e
SHA1 2595a78c582026d135d4aa3a701bd628c1c713fa
SHA256 b95c9acc0810dbee4ccf5d2862bea44721da3418ac1defda541ba4f81cba26cc
SHA512 b1b0792b973b392f0f7bf4d2ad2b35af95ab6983301fcb908ca61ce9fd08bb2ee6c96586ff856bbc3fac215b7ee270cfe0ae3f362987f09f393138737867f244

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\tMcO.exe

MD5 041546769727317be81d69f7a88c6979
SHA1 a66345b20076bf870d889cce46d85fc78727d200
SHA256 b4122e02fa1691111c7258d7e9fbc15ab7c3c0e63015181997e6a645af407eae
SHA512 e2710ac56ca5568641e72027e5a57e3ee277cda9b0b3b7b2b2b4742c5ace461711548aee22a7f49c8592ec3f9d1ebac0e5363364fd21203e0aa18df599f077f2

C:\Users\Admin\AppData\Local\Temp\McMG.exe

MD5 3235acd0da0b6593ef11f4d443a37f78
SHA1 343fa673589bb2340927655d519232efb132d8e9
SHA256 a0ae7c99a1f52b586348543e2f8dad11cdfd64a2a586166d85dd788655462068
SHA512 3dac334b5ba127365cb172fc8ee75f8e86f7741b19ae2e748a78113cb8618444c33ed42e1b81e76c4971ffdc9c77f10612fc0769b8327a23a80ec6e71df1aea7

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\Xwkc.exe

MD5 112f1ecbcea84d450ec6137fbd64a395
SHA1 845319cf3b5612b0c7a6842e742ff4a9d6fd1240
SHA256 6435a14b44b3f89d354438a9010cfef90b07ca65ba7e0086b0a7d99ef493d92d
SHA512 353382a311ff1d7430cf7fa4c233db831daddd6c28fa8a1b40ce639d90721f532acb798e74727dd701379faaf9bc56d375b3fc11a59b9fcc7f4ad98036ac9e16

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\AppData\Local\Temp\mYMe.exe

MD5 9135233eb4bae9a7ca0b385438a3afd7
SHA1 01db928c074a2c763cceaed58e78549af3a58cce
SHA256 347a741172299fc4b21835191cc445af0479be762f72736be2e84a803a4de163
SHA512 1ed2ca94df19104222301728be5be0a290e8baf937b9d36278540fb8f92097474a911241e4c4bdb82b7ab759b4739cdfc5d8cf9d6c93e689f3d7256208000d55

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\Users\Admin\AppData\Local\Temp\XkAA.exe

MD5 6b1c8652a655edfc9fdb1af01d5135da
SHA1 c27aba5a6c85c5740cc9d6160b9c61a7d986db47
SHA256 2f368ff2a7aa078efbbb83b5f8caac6b7f62490bba680af8594cf6e82efed257
SHA512 6e2c06eec4e4f5511e0aad48946a501c543135be0f47fa55bf9cf5e9f07d45fbd01f8f3b3725f061111621967854cd299fbde3ecbad73193007c0fe7eb327a32

C:\Users\Admin\AppData\Local\Temp\iAcO.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\JwkC.exe

MD5 dbb4619c580f60e7c449a9a9faf4f4b4
SHA1 1d6a09795fafa913f462a5223c7740451b78acc1
SHA256 96740aaa7402eb2450019fc728384d3d6f17b3caabdcba3d791266e65c963f4a
SHA512 1de26bbcd03ec56c38cae96749b70800e6b2c9b4103573a903757868df8d5a2d8e02933039cf9df58b8df6a647c13a0672a5f4286d9b78afc256861b67fa1af8

C:\Users\Admin\AppData\Local\Temp\dUoM.exe

MD5 5d0e3416a1d0135578be65dad9c2445c
SHA1 ce3bb1b9c457128d97f2356231e3369e4e2eb10c
SHA256 ff545f55299d8c5216445cc038597ee60fa5f10e1c761c8b8df53314c3f24430
SHA512 4a4d6f8ac8652b9734c6ae35020569008483f6a025acc1b7b9fdda8c678f6650ea74eeb410d3ecbecca1340ee5cbd71daada6022e1206a0912a5cdcbd65cf69a

C:\Users\Admin\AppData\Local\Temp\BAEk.exe

MD5 40e66078735b461c24dff514e05ded07
SHA1 8bdecaaea263fe278ac669b109c676d99d9ca8ae
SHA256 758180e96a7d5184587f83cc65c6a946924c425e79704553e9cdc5363f738b9a
SHA512 844af21af95279ed063e99c325018670840ebf55f2191dab6ab97ef7ba16a34ba5d90a74310e0ac76ac2cf5288fb2886ab1a18e216407c1348f4a61b2a5c5579

C:\Users\Admin\AppData\Local\Temp\rYAg.exe

MD5 ca16451c57356ed495cbcec12037e783
SHA1 a5c8befb6c6315ef12b745535065e60171e3a1d5
SHA256 194185d4f09c6c6ee9cc35d55421527ea01eb54e0a474ca55311b3507c976226
SHA512 29772f80e661f31e17dc8f821f412bba0d05810ae47bed5b9dee7979a42f6809c48b0b337c088f8989f80d5a9207131bede3fba153349640918daebb3eb8b47e

C:\Users\Admin\AppData\Local\Temp\NIsU.exe

MD5 1632c6f07889e39a7ad63583c74bf51b
SHA1 cf1598b6dd30b9de7aef98207937909da189ea4d
SHA256 3a3ccfd66f48a8f73407a36cf7048d41ea04d3fd231f79fc81ef5ccb3eed6330
SHA512 18645827825a909df5edfe8e1e92a3bf8ffbadf41b748914357d9d64bf80b81361574dbb1e9a4f67b5ba66e9ea8719e11823ae8d716a0949f5763503c2bda106

C:\Users\Admin\AppData\Local\Temp\QcMQ.exe

MD5 4370f2d78049cbc68064332ad7582352
SHA1 5351a9f9326293d0cac51ba8f6147ecfbaba1999
SHA256 bdc5e92fdc9be3fe2420966b4cd43660199aff4d2efafc23ab06958a3fb0f246
SHA512 7dfb1fb20257d97822e52b5944ff60288da0daa670c2f8c1709fbbf941aed470d32acabe0c2667cfb91e8ddf593627f148e315edb479a0fbbb5b2feeab05b97a

C:\Users\Admin\AppData\Local\Temp\sgwi.exe

MD5 9619d622c37257480edc9e4dcb352960
SHA1 f3d7a4725c6b085b97fd8d4b4153244586f00e34
SHA256 48a575f0d509c6acf83a98fd886836571f2b18d26ae5e3e443f56abd48f23050
SHA512 635ed48766cd03dab5de8d7ec2f2f88db1a19c3f1a033b47a0ffc2d88779875d11c1bfbb6ebdb6498952d091c882f8de7554d40e66a1a23af99cc283a0c230ec

C:\Users\Admin\AppData\Local\Temp\PIYu.exe

MD5 570779b186a1019a353d1bf6e13389e4
SHA1 3ad4674a5f870ef30ca743e3aaa9c2e043272b22
SHA256 ed3570158fd8e77914912eeacc944215d1fa66bc731945727dc3eb2eec3652bd
SHA512 ef5f45757ce2f0a4465981f98920afb0090632f2939fd3b091f7c8f952225281a7837ba988e005dc174aa1ce7f6589b25a2e659b30723a5003425f9f235a171b

C:\Users\Admin\AppData\Local\Temp\RgUY.exe

MD5 8f320c24457249d8d2835ecce8d2fc33
SHA1 be10f43d4df165ecb14c9d52331bde30cc8a9ac8
SHA256 d683b9f05d75dd4f39bc0bb10840d1ed452a51763574829e5ed1723a178204f4
SHA512 d7eb5542efffefcaa28803ada9b81eccadbbae2b5893e093af86f31bf71a8c7fdca48a30d71977805aa93ab75fc9f4bfff8c87782e97978fcdb7237a8a40c993

C:\Users\Admin\AppData\Local\Temp\MMgw.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\ygsI.exe

MD5 04c70829424d13db4c04a35c4caf7628
SHA1 3922fca757fb9a6f3e59f21a89af39f7aeaa9ad0
SHA256 582f7a8eeb697bbcdfc783f28a34333692002082e1fbb2f2d156e57e7a10d1cc
SHA512 63e89eed8b67916023b0ffa050c1e66ee47a67dcc4d2fd310cb2233f8e5b8bbb4f0e29bf060ed4d238d21f5f602803b00cf8a375f70a078dc9e2db826adcfd38

C:\Users\Admin\AppData\Local\Temp\zoki.exe

MD5 6fc43cdc6a920634e03f16426be031ee
SHA1 5a1b9b5a5c042d323c3c4dcaaf6d17c2ba1f4bc6
SHA256 b40d457b30730fb627d6be3096ebbf224b0398b189b5cdb8f6e48030feede74f
SHA512 947df2a2907950a757af75c708ec592e631169f7e4873da509d330ee8f586c8939055e9d66fbf10d9185fe3b83d1419ee08e80d7966e2cf83d176d0bf2855600

C:\Users\Admin\AppData\Local\Temp\zMYS.exe

MD5 89c179a2cc35ed92c78607e90c539a7a
SHA1 d521f27d96227584293c663185cfefd238c75f7f
SHA256 536df67c0a165a7f2c939b8860c80899929d49d7b2427cd47e071c05e7ddb279
SHA512 afccb8e1ab6b1235a16b80f4918a4a9e4d7cd89fe54abb28e68cca3c753aaacf804c38012554bf4f401bb48bfab318eb70196d4b13b74c40211a7a451dd96ad5

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 2ed62b3dfc7243bfa5e7e73d8a893ad1
SHA1 988ddf2913edc9a66803f9c80bf4bbf4985506e5
SHA256 370ec5b8df3a48822599f1edf14ab955e35da2e40ac96960ca0a5c6c6caf515f
SHA512 4c3424fe3b7a3e36763309c02c461c6ed1988b533bbd84ab751a75b56296a5ac2f2937770ae95ec8e47c3106fb2a287dd726cf0fb2745638fe74e8eca4a05ccd

C:\Users\Admin\AppData\Local\Temp\cUgW.exe

MD5 dac376c2e6187ba8b6973e3f978e0930
SHA1 f778a6c0be9a4360b5eda9f32a18296f8ee63bdf
SHA256 e3a2f6250f282258de71c398e0cb5b5e106004b4f106c1f396035f41d6d98f44
SHA512 3cf95a2f1d92a984c1062a4d37f1ce45c9f73a69e32f3701406e753a1d85a3f3e0d6a701cd81738dcb6aa08d6bcffbdd77f45ad8123a78dd1513c5397cfe82dd

C:\Users\Admin\AppData\Local\Temp\QYQW.exe

MD5 159c44268bcc17f6293e18a795566a0a
SHA1 025be50e52cae3eef157632ec8be70a3a14fda8b
SHA256 b57bcb894eb573e4a984461075191e33492349913da8014cc1dd830c1b9600d0
SHA512 70bad61de790fe62665bdfa63feb9d8cbae5af28528b7e713d8d52019bb4f04fa8bae14bc249d0e8dbdedceb713cd7f3b15aa8ffdd49376bb8116aa05ab1424f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a223e8cfc8f3653aabe68267dd03c8f6
SHA1 337a9bace3502c539a1bf7119d1295d8c74c5421
SHA256 1118415ace2f2f40fc0d71e6e00675bffcdebec6da1fb9529fe47776de2abd72
SHA512 2cd298154e68f561dd55b1b252fd464a8786810ab0b56f308fbd22be03049cb7322f2ec7ca6f171d06e5db43a7063887165b09c19bf3e5cb56a87256460fe82c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 4ac86a649eecc1f71d30fe6b3368ff6f
SHA1 572d02829c73266c84b8e52cf49637f2536e68d4
SHA256 668834c3fc8f435537cf1862a856e76e10b716bb6a10cf44d4fb6e84d2d0cfdf
SHA512 6680186e27769d99f60333892cc61daf8b74f70cedc541bc23d6bc45f618e1becc31d2cbdc0efc91a1a7bd8288f4dba67ca85a39cceef34e87551425c65fa0c9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 ad85315142c6706fef89852e4a463a17
SHA1 d9ce140210edfef6235a14129bf96351b3d9c0b6
SHA256 b65422bb1a4d1336f613e4ec606096276f3953b4ec5119eebc56f895ddee1b1e
SHA512 0ed932ec572b9f42112bc2d94fd59f672409b3d630183d38ba59efc36ee984d0fba764ff15094fecc6cc487a32eade9ac8b7718b848e90f10659c9e66e181efb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 841e6b83bdb984578bcb518686db6d7c
SHA1 afde8147a5a17f462a17e0ffc22a43e703ee0e89
SHA256 af17dea7f1b7af8faf15bf4a4571a28f6ff3e6a8c609eaa3d3b981ab12a92fe1
SHA512 36e5e2553e400dd7fc8adffc2f4145b5ce1909c590a6e08b10c80736a50ed1ffeb7bd16e1ceb413d5ee9508ff2bddb9e1fc0871d73478091176d19996c2e6151

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 5b89abfc8085dc41b97329a22a744500
SHA1 7b9a748e22a8d8de698a311640f4eab42316882d
SHA256 b24b7b621586c9d69481aaf78b9c26d0ad2cff3993208e9dc139f17176bed9b1
SHA512 d64f6db50ba9ea4137c047beb661b4ea05e09c0efbfe44746eca7d6a93579571056ee5e3fb4fafcaefe253a33bf41e2f3b1021508246f3ebe866eca49f6a0ee4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 cc6af0f7dcb0804e9f75111fe9aab488
SHA1 1a7285eb0b98969bc68b7ed91b2d60635529e298
SHA256 546b0b56f1c92913ffe03fd10cf137a6d3d683a1cb822fc1a8ec885471c09b02
SHA512 4592f88ebed7d411383e98afe4a04df77c36042b4c9c7142a53f38c444d752b98016b661f1874bfe819b9c90db814444347ce816e5cbfcc28a1717afbd45e348

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 f05dfccfced2e2a526a7721ebee46376
SHA1 7095dfde32c6a5b5ce24c2c5fe36dba4d7a26f8c
SHA256 e687a2cf30d7f831aab1a6959e9887f158aaaddcabe86b3e7003c6e0b8550636
SHA512 ff3fc47b5640d636d791eb6e9996ca4534aa1281423e0324b050a77d55065fc356ca54ce8945b784bcc250fab55818e8486994212182e39dbd27ad1e5d2cfe82

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 3c581476cfbd1f50d65e159ef612e37b
SHA1 dabbe06b67a00696fcba01da239d33ee03063708
SHA256 f3c79269db69bb4a4e5dde877bde94379cb934c1d1e474e1ab0c5de22018d3ee
SHA512 d6bcc6732553f65157e5bc696a36d233ec907952470f7cf2ea3dd5dcf3a33aeda0866a66dcec45479a8590b308d1a394442b9e0db7450398ec6a57750c0e4691

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 0d19ae7cb22cc292e4ec4818164237d1
SHA1 183ff314bf481eab5321357c4ba94bb8357b718b
SHA256 23050e3e16768c696e619e554c1b75d608faf4f3bfd63b522dca740ae16f1b13
SHA512 95bfc4ecf2b196d71794783075023c755e1f5785b17ed68e73121570fedbefd66bb2708fe79e0ad400daefbbf900b1ff3a53923cb5b28d525bf7ca794a1bb923

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 1acb8d13bd2b827869ebaaca6e57b818
SHA1 eb952a4902ccd2fb78ec10c73985028ee898f6f9
SHA256 1b390f076ac71a658ac89271ea53a2f5b4f98a4226f9b5ad18f8a591cb8b3e91
SHA512 a21972681cf748cfe66eb8cc1e45cd3205ae79aabcfa03b35daaade19caedba220cb1a10710b26048200b2cf8a04dd1c4e309db6db3b5976512affa66b8031f9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 89c8e2df96ab4ae6e94806312755b7b8
SHA1 0a6cb12c1390da35b12d01893fc09fb21a72cc51
SHA256 0574a5bab62b3c7f270f7a17f51aa435e0c6fa7b3197a78bfe3d3221ac8aefb5
SHA512 eed2acb2144daced79e3f68127892f9e1e212000d11b77ad59312d4fdfe812eab4ce6b371f3b52897374392365055dc4d8b738738aeed55dd8951f2f7133dd7c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 1b054774f5db09b2d657973014833b9d
SHA1 1fe0569813cec70273e091d5f987be9c5e823ed8
SHA256 e14dc35a98a6271a7278423d6b6268b4ed21c656f7336a51e434ea071842f3e0
SHA512 8a29f1b60c38a14942df15b26135be46037da5b1ccba778dba46d38a7fe34dbdd1b24d34d8e1c5fbc1dec3b6df7035c341f778b87366e51abae6880e8ea2b358

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 21d495ecba1f901a48af59f0cda3fa66
SHA1 6ec4d1eb5b00e08b87ba68d652a416d239635c75
SHA256 e6f13bb91e9696726581bb7ae938135b85923453e0dec3e507da22945753ad9d
SHA512 f3dc9d25cd5cf00bd32a02e2cee79b72473c118ba78c74054c34b3c0bacab9dba220028edf621456a16026d395c75524f8b28c318a7a475ea56f4b417460009c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 d827495eedd252653f2b071c73efcaed
SHA1 2b7943d85a531fcd77b92d705edc55c2c0db2007
SHA256 b76c3c26c7b09968fbde4a250f9144ab165b9b6035045c7cc22a33eaf22590d1
SHA512 d138b668cebe5ded0cd1b6020d45714c5395607beffa40515c1d83dbc03a73d67a518c01912f8e48c8561ff1ebb9128d808ec0871b133e119c3ad55902dc7d82

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 faf7437cb1268cd8e7643667d98e5e2c
SHA1 87c95ea39f40c55804ba8d800c6c311451210320
SHA256 e01fc54c66772ba40d7ad0e207d7ff07f98e111848013c37ff447326c0f24e04
SHA512 cbc2d448c1b7c12fb7dab652498541629bde0176c55fbadf703b07780ce5dd4e20138462b0868459f6becf8dd3740cf8873b33df12062ba5d9d5814b899131bd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 dc1aa7e06377def9814cfad9b5e64828
SHA1 d0d90e00b6a1c5edb1854066a7afb0d7a8c9cc4d
SHA256 2da351cc45bfa8f9cfff031363006e617e93bed84ba6d59d28fccb656bd1809e
SHA512 4998e8a27934fb4f003afc3fbce0894e2ffbf30a7e14e70507bdef4c2dbb14a4a45f636189a30390bdc221fbb0591587ed94375a2ce72ccfa025246869e6e7d9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 edbb71708b921e1d0a49d19e9fe4df75
SHA1 add2a5a80d2656c0a8ee5c0540eda105db8f80c5
SHA256 fe638ecc76e7287b3ac60f4e2781fd3cd6273877ecc75d675a324c2641ab2a73
SHA512 7ec3a9386028790c893af4dc1c5ed621a90a7676466f3c26f68329ae2bbbdd3d177a13ce546ae5a4c887a032eaa342667ca76fb15f3d7fc881e79cd983eebab1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 9d5d75d4f3a1591e05814ed563ff7d68
SHA1 32eec14538fe7b1d4022a6eb547975fe3fce0955
SHA256 80d25554cb5d636e543b77e80190468d8d02f6953b302316b7a7b3017f682e39
SHA512 0e2fe23a8f8eb3f8d1df605048a036f926723a497d741d938e25ec600026ab4e4b4fb712ec5a3ea581ce18a1b139e37c9822537009795004d70ce21bd484c4d6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 45b01dcb6db45e71eee9b0e65be3948d
SHA1 7ead77b1d4408a393f795e045bfcafaf6a254325
SHA256 9e4c37af08aff6964cfe3f95068ec9a029981c1b24f9a92bf2b26dc68269b9ee
SHA512 b01363038f74e10d943e0ac6b25d3627cbdbbc3918193710e9a39f96bd920091445930fe095fbaa5fc2c8d4e219655e573b7185367f84e36a5d036625308b6b6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 d31abfd3c4a29959eabce4b1d17e44c3
SHA1 5b4b7c74fc7f27c561cd7c9c39ebb420f7ce1bfd
SHA256 fbe04d9e0501e03a6bd2648fad0e867deb89736790f744d53aa0144174a07baf
SHA512 6da51265d286f6ecbeff2b0baa34ca8efd46457efa7e023f4e3d04f37e94f3cff8dbb8fde97a8f232475718da5844ece36591f3a62d9d6f51ebc818b39130b98

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 231055c24a0879b5fec821f9c5428d02
SHA1 a25e575d9e3f8db49833e3ce1a36c2c326632752
SHA256 a56cb3da3ae8af5d7a84014e60b29438f1cad782eef81add33e617b5c81be31b
SHA512 fba623d7d9e606e955bf79a5826c5b99ef333c58fa5670acb4517c08c50916f7b9f80f88223792d6a77c085caca0e78fba9da421612740d0184a0939a2f8df1f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 869feabf1c7393ec5782489bdcb50b8b
SHA1 1bcc82818bb962a0a1faa8c22a83dd9c627e4acc
SHA256 e1f7b923854fc83c71bae15078bc524e07b8642d79aea4c2815f9151adc70439
SHA512 6b5674631ebccd1c8897e543565383ee5a66f0f9a1b405afb76316ffa78b7d6ffb460c139d71a595b6de5e147a9e0a5498a737f5a336ac673da275e347edd3f3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 b35b00acfe4b821ec92e9e83622694b3
SHA1 3bd86b69e8cd8fb0cd08a1e5c88510d0389955f2
SHA256 a2fca90b5e7c75eb75f216c9d16341c5ac6063a5d6f5d862d271ce9dd836311a
SHA512 01821df0620b02e3c43f40cedd42dc46eae03b9271ace189d5b7a46717adc20bf3385bc07919018cf6dab80d6138f76ce02c865e0583ae5cff982b3c072f61f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 5c1cb78e789afc45fec903402d323510
SHA1 d724221bebe5ed143f542a5cefe190cfbe1bdd14
SHA256 e5048e5087c744d0bd5657211688f2a1b6df4a7d43e88b2dd45fff078c59de62
SHA512 8652a9413939409665149001bfe4f59fdc11ad70e86ad18517dbacf53007d569b514b25d0d88593e956951dc4f486fd06c89d5852c6647a44e20033fbbee6f78

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 172b2af9cebba6e2015002c7f4c79ebc
SHA1 79d1ad57903c6e773651a5aa2d880293aeadd201
SHA256 ca5296b2caceb57dd86bb6a3d7c7d6979721ffd652fccbc2e6ad240cb38252cc
SHA512 81328ad274e295d7dcb41a9c902a8ca2a7f7516fac5bb2b3718dd55a59959d0c5643d828899d4d3d9682af3848fdde1d26c4a5676e3419b186983ee9e72c3651

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 ded8289a99558b75566ba93b1160abe7
SHA1 bdbd3ba07094d070198dc9b7121a6268c1b2cc7f
SHA256 f418e225f1a793fd48c1e4e575e4c421c94e3e5779dfed06697b562adfcba2fb
SHA512 e80e2f48dcc0614cbc7c93dd0bad690312ac51ca0357a0a62fe8b9dfc25556ee43ae1efd052c15555553e321e293d10b1a36df3d899c573c24ddefb55ce5b412

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 0ed0e9ecc0d923dde7f8a5fbc2dde7c1
SHA1 13bcc4fa6e3d3fa9f466dc2f86c3a60c000c5332
SHA256 2e473d6b134046427eebeb322a6bca3a464b1dfbdd5853dc26d19e5e180323e1
SHA512 689775ba9fe70f902045e5f5962f33096f99217c7eebede1735f6fe1bd81d9819032ed8c8a7fe4402ef760399898f69ea646b3c49bc13e3a454bf9b24763395e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 453e2d15dc869bcf972aabab592623b2
SHA1 76188f25db9670c9fe626edda630dc858f315658
SHA256 e7780b5501f4287fdb8a4f8c9770da3218387bba37efe7537c498a7c35b78681
SHA512 455bf32deb48350acaa686cca46c65dff83458456765ace183c61c05e6924ca6b7c5ad8ae7859a2aad2581ae1275d6d9906309a0eeb97813ca289f2360dfba22

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 ba49ea166afa579122fb6baaa9c21299
SHA1 cd8fb590eaf0c8dddd0a2795c607ccb137b84341
SHA256 2459148195fb743cf33f3ebc7ab3935a3c5f134d90491619377a9bbcf53815ba
SHA512 8f58ad1ec5d6ab8ca913c7a86be9337ca9e8e5bca8eb659790721dbb74ff9718d3940189e65ed011cc14beaee742c9af9dd53bda4f00ff6e127ca2c75e19d670

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 eed6c5cae8bfbdc3aaa4093cf30fa8c8
SHA1 7909bf2761eb6b7f8003b9b2ae62ebdd6031eb32
SHA256 6cca42cffa6f2d20ef246d412c9d46553f6f076f7137cf5b86fcb0a3557deaa4
SHA512 3f220b2dfc6c7d98319366118dcdf8a86febec69f8473dd913a0fa4d72366af22161353692f54b4a2f786e310bcf3d8ec938301a4111c0d5536c68d74cd70d54

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 9bb956e538fbd747635253a72fece3d1
SHA1 95193d9d805c7a817df64ec914ad106c48dd502f
SHA256 471682ea54b221e6efc80cadcf87e1ae1b2061ed5b5998e21bb7a09b582758ce
SHA512 3003febfffc53b4620df8cfc6c4312e366113c4ed09e528bb489079bc5aee5ad3be4120d0258c5bf6fe1ad67aeb6581870d550532aa6523c132226713919e9e2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 64c14af9e327a1c8cf3e4aaa51425076
SHA1 fa310df1486fe067d0be54dca5b3e4dc0301fe56
SHA256 275a31b4fe70e2194574e42aaf911ddef6f69fb1d1ceddba83fa753600ae06fa
SHA512 04add4cf9fa3fa5ce58dce3bfa87e0b4167106b51ff59f5150bd154a99de91d60c4224d1f4d48fd91fac667b621baf13981ea6039b00e2723f6bd53ee781cfc5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 61bed1453b6f86b83876b00ae81a770a
SHA1 49c09829e1866f425df9a42c214dde3c0a63715b
SHA256 b340bfb947b9874e8e75c9c8014197d5d7da37c6faa5cc0951aa86eff30bf12b
SHA512 16f19e1947c7990f4a41605238b6c193983fdc6f1a72da5e0fd1107b184fb800ad6c92f16b38e3b31f8ba16768f4367ead797537fb5609ae493805b5e10a88c9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 cd6ab9855275575d64f390a45349f3e5
SHA1 093e7942cfbb758a01d21ffb337a5bb20bb4dfa3
SHA256 331491e472bc0b6a52b3eaa542d6df9b8848736d22971fa87925293bcd258af1
SHA512 5ca7e6647d5a7d0f209970fdea9930421b89d0a5cc57a557a53ac19987781eb1277a4f1579584e80530316b9977d282136c5fa69afe1643b93d44204c17750b7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 8143c2ab5b5d84901e08751da51eba1b
SHA1 5021306d0933aad3341068cc689eefee81aa5c25
SHA256 9617f212dd2e82a60689903710ccb1b91f8878693a013fa4016369da2239b243
SHA512 f8ecf38413055be032e5430be74eae829f94faebe596e930157ff58b03d492b1894365fa84bd9b03a026f65c45de95468e03af6af7a330240eaf427e8430fa61

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 e37bab0ac5a80abc8e4933b8a1be20df
SHA1 ebf05402e79201b605da9d09875fe5733f530809
SHA256 93de1869be1e45d9d16be07ba7b94b1a84d72f27d50a5b753d52153e37631faf
SHA512 01955dd2f5a8c22d992c35865c3c6e001c023f824b9caaf7d34c815f92b027bc5283ce63601fa9fca784e4bf88166fd62753e89c00dcbeef53fef55d1240cda6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 9f56a1a530b686a72099eaf9282b84df
SHA1 6f748d4db66add1286a26e6e0a59486a15f946a8
SHA256 59684978461b4ade59a266a2ee5491debdb7b90452f2f57b5d2c6fe05e3c7187
SHA512 739b776a7eb7679347e1577307aac7e990571169bc271e9aff41e60c064bfee31fdd780c5828e3743ea6b6c66aab459e9e7c0b7c99d573b2c0ef3383f9cc6f75

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 88966a2d2f929d7c22aa679d08eac8e7
SHA1 8e7f77353e29a6c1e64d77966bf35beffa277adf
SHA256 3f2bef307d54bec2bcb1e789537ab66b6d1ae045eb83e6a5459897e5fac34937
SHA512 0295d2bc1a87e14604f03db591f471b9e4bf20d1000bb4fdd79d9dad5f8e8fa7b0384957d6299a9944ce760efb60743690cd433d2f2936153652949112fcf7f6

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 6e4ce63f02782430413a0b3c0127b64e
SHA1 3f87809fb8c9ddfc91ae172c71fe30144cedcb88
SHA256 796b5ec16a7251e461d88741861fc5f92483ea605ac6a0884bc7cd2b5695fdab
SHA512 bf20da86ca1f43f4d18e0a52d0fa451648dc926d83966bbeb565dab5244fa943a6e1f84d90f464e325c080d2813d508f6a4c24a69730aeab77e60b38f6001ac0

C:\Users\Admin\AppData\Local\Temp\zkwk.exe

MD5 7991963e080768db076fe9ce84d94bb0
SHA1 05eec8c62cbc7df94271ea3cba5ac4dcd0f31320
SHA256 6c476f885a329e40ce7227b844c338c2d15fc07c7bd7d0bb486dfdc10f69b4a8
SHA512 e4fd23c40e8d145a4f124591b499f70162e84639e574d2e61c2a9f71fbb174ecefff717c123aa16563ca8bfa7967b227566a9dfc2216b0ca481f7a6eab9dd182

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 9a1ac1e7644a9c750d01f03ab9cc8664
SHA1 a1233ad12c5490dbb5154b135073860d9e8b4053
SHA256 64d22747de3f426f3738e06202d8b5ad3903ff4634b37211242dc81880266791
SHA512 40564e1040f892659bde6c3567a3daf884e1a29edb38234be878a7c263a718e4b3d9e60871862a95464d103de0ccb8bc764dd8b7bc1990667884fb828f493016

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 f8fcd30265be954d0b610279ed52b172
SHA1 a93a8d0e8b5f3cd8122a1db63a947c33cbe5f9cd
SHA256 b7c20a9edd4ffbcee6f125d510c6c9a74a83d0bdc14686d39451a1f57da7b628
SHA512 d8e7707d240015530e7f1d593134561fc4fd9e9094d910d3e4d9a0076fba4ba6162146f822beaf26afc3d9e2822ad10d2dd8535ce247804feb9d871432bf0264

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 aeada27e6aa0937816b67c8c32b5ca01
SHA1 a5161404cc950ea454be144182c00f5a03470314
SHA256 3ec655ba02baa72bdbc7dbb0d97de071184d68f27c110e78ac5e2b82d2b5482a
SHA512 6b8023ff669d448777650098e07ae226621c7dd4580b3d3e3efb78b8e9364d2b924893e85c702f32f3c1c6e963d864283c4e36b126f9d80e2ef891e93344db7f

C:\Users\Admin\AppData\Local\Temp\wMgY.exe

MD5 4d926d8473375fc28553f1dd2bd589f2
SHA1 94e6602e38dd5ed4a39371b8fae9ad78779963da
SHA256 37c199d821bdb976955e6e420efbac64b0e967c024f5a75f964d93e83a16154e
SHA512 1318687ca07f27ddf00bf88343de326ed6a7dd0dc221090596b66995e6ffa65150cea5561e47912c422010e30a26faff44af7fdbf0b638c569be1e8f384ceb2b

C:\Users\Admin\AppData\Local\Temp\qUAM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 a3581265bae43a1879cb2e1327362195
SHA1 d9c8943e7f7efe48d8d9afa7ce0ee25f8449f0b8
SHA256 a65b5fd4153404964dac4afb76b17aa2089af8aed5d7610f46833ba34b7b5b8d
SHA512 700255aacb2e67e145951269a360f07ecd39c3bc8fb3775c8204ee9be9826e5d67cc85d76953b80d23b7a83fbab4d9ec80cdf40a71070edddc5a9e92357b833d

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 50363bd4e28b3fc64bbc148b145c14aa
SHA1 a4370930e0507304b957d443a3873f79aca36571
SHA256 1b16ca89c4c86113a9315bdf23eb46bd09138bb1288e30c5e1d2abdcb1040bda
SHA512 7ba541ff66ffbd399ef5a9a0f9106e7ba450a4fffce89e83defb696b2fb85a667f17581aac42016a8853c7a8d08606622888cff55c88376104c198c86b01840f

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 e10a7a78efdcd374da1ba6768482a163
SHA1 979fea650f4f2c1dfd0a8a5d06f1c3e5d5217141
SHA256 7bed47cf9cb4242717a0c112f5a23ebff2332d177ee56b013c9049d1070d3124
SHA512 1e17f4b4c1de1eccb0b0bf1ba4a4d0ce94b0b73e46f5d899ef05949de1f91f03d9ccf87b45fd56bed6dea0ec41a2e0e3b2dddcd8e1bad96c5a8d42b038a06c63

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 05cc62b3c977a78a57afd40af40e9507
SHA1 f237662d6a02bf0bcfdd9b0b82354b3c6ca5671c
SHA256 b5a0a02e3bf1763fa81b02ee7bda4882ff61959c278826401926c44366950a50
SHA512 4a3aa3054a504e799c6e895b9755e93be2c21473f78eb87fb34c44363d080c9118a165fede7f323511ea71263c1e8241c04673be75893a7e9590f234ad3e4979

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 ef91c5b430ed87ef2c36b7a59b1c3029
SHA1 2f27fa19b792c6727805756c52635c2c6acf6c17
SHA256 f0f4e364633f4c4239afb181452cea02a730d73d888386b458b0d2fd16e65141
SHA512 abba752bd9d80947c7793279867a52e251651d1c66bb5d5056264f02b46d60a3c32fb3e8afe5c1c955b20a67c697dd9a679d0f1d1dbad9f9ee8dffd3bdea4919

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 11e892467355a681001fa4707df6bf37
SHA1 4047e4dd21324dbfeee548178321873e249a8d94
SHA256 052a06b486368a43383e7373bb5cb2904119331af29c1a74128b451ce930ff7e
SHA512 b4ae428a6c303105279e03774e79f47c1d129a70e7a099a2bced8ea85d98b5634d0aeaf1124d6fafc2c89ee4f293b27a32088da27821944ea5cab17733d7f20a

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 1c7b5d2f900eebf7a0c87e5222946721
SHA1 754eed0c3d3fdc99c87bc81ecaada660a1746634
SHA256 727d283dbe924b0977f0716d014bee128be8cc49f74df59b72132d814b39f6be
SHA512 ea71e99cb2d27bdb800d0e1bd5d38abbd3b14591423670315c8d34846ef8140b3e68546c996a3e48e07c4e250644261c33bfb7afbf333ded411752c7ace2e726

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 6a1b1ff061b6478c70cda7cb051c80b5
SHA1 8ece08fe31ef30517a793ea88575d7e54682e935
SHA256 a024428dc742bb200d882de46c69c118b41c3c82f05a324aa999f9d88c625e58
SHA512 5853137a410bb1acbf38aa251792ee3ef26a87c9adc177bfe90ddc22d7fefb3a32f1198cbf01c1cce711fafb23f746d3a5a95d377632424f5bb3bc20f1e622ef

memory/612-1705-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2452-1706-0x0000000000400000-0x000000000041D000-memory.dmp