Malware Analysis Report

2025-01-22 08:15

Sample ID: 241026-epw5taxkbq
Target: c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N
SHA256: c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3

Threat Level: Known bad

The file c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (80) files with added filename extension

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-26 04:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-26 04:07
Reported: 2024-10-26 04:09
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe"

Signatures

Modifies visibility of file extensions in Explorer

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\newAIYEg\hgQEoAsg.exe | N/A
N/A | N/A | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\hgQEoAsg.exe = "C:\\Users\\Admin\\newAIYEg\\hgQEoAsg.exe" | C:\Users\Admin\newAIYEg\hgQEoAsg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\hgQEoAsg.exe = "C:\\Users\\Admin\\newAIYEg\\hgQEoAsg.exe" | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qigoQwIM.exe = "C:\\ProgramData\\ZmEYMkwU\\qigoQwIM.exe" | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qigoQwIM.exe = "C:\\ProgramData\\ZmEYMkwU\\qigoQwIM.exe" | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\newAIYEg\hgQEoAsg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2900 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | C:\Users\Admin\newAIYEg\hgQEoAsg.exe
PID 2900 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | C:\ProgramData\ZmEYMkwU\qigoQwIM.exe
PID 2900 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe | C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe

"C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe"

C:\Users\Admin\newAIYEg\hgQEoAsg.exe

"C:\Users\Admin\newAIYEg\hgQEoAsg.exe"

C:\ProgramData\ZmEYMkwU\qigoQwIM.exe

"C:\ProgramData\ZmEYMkwU\qigoQwIM.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

Network

Country | Destination | Domain | Proto
BO | 200.87.164.69:9999 | | tcp
US | 8.8.8.8:53 | google.com | udp
GB | 172.217.16.238:80 | google.com | tcp
BO | 200.119.204.12:9999 | | tcp
BO | 190.186.45.170:9999 | | tcp

Files

SHA512 f3df087ccf804d6673e4332f46083e3d42c55483ccaae0792c8c1656e2454a73a49b2318a622fe7648071fedf9705b0eea1e46b1aed5c6274ab68e19add063cf

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\ewIG.exe

MD5 cfc834de0ee7f305125912a01e86d0fa
SHA1 2561a6cb744c7ec24c2cd678f5e7c39b6b4a1f13
SHA256 27fba954af6446f7780903626c226d840d531d0eff5d9bf80bbe090c99f943e1
SHA512 6f3b09b65d682a8f1638c5b774e94dc57dd24009c7a96642c4bce53c16f4f52ede7f91f8af9785166bd8fc88aea6b30ba3d68b946b4c4322f0145ec8c523bd05

C:\Users\Admin\AppData\Local\Temp\ekQc.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\wAIS.exe

MD5 83e31e9924df891d8838fb4864031f71
SHA1 9689cc61c3f52eee0208b141a941e95399642c86
SHA256 d969467a59757b17fea482bd18754cff6a11ce82abd56274c82ba83af9a9086e
SHA512 c38742425961940c728bbe1f0cfbc3d95a5ee272acea64a82ea9c179ec7a130c54b9093cf8e4a7f28184da046448af0a0838e0ebe8ae57fc7d6fb4f2128fff76

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\Users\Admin\AppData\Local\Temp\OgQc.exe

MD5 23577e0d757fda72d52a51e4142aea61
SHA1 a2b934ceb31bacef532b74e75c2bc3fa14b2aac8
SHA256 fdde6852594fc13b17bebb9687d0cadfffbbf69ef14779e1067e31abb68760fe
SHA512 b629ee7aa19c7c42818f4dc45e24a4fa7c96dd718052ebc64883e0f6ce0ecf74fe65e79247b5cd107beab5b71de1939a8b8007951ed5482b838c155853a88afb

C:\Users\Admin\AppData\Local\Temp\IYUc.exe

MD5 47297f656f208a56752bdcf5998cecc0
SHA1 9bd8e5a0495bc26f4c28871c7ecc4036412234f0
SHA256 083898f551e77e3eb8f6a3f475b36376e3f2e78a7c52f79e83976ea957168766
SHA512 ca5e27f8461152b92b3337af9cab6f28795cc78d9aac7930ae7d59257696ef62bc73ee980311b78ef17911a52a80a873897ac30e748fd19fc706c9d72c6625a2

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\AppData\Local\Temp\CcoW.exe

MD5 c018265800074a32ca081286ba0c9f88
SHA1 3b5488b2d844e82657d67aa42b0cf2ebd060ffcf
SHA256 c001f644c354eccb40183008f759e15c1d57f3d0697762600212a96ad1ce9699
SHA512 fa4196d2efda8be647d1ec56380baccdc0b22c25e78d2dabd42e73dc2c901df0cc0fa41f3f6a8580868fd6e32c4b3db7895d611c522e807a744db885a3b353e0

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\Yswk.exe

MD5 fb6956d9f985027dd98f2c8b60bcb689
SHA1 6b477caf88c0e13ed06c6879e56c674c0adacc6d
SHA256 7a45e57bdb8db87f2e9b5db218a4de665f56dd325fd1ff44b66599b8768be8e0
SHA512 415ef9602aa9b5ce41fe31c8fa25d1d534c2c9133fabbb3b1971949b05f10556ec92749289ac04885a7924e8a718a35e101460b9d1aa70c071f3d1ccacbcb9e3

C:\Users\Admin\AppData\Local\Temp\kIky.exe

MD5 e6b5890519dc647506da96a63d861607
SHA1 8af78614a0e8b4c8ea4da827986382b965d64891
SHA256 e798879bdc7aa7c602d268918fe5f12b7496605d02c77c57a82c51761836a47c
SHA512 3b408d7075da7cafe3aeffb8e0830a9b59a57ced8eb5bb3fae9eb6f5c72fc866a6c56b0c9c75a1342d6c178487bad3ee1c158ceab64c3bea9e3d32dc377e939c

C:\Users\Admin\AppData\Local\Temp\GIQW.exe

MD5 80a3a1489783c48fbb84094574c4fbdf
SHA1 79abebe8affd5b56ccf9d0fca7306773995b4f38
SHA256 ddb6e1e2212046a7eaec2e44763e75545313c8ebfb70131ea67b7b6d3a7d15bd
SHA512 52799d88e28886109a88ead7887fe3e1dd68f753bd7a6ad0e0015b8a2f7dfb68faa1280468bf7c959e3868c74b4e2ce5bb68ca0e6e5457d3baea1db749a3b20d

C:\Users\Admin\AppData\Local\Temp\msEm.exe

MD5 0cc056b8fc989a37287eaed53b50d31b
SHA1 1ec55cc2b4c2215b194737e8e6977d757584a014
SHA256 34f957ed607bb0960b707b758762aa0ffefd7613d9c52fa253c42423084d8541
SHA512 a2f95badda1d08db39d513914a52e04dc0ce4467c3fa0e1c5d2f489e6a99bbed67bc3585ea246857c15ce3b8a6a5dbe3421f63412d44de82b4bd0fde738dd9ea

C:\Users\Admin\AppData\Local\Temp\UMQC.exe

MD5 f1a217f65f08e8df114f6b3cf4979232
SHA1 69b4fcc9f1cfb2d1f938b41a3feec571ef0ffb1f
SHA256 c43834d6a0a0f9f702b108bf3dcbab1350b0291fc8fc377cbda47ff6fcc09c01
SHA512 06adcf79dc3baba669a2cc2d6f5dff4f8dd08ae72d0cd89724a96f7641f8b5f3cf929b9c5507fbbc5acd269c1280989999ac0440226eea438edc4c1be0eded52

C:\Users\Admin\Downloads\ConfirmSubmit.ppt.exe

MD5 6e798f164b75127c9fa49cedbba73115
SHA1 b1ddf61b5fe1db1e2ecd17c364e6d8c559896edc
SHA256 f8b9fe5555bc2e559a71b6a639664eb99096a3e5182df6e6939902d4a722cb63
SHA512 07e085d99abadc81fa1e0f471dfaa652c9226a05c6cefc1fca115c30b95f00b9b7c19d65496eb96d9a8d07bbf28afe6d1f3993e98e7f230f05f472bfd992a4f9

C:\Users\Admin\AppData\Local\Temp\UgcK.exe

MD5 c8af0d2f4f4fbebf46bc0c7479fbe7ae
SHA1 145c43777b387a0d9837af531a27898ff83675b9
SHA256 bc7698181659d53f80f0bb3257479ee6a54b44f9e8e4ec57f0e6da717c7418dc
SHA512 2f6feeac1aa67ace6ff33315884f9c2b0615b2c2a774a3ec79e5bdf42bcb7736189ad987a7055dd97b66324e0e06952493221ecf03ff11a60fe88220072ecee6

C:\Users\Admin\AppData\Local\Temp\Owkc.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\Downloads\PopSplit.zip.exe

MD5 a2db5a77f20e86044850e6030d7713db
SHA1 eebd08fd353e44395ff72cd6e400b844f0a0dbf2
SHA256 1bb732dd646a2eddd0886087e3fcdb01572bac3d086e13c84488409f30798695
SHA512 d698fc396eacdae5a81d90511b148a13c129edc5d4405c35cedd51d0dfebcf8fadf073dec569ee1e09f635f5355e2b69e87d7e5cb8672ec987ddec58b3373283

C:\Users\Admin\Music\LimitPing.pdf.exe

MD5 869f320d4dc2462c04ec3ae7df50586f
SHA1 d1393f692475a7bfa544aa627e6708f67389f7d5
SHA256 df9d31752b12dcacc442a31ff7108151756da5e8eb0fb0703c72df80c72a3321
SHA512 041ba42cc6bfe55750f4844d4badcefaef6d1f25e7b927b2145d76be9fb22aaf9429077f9d01edb13fe12e5a739b28b85081b1b15c1c21cc7180b8dccc3e3774

C:\Users\Admin\Music\PublishSplit.gif.exe

MD5 1a96d20feea16cfbfd897a7c47ac8728
SHA1 eff84cd6b99edea0a0840ebd7723cc3cba6434d1
SHA256 a0fe53578a1ea4e271ce8c762d4231d82d0417dcaa6428b1e649208a9c2950b4
SHA512 75ef1484284796903506907f68cc687c18ec69d8b5bcb4001e0be9540822caf922c034766542fb2d424b8948d48491c07ca6cfc1e81d79be5c5fd7bd4b714790

C:\Users\Admin\Pictures\AssertFind.jpg.exe

MD5 df077f49a47d2f7025b5c1df56fc5585
SHA1 7c96ad1e32c14dd7c5c327314a1b3872c9bd2bf6
SHA256 283d566ee4780b791d9ea0138f9204598c1dc80679be663ac333d7d4bedf1c89
SHA512 79ced82e51234841a551c59e1f6b67e5a82394e0e5aac4bc92c6f4bc018bf8a1191e8e2fcdd96b4723f59358bd99bed12028ff01d4667b4acd25007baa6be3eb

C:\Users\Admin\AppData\Local\Temp\Uggk.exe

MD5 6ec27a048b721bf28c138908a3d58ce8
SHA1 f0a6e108b88a1022dca1d65443b2890f9122f697
SHA256 488eb147ac90a792e5e63fb7e769b4881b6519bcef7472119ad24e1f975e7531
SHA512 ca64ad9a9ec25145cab1f9b36c66ef9a2036cf447c0da4b84e02cd7c4a54adb182f9925b26bd9125c5e8bf8a18e8781cdc14cbb5a22e45498af7c27ce67340cc

C:\Users\Admin\AppData\Local\Temp\Mokq.exe

MD5 f008b0e5a46fe191d9c81ed87d2f3181
SHA1 4a02877a1b63def2ceb9c0413c9b378dd05ce554
SHA256 c8f7e8146b44f49ab9f75d3cf391e7a91f904f6721ea28911829c0992400fc34
SHA512 10367c7c2e585bfd91abbd331e54f733676e9cb63f50b60d73c7e5ea4a9af752b30db1afcc233f501a1316be9bed92445da14e25043410a29bcebf12ba4ed6f5

C:\Users\Admin\AppData\Local\Temp\gUsG.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Pictures\InstallGet.jpg.exe

MD5 a1dcf5223885668089d706dfbbfea66f
SHA1 eeee1f4ae766e143d07d55526b3c50829d1a4f74
SHA256 db9bfef77ed107d1a4e37951f761f23f2dfe7cc782f3f911f6cd63e3a9c9934b
SHA512 70b0c308375aede5bb1c08e2f1b7352f5de7a5f3e0bfebc6719f8d60ff96bc025172ce49afde9e5192edf2b018f3c5d55d97191be080df1f99dc6bd2eac66f87

C:\Users\Admin\AppData\Local\Temp\YYwA.exe

MD5 d2ca5fb52bc2dfea27c5bfa52c017db6
SHA1 e221c7ca2bce147e93c8dbb15d400079df2c69c4
SHA256 4c2b2c1e5b81b52f1596b3bb1592fc54cbe94306b8f14d3c13d5a058e422d64f
SHA512 232eb25af1b62d10a9b659dbfd4de9327dea5ba452f41c27472d40c8c271d0b631a4ce71e3f04a6d57150f7ee555999613a3e2b7807ed93464c6cfe1c0594e38

C:\Users\Admin\Pictures\ResolveWait.jpg.exe

MD5 16d7d1fb0cde14ffd4cc79665a2c54b3
SHA1 107c8a406ee1cd7b47d878b6206ce20018334a42
SHA256 beb66e4783052de56413781bea8a14432a4db10d82c5891d7d15e0d7bfeb486b
SHA512 3c56d98fe98d53aa4d6f1e3690e474f4de338578638d263b2aa6befb843660a5fb8160d4ec2acfe553909b856b60010c9a904e17d3896feefe35505320213039

C:\Users\Admin\Pictures\SuspendLimit.jpg.exe

MD5 36d665ab3b3edb1ae830c20a116ec186
SHA1 e137e73c7102f776483cfc3cd399d54668ac9f28
SHA256 8842ce6842f31a24296bb5d476da40e960728ff4815b35d98f3c2d34220cfea4
SHA512 0e1565b2af7bbc2e97723e866737500722cbac3a7b7d46e16269b2fafbd232542cc9edc121f0f7b513420900f0f3d5fed887bc847c04647f68fd6ed69aeb00f3

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 0a22ed29ff6365185ae30b4f01c1bd46
SHA1 19196d1fa0a8f765ad249b4f5f31a84666e88faf
SHA256 01e4beea426578d6a98f78f2bd3f5800e22e14ee02689237e1f4a456e322c1a8
SHA512 b3b816b3c7c6e517c5b99433d6af8a2d408aa7304654a123846ea245332dfab3776c70d20b9d43c2b8b77705e9661bd33bf17e45e6a487637dd0335ff8c27ea2

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 dc9072e3b6ffc38d89c69e1772dca18f
SHA1 bb0b99311c2787b97827e5e7f1b1fae89333e14d
SHA256 9b8da80981258b6308d0dc9cd6f1a0209d4a5229bfa015b413636f9304a764a0
SHA512 b3b076894bc849317d9466ab7473ae271dab0d882d6279941a9bb2ec66eb60c9306f336b1e29553ee5b7b66a73bd503a2aa1aefd712db5262bc045737180a135

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 9a2ab6aeb533ea6823885b9021c27f96
SHA1 4584b1da6fc00b3c039b7b5f50b768b327dc3881
SHA256 4ae3909204158349490148abc643f34c6bf4cbbda2db949cfd663c69c0af68cc
SHA512 c5832c351e4ac538c565361ef5cd9694e7572cf58cad1af28e1fa2d648428c4035eff6edaa0a2ce5f91697c976daee0a024b158d9cb0cb7bf66f1c76b8a0398c

C:\Users\Admin\AppData\Local\Temp\MQEA.exe

MD5 0e4bb877a9484e9e36c073b5e34df651
SHA1 22778dd088ba25a5587732e427045b8bb3edbdc0
SHA256 558767532abecb18a7b4806e3691c02ebd067fe16d245594885c37d2c862cd2d
SHA512 955f83ff9542f64bdd3b027190559cab09b1a8b5195b73421e6f635dbc23d6c45c30101abcc4d7bbf16d9b49d581a49e4919ce45998a0dcdd1c774bc8b77f588

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a48928da21841389ddd03cfecd71cd91
SHA1 2b95ab3a092ff2c761afd68df11c5fb77f42018d
SHA256 e9842e1bda84cb550903faa65e94589e7ddd7f6171085ea997e1dc7b63aa8cc3
SHA512 ad890791713e5ce6881001fe1200b3290ebbed4126472be0e8bd6dbcf0728d7b5e99b051aada0f3446f6decddff8ca978090f1bdee7136c0cf665a887598eddf

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 e957ddc541f98e781d307fbd3a397126
SHA1 b75a104558537095ee5189b9492fd21c1c3ecb03
SHA256 a440566112651a60ffda3a6dd0d1a85bbb26e65e60be17b7fd582d2a0188f54b
SHA512 43a9244a1fc0e0a27924b5c6a023dc0c537d6284b4dbafce5adee3249598a676cdc9ec2b857b5fd331d36b9e9fceed1ac8269ba222825d5dc2c09fa2a5974212

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 ff0f410cabcde46d44d18d52054d06b2
SHA1 46408230f68aaedf5c58716e15aad930941dc7eb
SHA256 685a0b01f4b4eb0242c862c330f36fb816cd4640f3581928c6a9e767ebc82250
SHA512 8004fd600aa2076c8cab4bf1194360ad6fa087800b702f00b93c7b5e72ef9cac66323e7d1b169f2e00f56a4c27742ab2e573cc0ade68abcb998e7566fbec73b2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 e5892e4b03913306900e8226d067bc01
SHA1 9327c67664ecd764c6164aa51a973249741130e6
SHA256 0641b775d540e105080e4c5c189d639883b83bf30554e568d3d55e8abcdb0791
SHA512 b2bf4498bde0fe6c150bd4c3b477d4a4b9461d90feab597a22a900e5dce5922583d75cb70486ce369b4caf350e8a219fcce586532dc46ce63d496dfddb0308d1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 cf4c975be683e6fc39045215601a0caf
SHA1 567e16550b9490acd7d86143106e315c2432f225
SHA256 cb1a8b95b8b6486272ec4024a03879e40c66c1b4be340037169d3915e782db4b
SHA512 a79dd6e16a98e4a4b6f11b87e25146beb7f6ff94f31b87449d0ddfee940d8262960b85fc028b30f69e438dcaed318cfdbc68ed98ba34a369257db3d17568fdef

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 1d071f57c475092bf4d22c4c04f520d0
SHA1 4b8f241fade6c8e6993449173ea1c431f36c2e67
SHA256 5b5c4bfac89830417aa553da5ef77eb0e2656e1d457a823fa60bfe8d554c2330
SHA512 b809bc653d86ec0038d839d68d9c88bdda65f0263e07df9589dee5da960070478654cf2da2be9f10b0ed5167a0db365e09ce745a00164775a9543c7d84c893e5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 3f2f848b2b692aac73c47638b648596a
SHA1 a201541ab77f2190a548ca581ae961c39e52f9b2
SHA256 59cd6c519b822f87591302885843529320b1dbd6b59b5f4bfd97efadb7845c62
SHA512 8e57ec77a006b557dc052eb7b9dd8a4651350785e3ac405438ec49e5888a07e382a3059e6e356bb7ca771bbe4735baf78bf0b5d5e86a32ad6d740a5af602fc8c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 b5c8a3483d706af06ee84ded4b1fbf8f
SHA1 ec753a65cb117b8a58ec49ba7e7d6a8d2571cbee
SHA256 f3148dae916e7cb56b1f946927e875ca42cca2c1155fc285b1fbf33a3c46cfed
SHA512 f18d02d2a570db416d5653025922272713c10e305b00a84aa1cad4dd3a4c37992df9d1f0f6741b66c713fe2f6cc765d27be2fbb41a97cb010eb7ba16b7fc6628

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 9ae72c39ddf9003969ea0d0c01a077d9
SHA1 33bcc67bb0da146231dd172df153beb36c45056c
SHA256 b921d62ea02d9d362e91ae83d0544aa4c984c36f1e15c0c6a7cae00944064f5f
SHA512 3be6dbfdbbbe36dd5040ed0cb23151f5ed3882fd9953ce43749252183153f79d87b1c7d851091c8f4a8639fa9ca2e902ed174779fe0e6013ebbae29e1082d916

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 eba7f4c6e883a738a99e3e067c06463d
SHA1 0c8763c3ffc1cec174070c048f7f4587c267dd15
SHA256 d8705a00961e9481e5cfe46a829c6533bec1b7218daddea96e2c7693021aa600
SHA512 f230ea28f4529b4c0e6cd77f28b711a2e0d1685646630acdc99206572b73b3cfdec347af90b2637b4fbad288688ce9ce4beac9ad6b5dad0fc888656b193bc116

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 b7d16129f18bc57850eb85ff50a8592f
SHA1 e5a1043c03f26b97a7c4145248366c8b68c3bffc
SHA256 925dccc81d945826e2f4c1a6044ca9128cbb7025b37bcbe8dcc5c5fe1295bedb
SHA512 7622077b38fd2aac23c229e65a7423f40b231766e88b39372ef9b698e20355a97f885d2e487ee6db815b259ed562698f781b625279d4bf2ad1750ff718048d71

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 1361595c02d56d0132edfc36a1d59382
SHA1 1eb3aeafa84fb9e6d7b7e11bedd03b34250886f6
SHA256 1a0013d32b6bb99cd795ef8fad0520e8a84f2ae075e6f22f21e456046735128a
SHA512 94af1f57af25c476f694353f2da412aa765d2a7d54956173db8f2fcdff5c7bc4e80b0cda01c1d1114477a6077ef6113822130a607d332287481162f2a5941302

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 a090f306a17d6454e43e4e5537312379
SHA1 c635401a987966bc649ce6ba816a1332a804154f
SHA256 7bd5116364fb1fb5a1575d78bcdc3a94d3c5f9d2c66f3f228a866a55e204ffb9
SHA512 f3ac67459f425f2e6b69ecba43a6a3110b2d174ec3c89009ce4b622cb6dab01abbd134915ba4bb84058f3902a4ab2febf8844be02db4a416015d97e04748a88b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 e72edb9416f42833598a55a22cd2c22f
SHA1 32465c17710f02e618b83011c35930383a406c7c
SHA256 8bae7c629543c204e6a0dd5a53fc69c04badf721683a0b007fd3bd39263991f9
SHA512 267aad064621c90792ab74c94d3ac0a8bade2b63604dce870940ac85712c6b17abf29bbee40f5b8b8f2e06bc7ae5f2b63384156ca1be86d56275ca512b166e47

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 41d64d8a2fbb394673b4f0eb2e3de108
SHA1 972103036fc47f0a989a0aa14616272f73784e86
SHA256 3d6c2dc2d297ff9c91fb23032b0762a92d5e3ccadc255289240519e38533c56d
SHA512 64a79043b7d50d6ed1c7b88978e905159821d5797b8cba7179286f24351aef7c7fe0341683a8da3d1610206f8dfe336ef631990c2e7c9000503b1ff561f227dc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 2a71ab9c97fd6888d49cbcc3ed614b28
SHA1 d87e81e25ee114296beb64bc980e361a4f9246ca
SHA256 d85437d7f0da209538bd79fabb86674047f90fdb9f9b7de3fe1552171d1cda30
SHA512 fc13c89f627691dac8820f3cfe1706c6f745295347f97add116eaeb780d9f24ad51e1d3223df1381e790be3b9364cc67cb336a605f29e7cd9593c732825f9619

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 3069b77b357c497e7f1ded9a72606de2
SHA1 151ada4939f7dcac268bff9b3277a6efc5303c57
SHA256 d46c0f3bd73537f545cafb63c582021aa18586445af6fd2c61c038e01d76ac31
SHA512 2091762c560a801d798a010c255690de578c7cdb21f48e85cadfe20255796872155b9e7642b86c9c7d927ac1f1c4f30dc2002e1a25aa3ab75cc2404eedeb1cad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 7287f0891b24a4186f19b363bee98c66
SHA1 c5964cfdfc3f6aa4fbf326229c1d49a5cc95a954
SHA256 720667a4787fb141aa119b7634ebec3d4cf0dffe7efed70b5145e577d1785c3f
SHA512 fdacc222d6f6636d9df57b8c8d599bf5f9446cb6f721faaeaba91cc21a4aa69fbd96c0ef6ddf687ef442b0a72a60174ddb2be022da58ec7f15e0ec730982647b

C:\Users\Admin\AppData\Local\Temp\ikww.exe

MD5 6370da82e47e14f996fe1236fa40de6e
SHA1 d75bfa544dd0039b51b0ba94793c62016b6ae60e
SHA256 6aacb08bf41a2a1ebbfdf081642b7b253b1e2402f1f1ae7fb5d19037262da22b
SHA512 15565b017d7eb49f0371f56b8d5ea5cbb97a17f13365395d111194f237c025d4b162fba6f2973a667a7113cc67365f7ebe63e6ba0db399ef799923b9fedf62e7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 d4fdb460d212ca7b171564d634a62ce5
SHA1 da9ee901351a4817944d76b2b903385bd545338d
SHA256 e8fc50c590d76679a4f82db6a7670331d79d6127a4526a18fc6ad2e6a1e363eb
SHA512 17e2672d4cb05eca5c8b0ee3d3d636d95f00c47f70cf26046b45c6f4b80009288ce76acaccc06078899278999848ff1cf6d9a86a207b63a61f91d602a627a694

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 7638e555670e7b375c893d246ed634ac
SHA1 9548db81d869b5d77d50d016d812b7edc52d4246
SHA256 961b17083dddd384ddeb2d0376a158b6fea59f130c721586574ed65835a5d4e0
SHA512 d58e1d311ce5c7b1e549b5b49a37c37b4e6fecfa01fa686cc89628e4bc85b70850b671d5ddf5cea57fa9d46a5c9d1fcbd289920687381ce19532fe48b9935e71

C:\Users\Admin\AppData\Local\Temp\iQQo.exe

MD5 32782758298369c0b3168460301c93a4
SHA1 96b474b3d626dcd0f0fcf76826c2195f45df5a15
SHA256 9452c45e546bfc10959e2e877ec47fbbf989f98601c775487609a6455a8d7e1f
SHA512 e226ec59cc7ca1dbcb7920fda8e44780dc104e21638e2fbc550a46c1a402b9dd01fcb3a71e808282dd1564e5be146005d1b87a4e9bf16bb2821af99c8eec7fc1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 3795db9017d30cd171584d1dcae02c46
SHA1 c6a4a1bffa4db087d14212bab65745284d200b4b
SHA256 683c046f74940accea83a0b522a3dd665705968e9eccfe62139c4b4a51aef19b
SHA512 c6bad50994416de05bc748aff00118a88014abaab860bc53854b00b27d7de8697467630658329dcf8d2a412181b84c73f95fcde051a400fdc9c66c410fcaafbc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 321a30e9823de1fb9dd79c8c408f08e2
SHA1 ab221ec681f6294f6de9ec32c2926fcc66c4a894
SHA256 fefcb3536468eb32e7f44df8bef4092e780dae97641cc5f5a50a0fc463062793
SHA512 4e166ef58014bc1184063761dc89b37cf7cf47886f18bad5153e52e7c50e13a3ef303078034eb255c484ee78f4072e79862221749956a4105b66773e1a5d3199

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 947447751a3cb0b6989e6d8a7a56f3dc
SHA1 98d8a242faeec7d2735e05edad9c20dfeb5ebe3a
SHA256 fb921564edc864448892308004dfd952b390a53fdef18957231dabc16e32c9c2
SHA512 205eeff9561da9a8ed6767df8a642ea367a90914c5134d0715deda871149ad51c94088e0680c374419be9902ff4cc42f1a5058c30877bc0f1e5de70cccad117b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 f8298a30bfeeaa70d244f9b9d3c1d8d6
SHA1 9578ed58755b1ee7178d76aa1d613a04aac5c852
SHA256 1dd5a876ffa6ad128c7ee29625de0c9e562a26266377554b89fa7eb161e6bb0a
SHA512 d45fa19f18fdf345643232eb05cba5dbc05b7d61ddccda3de57ecaba5a0ed20df9a6eb421480d4b820a0beea8749793cd32cd321d8a2d92d660c5d466de9762b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 897a72a0235d551735750baf626a7904
SHA1 da4a6ee3a73ab8838ea95388a669e9845bbbb227
SHA256 fd3f88a0222c0efc0c9c84d8098c816bd1c22e3653acf19ba7c9739d73f76c97
SHA512 014c1e8f676aad1752e49853ef35a9d3739104e31160f0542bbbe7551e87e376267852b9cc151e956f903eeb51b0ebbcfa176e43eba23e57acc01e20ee03e13e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 28818773f5959bd0f7a7b60e2653f4fd
SHA1 675dcd5e549bee3cab03796e49d31f658cf99a9d
SHA256 027185b8c1ab2cc737f2907fb5268897e3b339f4252e0167781c0067caf5a44c
SHA512 ef97ea77d4d662c871d608e1a0460f9f4697c874ce32052f2eaef4ba052bd394576ae7535345e177daacab2b84c9f2c6d60a198165c40e0c09015c64cdca146d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 8e6d181bb244a9129b1fb6d8fbdd66d3
SHA1 f4138cea98dc82cc689a7e43acce96ac6777d685
SHA256 956e8bd5748e5039b136135b0de4a832b3aef60df0fad6f289414d6dec62063c
SHA512 b4f0a330b997db795f0c0e602643ceacb4adfeca4c723987e64b656b5ea752e5a670c4a6f2d852bc4a0ca39d9df11688d1363c6f55fd6471059b813981a4fcaa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 b22dd320bb933b5aa787331086b0faf9
SHA1 bd932ca8816ea4fd70469b61c04e1d2f76f732d4
SHA256 cdc689b1758a689fb3894782370ec62381fe66a63e7259a8059196707299389f
SHA512 36cfc04f233fbb12098b57ae4057462cf47a35832866fbc3add9ac99f45a89e99b83e8c329e6fa0a4275ac4a634bcabe10a7875eecb93af85f1101ebc264f168

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 7632bf675aac5bce9e3a54ba1e5faad3
SHA1 7d0831b4ba2db7d445e5cad6793f7c5b2979eb0e
SHA256 b3c2b4cd4c6f9ce0a8ac2576128ebb516394a3d39281ae4b91ff831ef6b3a04b
SHA512 d37d2d4f5620b7ed6cb1c613a02aba745b0b9f72631f1205ad970be1e93c29aaf5deccb2a613256c736cba703712c48319fb5d334c19594dd1c92ba0a4fcb44e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 49451ee3dad889e2b05f75874cdbe08d
SHA1 f8642c2a16b44fb16dbd5f48733987327a3eba3b
SHA256 5d57d60ae9db469eeab316cd56a696d9b053a591036b138a2eec919d72666b45
SHA512 e6d5b7b3dbafa33889a4046607b4cf4ee601e656b5580f78d57aca1b0d3cece60f5fad4d6d532fe4dd250271d684fa4b7b4ee66064b3e68b7cd67eab201efacc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 6d63de1e806c53798d6a26493dbe00aa
SHA1 b8dd62c5b709451c186570b85919efcb16c1c12d
SHA256 80d13bf2422e823b5a6cbc58cfbee29ad45afcbbe516dfaf7e01d29d465ca96e
SHA512 050fbd3489cb3f1eea1ca128eaa06816d45e126b2fccf8cbf612daec55dd6fde71905c39a3350dd46c8901ccf452e819361c127231e6c379594a1397eb884c80

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 cb0ce24af022de64a4fcd900378fc0e6
SHA1 ee1b59d47d5e5d861c8cde7edbd5f73305666f40
SHA256 01d3bd7e8e7bd81d386c4da7d3f495c624d37f86e995740032dc30ae004d4e15
SHA512 d3f306b85e09404fda7f214ce61b7522813cb51eae39cc7163b499dca3dc5a84e29de719edb501dadc6a767894c41c6d6c6b628adff442823ff64e52a96d573d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 0e5f6b7127a252820bb8f969fdadcb56
SHA1 eb19d26362b51971a65a5ba531e1c9ecda8a00af
SHA256 d010256f1ef14def1ffa1a7706a448d466a80777d50c0ad042f4645e06f927fd
SHA512 c6bed95b191f53e85e0ccedddb805eae5c703c1f1e941c7c93752b911d017227e84e8faca3dc214e964f7f003288ccbda8c11680ccf01efdbf9d75938f308240

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 67ef2bfcbc47b980b179d76a34674136
SHA1 37fd6a63e287dc9b502313b43d282f62cab96235
SHA256 c0c8dcdb861cf0e98a8bce204cf1c08f12dadf008137df80052a4f34e1e0328e
SHA512 057a6dad22cd0ff7e36a68d188980bdc23c7d756cee1283b1491bd9009c87d1b1fa71a7f62d27293056df9872478c871bd87d290931924047746d5f98568d418

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 84e5549bc6a1b889f498963180427ee8
SHA1 0932e6b45a72d917b7fc00a6624a18732d45ddd1
SHA256 236309901b1b96bd0581a3ea68f688a4329da49c41198ce14c1c6ac90f9ab1b7
SHA512 d4221c9fe2f7bdc1d10d96611de475208f640b98757d5ae7f59070a8631bb2a672ade87e23c049414cb6de07ecbe8dbe2ae7c8a1477061b8c13defafa82d2461

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 9f48276be34abd6e2fed6381144698a1
SHA1 b9f21e5f7992c47f3b480610161862986c7ac248
SHA256 ff1dd98a931026374187a2fdc4227b993773e41c57284b9ddb59f0fe6d4b2cdf
SHA512 1aaf5491b53802df69c21cc2b7fda18c9170bc6408aac114b1865813c6be22e1fa151cf33f20ae6fb15c6903d1a996aa8b4b2b70d0d87ed8b9f9a5fae02edadf

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 506bc017c4c5732f642556f8d0adfbe8
SHA1 b591ca2b38e2b9e0aa632883b0a5da9184b41207
SHA256 05ee2f11c6fcdddb167593338c7806054c2d362c73c6583e7a5bf663caed9698
SHA512 82dff25587670cc29f3b0bbf3ca038e7d4568b29f952fddb1f1a18cc80010e742ebcc8165ee842857f730a61dcd337d43f2cd0153476a66950ae9a4b0475469e

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 37f73899f53f2797f3ae15160c3a80ce
SHA1 772f839bb9573f7296ddb22c70127d455bc5be66
SHA256 d722f872bdaa498879b6a8734395fdbdc4000191c3d358615109db2f1dcd6c4d
SHA512 f6ff59f7118cc20865cdb2a36cf136efa40fbbdc8a3c2cacdcf6f1362dc54a788f80bad92537d8ef2d5212ee49cf5854607c20729ce9466a68a1179a78d2a08a

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 02838e9aac9263de3591cf31dff1b3c1
SHA1 244b812dfa6f2d71690bd3a6c4ca31bb10b88523
SHA256 283c1bcebbb8df27f740970b05b9ec22ae19445f630d2241d53474ff1a5c5345
SHA512 6f9f1158b9393dcc43d3740a83ee8bc6219ca70abcdde8330e8c72818a379eb4fb21e344d2294f55c9053b14db55f0187919565f4e938315be9fb0d256f1f3a5

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6aa57bf933799f03f05206ec7f06277c
SHA1 425f146f3f9754df2e99d4d41cade30dffc3bc27
SHA256 0aab390bcc336976635f7d8f2b6f2afde9f20b359d8d2ab37d616015ce528fb3
SHA512 502ca8ecf2a0f2c20e560ba83a94a06ef513e3bf9b8a345354759cabbbe0e1a5842fa8ffbb2e4a303b38265bc916cb2d85ce2ad3b97f1ab336b4b852a573c315

C:\Users\Admin\AppData\Local\Temp\owEs.exe

MD5 f30e93acff5d08dae8367fee0f22d3bc
SHA1 dd19a6bc2fbaa81bf0698076304383f6018c5cbf
SHA256 7731c91f6d17df35e6f6eb6cb93cfad994a747e42a788fb169c177d738006907
SHA512 09e9ec264cf14891e0006a5921ae3226c9d7c46af170a811b197efda31a86f91ab4ee6027a4004ef898b48ac157e6392f554ae07368817b12cea18761f2d0eab

C:\Users\Admin\AppData\Local\Temp\Ogsa.exe

MD5 f34d101952d08f183c835bd2817e547f
SHA1 c5f268e8058d85b785bd9d3c36eb55a65ffff90b
SHA256 2e8c46d0d371d63273f48fc28851df0a3e610b653feb095a4abde113a5361a25
SHA512 689cc75a92d51a0255b561623887fdcb403c80878275715476a06fd3cf1f8f7405e0cb927c5ae4bb8acd48c67bf7904a81c5f9ce0dd45d19f14d2c9616ef1252

C:\Users\Admin\AppData\Local\Temp\IUEs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 f8afebd8413d9ce9e37d26893645d20c
SHA1 bcea84ff5519623bf731d8a8c04b3c9697c320ce
SHA256 abb6caf6e936ffb423306be3aaa2457762c0f60d37f930eb9a8e85f1cb5ce8a1
SHA512 cb425d78df29094471f1d688b43b6e5ed9d62d30231993fc6eff7f93397a21d9e93a0a448c9555e182c7eb546d854317943a9f9f288da6b0372b2caf3dd8ff29

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 673f9974ae690e48efe267e1d9b70780
SHA1 b11c094238793ed86188e0be30cc2a93c95f00e0
SHA256 f50e2f119c07a5cb54b76072463ff921507ee9ae2190c95f6f88b3bf6e3b0325
SHA512 32a714fe736b1498a0529162d19dbeaf2e502b63deac479574c6c4e2330be6cafe923d9a736fd228a6757f3de279416f5dbb8c5dd93668ffb8b4855486142207

C:\Users\Admin\AppData\Local\Temp\UMAO.exe

MD5 b1bc96a8a4a8f42d9da0d035a34f9690
SHA1 20612c5e653b44e4d0597f30b1477d51c14101d7
SHA256 c70ddc6a98d75043efcda4b29d561b5371f86ca19e637fffbede905181abbe1a
SHA512 14ad38996108765a69fccb7deb94ab7132e4e58fb1b17d7d89983135caadbe8ccd5170dd5a0d33c088d6a991665272e8a92b663bbc2ca192a893cda7d2611ac5

C:\Users\Admin\AppData\Local\Temp\YIoG.exe

C:\Users\Admin\AppData\Local\Temp\sUoA.exe

C:\Users\Admin\AppData\Local\Temp\cYwA.exe

C:\Users\Admin\AppData\Local\Temp\sQUi.exe

C:\Users\Admin\AppData\Local\Temp\oMAa.exe

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

memory/3008-1845-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2312-1846-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:07

Reported

2024-10-26 04:09

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A
N/A N/A C:\ProgramData\AYcQUEQQ\AmMIkMck.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nIQAwssU.exe = "C:\\Users\\Admin\\aSgAsQIg\\nIQAwssU.exe" C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AmMIkMck.exe = "C:\\ProgramData\\AYcQUEQQ\\AmMIkMck.exe" C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nIQAwssU.exe = "C:\\Users\\Admin\\aSgAsQIg\\nIQAwssU.exe" C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AmMIkMck.exe = "C:\\ProgramData\\AYcQUEQQ\\AmMIkMck.exe" C:\ProgramData\AYcQUEQQ\AmMIkMck.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\AYcQUEQQ\AmMIkMck.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\aSgAsQIg\nIQAwssU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe C:\Users\Admin\aSgAsQIg\nIQAwssU.exe
PID 2868 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe C:\ProgramData\AYcQUEQQ\AmMIkMck.exe
PID 2868 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe

"C:\Users\Admin\AppData\Local\Temp\c65ffd5ef2cc853f4b03d775c1787e191ce625e01c8b5d6bfead867f2c19e9a3N.exe"

C:\Users\Admin\aSgAsQIg\nIQAwssU.exe

"C:\Users\Admin\aSgAsQIg\nIQAwssU.exe"

C:\ProgramData\AYcQUEQQ\AmMIkMck.exe

"C:\ProgramData\AYcQUEQQ\AmMIkMck.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

Network

Files

memory/2868-0-0x0000000000400000-0x0000000000692000-memory.dmp

C:\Users\Admin\aSgAsQIg\nIQAwssU.exe

memory/2892-6-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\AYcQUEQQ\AmMIkMck.exe

memory/760-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2868-17-0x0000000000400000-0x0000000000692000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

memory/1192-21-0x0000019088310000-0x000001908858A000-memory.dmp

memory/1192-22-0x0000019088AC0000-0x0000019088B72000-memory.dmp

memory/1192-43-0x00000190A32A0000-0x00000190A3316000-memory.dmp

memory/1192-44-0x00000190A2AB0000-0x00000190A2AD2000-memory.dmp

memory/1192-46-0x00000190A34A0000-0x00000190A34BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gccw.exe

C:\Users\Admin\AppData\Local\Temp\IUMA.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

C:\Users\Admin\AppData\Local\Temp\mgoc.ico

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

C:\Users\Admin\AppData\Local\Temp\goQQ.exe

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

C:\Users\Admin\AppData\Local\Temp\IEAA.exe

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

C:\Users\Admin\AppData\Local\Temp\eIwG.exe

C:\Users\Admin\AppData\Local\Temp\ggQm.exe

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

C:\Users\Admin\AppData\Local\Temp\gsYi.exe

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

C:\Users\Admin\AppData\Local\Temp\UUIq.exe

C:\Users\Admin\AppData\Local\Temp\KYcC.ico

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

C:\Users\Admin\AppData\Local\Temp\EIEY.exe

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

C:\Users\Admin\AppData\Local\Temp\eoII.exe

C:\Users\Admin\AppData\Local\Temp\WkQw.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

C:\Users\Admin\AppData\Local\Temp\IoYS.exe

C:\Users\Admin\AppData\Local\Temp\CkcM.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

C:\Users\Admin\AppData\Local\Temp\GEos.exe

C:\Users\Admin\AppData\Local\Temp\QAom.exe

C:\Users\Admin\AppData\Local\Temp\QcYY.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

C:\Users\Admin\AppData\Local\Temp\gMcq.exe

C:\Users\Admin\AppData\Local\Temp\UYUE.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

C:\Users\Admin\AppData\Local\Temp\goQQ.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

C:\Users\Admin\AppData\Local\Temp\QkAI.exe

C:\Users\Admin\AppData\Local\Temp\wMAQ.exe

C:\Users\Admin\AppData\Local\Temp\SEkI.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

C:\Users\Admin\AppData\Local\Temp\KYMi.exe

MD5 4a288400880979edc7e5b5a830d0551a
SHA1 97702f005a919226497b1930d97145eab039f0c6
SHA256 dbcb937edb8e2edb953f58131ad9602023f8dc620b1143a20992eb228bc5fbb3
SHA512 1671f36aafd205cf372b7e434b8b517e446ce2afa34db76bc69b7bc25a2d9f8894a7d896b41818547e3ee25bfce32ac6ac926b80a0e5f9f1a6c1df78a31366c2

C:\Users\Admin\AppData\Local\Temp\coIW.exe

MD5 9b044445dcde92e18fd02a87fd458507
SHA1 1dc523dc5632c7965948e6f376abd73af82a286d
SHA256 3e4656c3bf37a2a3a000f0f9143e3cbd670204734612868d3e0625d19f67add7
SHA512 5d170fb9e26e83c63983926fd3213834cdbde5c58b526c504e8867995c7d4ec89e5488a401b770d25d771c387941984aa28d7ebed0dcbf9db947f29f91dfbc4f

C:\Users\Admin\AppData\Local\Temp\uMAE.exe

MD5 201b0eb9739b327ea6accddc8fdc324d
SHA1 db3fafef4283924e0d8855134b86a8ef60dad55e
SHA256 987d1eb50de4f5cbcbf9f81a3f98e259dc758283315183b9b7524b4e608ff2e1
SHA512 a25545745dca45d4077d5c450e8391e568a138c982b176ae72748a02ccad53d3bd44c714e27e0d3a02a1db984421ed84cf308d53bdcd2ed1cd152877df539e29

C:\Users\Admin\AppData\Local\Temp\ikoi.exe

MD5 3043ca75152febce0a92af4cad6e9747
SHA1 8989f8ff329f4ac20c7699afb59e0c0f584c3262
SHA256 af6efd84ad83e9f4f4adb701afa71395e1586425c10b37e07b67fe50b28ab388
SHA512 c337b22c3779d30397d214dbef424c009d96e609cb11bec53b6a3f3be9ec6a76087c57cf4a272a32f7fbddb75981bf14f99d5e6550535fab23ac01875efd172f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 e2c11fa6930cd44416c7a61069e0f355
SHA1 d61053f2ccb532975ae5493231697815895a2f94
SHA256 09409eff78c1a2805d0732ecca7015d5ff41f765c7d78533b324e82a8d015a47
SHA512 226df2ea7f94cb1888cd8135423159e87063b59e81adeed1959e328ee1fcddcec9db5a018708078c9bedca65dca4bf80334ee48275073f4636a52448f3e1d35f

C:\Users\Admin\AppData\Local\Temp\ckoq.exe

MD5 6b822fde6bb0de12aac0f59986c6d8eb
SHA1 98d8628b43f1b4e1b4d9d9e5347c09c9cda866aa
SHA256 7528735a29cb40e6002a974067df21e161db959bbebfd566a57324d6b57e391b
SHA512 bcccf358ca849bf5a4a2a043dcff10a6fb37c0b8eb5960682867dda5cec25fa84722d2d4629204cd44df781c33ce3fdccee0c55fd45ac8a79e7f8c0c1cc6fe6c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 b2fd4b95b2616d58cccdf2389a679b27
SHA1 18bd47e8be23dacfbec505c4fb922bf46c87017b
SHA256 111d280000d4e773bc919e1d300b07d6eac627d7e40488ad6ec5fb4c3f749be2
SHA512 83fd7adbd1e235cf2d6576388e7c9c93168a27ee4e8dd670bfe5e8c04d343ff73cc750b7fff5f921738b1cfec9e9251a79084eba1c2e459cbc03502f4023eb58

C:\Users\Admin\AppData\Local\Temp\csMw.exe

MD5 aa77b1e5abf52da4e50ba3f60d902f7a
SHA1 835e0e94e59856237bcebc3b696d5107d39f4984
SHA256 9befe262734fd319b62d6797c0e7ffa7c1d99db3ef6b385cb86c3c1e5e252062
SHA512 318ea6f1ad3f1cf36938884a8171a3214953d098d4d140f9e82505bb0e5d24d694e8fc7e85067860553aad11ff1f2a38cf451b77604cc13bfa4e28073d06a1f3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 713ddcc5de8e9e06d4cdb8d378ddaf1f
SHA1 2ea8d5bc6c5eb33ec4d3665f5a1f9fd8bfb887ab
SHA256 f09a249dddf888375a287d27f53297f228c6154f4ee6a3f2185b5af5a5a4cd34
SHA512 1e6c3be9c834227e026186751fc485c5803ea2a4cc5536dc38360a7b903b41fd8364769d22d4ede3de4d598576ef1a751007e015c75026a36eb6154cc864d6cc

C:\Users\Admin\AppData\Local\Temp\cUkI.exe

MD5 6bf88d18603d1cd8e63fa9a6980c89a8
SHA1 3a12a8c3590e59ccb4424e05824e5e05467e1c89
SHA256 2a8e853d57d75aaf1f9bbde6cdd0fa10a9983edc6be2cbf0af4131644f3cc8c9
SHA512 d65883db3637ead679d4c34f198ebf20642e2280a39215c1cc2b610449585cd585b613d23ab1191ade56eeef430e8f6f0ee1bf4c18784ee9f89e979d524a85e9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 88e4297e0ca8765b57bc9a173d344c8c
SHA1 bf1ce578621d2bbca89e3f5dc93586ad51beca2b
SHA256 0aba7b29d03e9fa2f790ab054d7796023e2806e4e23413a6e901851be4f1bbf6
SHA512 d48f52d9a4889b0e4652d7783425df039cca8a48358e2b23fbd978e5831862b2e04f4e9493294357d2df56ab97fc77076052b81757c9cf3ba09d6406de5a0487

C:\Users\Admin\AppData\Local\Temp\OEAK.exe

MD5 fc6ad635069195ab288877715eb7ba6a
SHA1 e11b953a7b8e5a1b2542d61aedf08116521b7222
SHA256 680b4d7b4edab44b174d7ee95d1ef860e0d93d649f99cf124dc0239396c03d57
SHA512 e7b4a2e1b6830ecaef7657474b1b62d12e6705af47c3b9e544012e205d34a77334870ef9a616876eaca0bdbd0a8e03447ae0e3dde296a01537e4f60c7c970f8b

C:\Users\Admin\AppData\Local\Temp\YEQC.exe

MD5 777dc01a8327661a63b2d85da39008dd
SHA1 8672491672abaa4c6a9842244060a5921a87559b
SHA256 579e4fb52acf0befeb360416c73228843488e418bb5e293305d93ebc7c6dd794
SHA512 5d94356673c5e31e75ef07bd33f34611a05277d6c22313587e91fc56bc3dd2f13bb7f59bf31f048b95e1881798c59d2df9f35c769010c9073ad311bb54161211

C:\Users\Admin\AppData\Local\Temp\iogs.exe

MD5 5ba47df466a7d351f5d3bc0880f0ed17
SHA1 e8b413e9bf97867985f466251fe045788bc9dfc9
SHA256 adc08e86420d780f521f59e23dbb677b4447bf3e2ff66252fc2c248c80fd34bb
SHA512 faf78b7d10834e104a9cdb59bd0f7e49c95bb66d00a53dbafa6a2900061be9d797d2f6bf05d530b92426cfac644553caaf1d47a4cee1a61f6c7339e5c3841db2

C:\Users\Admin\AppData\Local\Temp\mQwi.exe

MD5 e353666e3ec52c34d6b6bd858f4ae581
SHA1 9a63e1fd856da59983f3989a67b808f85f5cf1f9
SHA256 d34e5a3b6a19972f6044a4fb7b3bc8645def25206c2113e3310eefe37054c0f8
SHA512 55ea484b98cc28d85c012eb502056c17d5309e3d22e6f11feec66840352a40ff57a81bfddacc5f659275c2ee79046035a85b8e48dda2abe54b50c646b4ed33cd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

MD5 88dc53a5a69d03547f1291986b72e5e2
SHA1 e4dbdde427a2e4596872cb58222855bf08c100c2
SHA256 76b30ce042bb926f80b4468e17945e6bd03f0a7845b76bd874496c1d5bf47972
SHA512 7362aebbfa902925664c46e90cb9eebac03b69d6fe469ae89378b8be30b2bac3bbd68919c195f124fc9d8c2b4affc0b043d11656940bf1bef6278e364e396cce

C:\Users\Admin\AppData\Local\Temp\gMMS.exe

MD5 f1286280efb2ea4e93a5fa03c8689801
SHA1 5c961d8f5eb8ad386f1036586157f1a6ef0e1daa
SHA256 e1960cb7696fad516b472554f5b505de06ef189e2dc04f5a4ed2f78e1162e344
SHA512 5318aad9b37b52b9d6ce2abce3f4f5940b7ef32883b6462c6cdd496c74c6cd548d964f114b39bdc0cbcbf324f802ae229bfa5e1f83c4669d04fb4ea99156cd37

C:\Users\Admin\AppData\Local\Temp\WoUU.exe

MD5 ac29370a1f66378bd8054cd9be2b172a
SHA1 a3840d0121ad65d8805e07ab5bc22ec3d9fc7607
SHA256 cbf60c301ab74f89ad4d7880ce6d4c8aafdbf9bbd0e125c7dc80d1dff33b81c8
SHA512 7d4418fc722b05d86e07350cb44dfddc1381c01b324f8ddbd26a7df62266d9a69ce059f1c3987b57f7e1efc34bcfe66835a0055696f1bb35ca8d4746eab6215e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 6f84a87359fa6ca93ee5253f4f0eadc8
SHA1 f7e993e4307ae0d63f0c5759cb558d88e3beba26
SHA256 c3dfb9b6eedde9882224dd842a500c4cb006dc24048d9cffe9cb64c6cc40e3ab
SHA512 0580ad0571548b5282fa10148cbe794e7afdc7c089c17ae3c7c974d8060c653205c8201f12a801a00ec93f7f06888c429cc3e750ea7e422c113022c2290102de

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 96cf688d804e20e4c76bcd16bdac5296
SHA1 8269fbd5979fab4944da5364611d7e927b01da3b
SHA256 7d6be9b563a06bcf3b82ae63777bdb865bd08ab691342cb615420fcca69e231d
SHA512 74d16697938208b03cdd7a11867e244cae34f85e5bed756024145e7cc3a48662582eaf9e0d94533dd86b25036041e8ec514328a369a60665b0d1928926acac4f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 1b22b9092386df54e0a9e15b06294731
SHA1 6f22745f7dcd1ac3f1d80c9977b87da575260f61
SHA256 beb8f9221c9534568b9dd384c8b6a7d6bc47147751014d1d24c9f67f157d5280
SHA512 0e5f45d1063cc34c08c70eb08b95f7f5d248b5b9e3b4993b934379b393c7c960d5151a2935d531cab80a09270f3364ed6919e6ef71c720a3de0a479182d54cf6

C:\Users\Admin\AppData\Local\Temp\AUcC.exe

MD5 47349cbd267e7277b5fb1eb8481f54a2
SHA1 196a224cfc8b3d190a6482f0e6f6a1b1db371591
SHA256 d6af754d6d2e1407b2eb6ee8cad4932222e12ebdbeca1cb0d0896f54e02bba45
SHA512 973df0ae5c50003e26262a8c8e534f92e5f3e1555e31f251e948f741f71f5db5ae043208ed0e6870a173c330c934bea61c22f5d8434b945667c95636e40c0127

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 06e22d4379fe7c5cb397f8a13bb62b6d
SHA1 690f11fd7d80bf0048d5d418490f6643719b0546
SHA256 4e6ac5bd9ea5d16e8163c7fb43f55bac34eed5006f39f30ca537437c2a8270c3
SHA512 3d6d81ca63dce872e28d0a489ca4ac798f96f8b959551fe16e01ad0fbe9b99e2b0459a336077c8720fe4a619f24761aab6ecf0e878dfade88453c21cb4543580

C:\Users\Admin\AppData\Local\Temp\AMgA.exe

MD5 456aa2b1e6cb3e959391ee8f2244bc50
SHA1 17703d3ed0c362dcb448f2ae654298edbf1aac82
SHA256 c5b91426f333948cc2b82618eddf79437eadad44b717d2193bfa9fd1fd6422de
SHA512 918dd4f353a26f09eae44bd5b4729f6a0d2eb1bace1e702ecb0288d2ddca08a9f18a79d9affe10c65fcb5af1b848e03084285482323217e9176a22b2717daefd

C:\Users\Admin\AppData\Local\Temp\YAAk.exe

MD5 5e169ec800991b460a437476b98392c5
SHA1 e52e5952d5d6a34b181f35ad7d643d2b0e23e23d
SHA256 f7e878ab80c3c809a56fd63711293e8ba9177cc9f58241482c4f22dce03f2f6f
SHA512 d7fc7ade2a367b661c81d75ca278d8c5195072b5ef2e39b9b584a3f9112adea3fd6df9c7e299ea7c3696db69a4e5a9948129aafaae66a651ed53787380664607

C:\Users\Admin\AppData\Local\Temp\OQUK.exe

MD5 2ef5565bee80cc267dc2d77a57920919
SHA1 b1ebaa8887e0846cebf98883138b72768beccebf
SHA256 59ca5c1e8acd7b28d75845014bf154565fe0fd31493ac65899ca9643ea3036f3
SHA512 2cdc5da12bdb208137e0f543cd230e7d997caa257e4e5caf1ea3a3f540d0bbfa0bddf35802823e3e082ea513daf54525943408c3490bbd5e847011ea7c49e7e5

C:\Users\Admin\AppData\Local\Temp\iQEM.exe

MD5 8bb5815637e85aa72e2c2819b6ecaa17
SHA1 a87cbc4d259ef3d8c452329dd2e9d4ba7a05e5ec
SHA256 9bc5e435cfa7819f67f8c0f9cc4975fcd308a03a04e5d7a34ade7fe5d6c9fa64
SHA512 fea4ea0360d60ac66a79ab764926c94a24168aee67aa22db2915f0354a22bb5d15c101bb4606115aeaacadeaa041b95fb8544f031a822d093ca53d31b6f004e7

C:\Users\Admin\AppData\Local\Temp\kEwA.exe

MD5 89dd0e36182100461ac2e196fed2b72b
SHA1 b224a951eca4ff61ec196da01c3a94fef35888e7
SHA256 605d034a90ce1c74aa735a6f77be6a1b6504dfcad3fca00bad60d2e56ade3b74
SHA512 a26177f5a9b64d7a50a108e64c704beaf4e3b8310351991dd7de6fe123162a2f8a5141661123fc7dd286c85973ab51f2d709330a2821b27f96bd5bbf3c91f7fb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 6e23725b304f993d146df7c01b5e46e3
SHA1 e50c5a9d2a2c29a683995e523ffc1ea6635b8736
SHA256 e25c82fd60a3abf5fbc6e6d2685c0445961497985a1c74fde92fd3d3422e3cc9
SHA512 61e5ca4d03de416af436d5d56c3697bef21be67534f6a3a6537fcbbabf659e93ff5761d001f2a14dd98696061f697d24463751edd8ae7bc79cb929406dd5983c

C:\Users\Admin\AppData\Local\Temp\UoQQ.exe

MD5 6a7987fa44e9191bfde7d15c42075420
SHA1 acffe6992dc7c9ef8e74dda22c29cc4263070186
SHA256 2337f62dd0d2e41f47b35bfeb7bfe1228cb343860cfdc74e2c4082809db102c1
SHA512 39eb509e165a3eda59166d38de9e67ee63bf2d3d4757bbf2228a20b324601e8cfca0eddbaddc50ac39cac6002d018899369225f97e7245e71fbf14988bb29dfc

C:\Users\Admin\AppData\Local\Temp\CUEu.exe

MD5 198c2cb28b5239975d268973ae284610
SHA1 d958a3b45ccd2a7664d19e0356f3f18d364964c4
SHA256 8aeacc9e71a54d6ec00d9348ad20768c75fcfa4eeeddbe41f0bfd8ebd2125688
SHA512 0dd1c49066abb91ddf0e23be4c4e4a536c928521b4d8cd6a6a812f34d76bfd9ac42c5daa9da82d25d48baadde7b4796a84a0ebea7f7c8fb8afcbbd57b2645758

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

MD5 92ed5fefbc7f3cf748ef05024609d70f
SHA1 bb269c328aa2fc2c0496b8bef3df968536a75f87
SHA256 ca2cd35a04a3c35b0ebe4f5b74ae465d38dd2d5950f630050cc6245ebbafc66c
SHA512 eab89ba82a8a82c01b450b9cfa3a4eaddef0ffc9796c29d3f5f0af29191c83a65e4cc587083d0b7161f2566e959fcb7c601c917848b57388255aa486177f8e6c

C:\Users\Admin\AppData\Local\Temp\GgMs.exe

MD5 b52c381c9024b46464fbb39b06bb065b
SHA1 6cf200154404d76eeef32fc891272e359179357e
SHA256 cfa2e082d0500695226cd25439c3bda627969f04e416c88243a94c5c1b252bd6
SHA512 fc0c3ee157bddd45d15462edbe43574c10a622771c4f2ce4a5e11d7daaf0a40e2a8b186f627ead5364a34555e7d0e964fcb773f47d093ae849629a2bf6c0c85d

C:\Users\Admin\AppData\Local\Temp\woMk.exe

MD5 fd33692f0a5aef125eb0686fc5e9df67
SHA1 2517db90f8c34129828766c0fd6b3b2a51591d6e
SHA256 cc729f38be1e8d85476691c1c6c45beba68d518accca71fb91fc352042982a24
SHA512 d99bfeb12f91d5e2e35c725bd27db70a475c79eb3e66c3765f6c02f1e36ce577c9482d32332a46cbbbc808acd55a8fb05f10ed8466e5356e6ede84fd0d7c5cb0

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 6f125177b49bae9fb64f81063204579c
SHA1 80528e22bcc6b06144982afe36a7853c7ac392fc
SHA256 2e7b8e0557bbb2c3a14360a2503967c3d3a0186ba3b0938bd36dd72cf4b7f62c
SHA512 0bc414cb0d1544ff0ede2e123ed8bbd1072affa391cc431ea974195360c7a43aa87c27f65c26966e5a06be34a808056648165253611883c2c9f6eb618d2df138

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 3c4772ad2ccbbfa6504bba5e49345852
SHA1 4092a19e4e0acca7dfa284c1b12e8e707a5cb5fa
SHA256 97ab7685a8f97e6a46ad7568ef63cf93621a100892ad837adca19ceee2e6a991
SHA512 14f31ad5ffd4889470d33a74a8f84b61872922a1d1681c9cdc368fb7df7c29709652746c3243ddc1343dd450d7536f27bfc0d3619e0597aadb2b09b974cdf184

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 1881da0398401e775c84497575781e25
SHA1 d1650d2fb8de2d9ad3b0f099ad4cf3ba033b07be
SHA256 f10686cbee0fedbca34e1a4b9452c8a86bf9c109d5af378d3a831fdd6ad014b0
SHA512 05988c8aff27c6f072649dae0d83d1468f0d9071cccfda30627b2e5cedbb3949a69722f59614d72bbcfe92455a8f14bfda562bad59950fd5b7eb3b2f3982b3d6

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 3c13d80970ae7da3afc41d68b5b0ae87
SHA1 e1ebeb7f8755c118e85d44301ae914e0c72566ed
SHA256 3e0e503fe8bc68582e3c33ea1ec6a5078fd77ca9d11a78ff1e174df2b4031e30
SHA512 72cdc8a9f10b8f80d440c93928eb04bcc6766cd297374aeb2a0f5b3f44e54da345614a49583a55be9311447106258fa342638bdb40befad511ff076661e8fc20

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 fb833a3d53a22f0239d99f656427baf4
SHA1 fa3e9183e44377d406afe93aa72618f243d73c96
SHA256 2d5389f8e83466c9d7a7ecd1318dd991dc8b9e56039fdb619962b1f8e28f6c25
SHA512 a5de5cf27e7a566a8fdfa67f5301037165c354f3159e85ffe159a03983c70fae275471fc6bfa27be8301e77b898ab2074522a072139c18d5fe63359846b3488a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 0ef6d6c8017e00ea63f515f82275fde4
SHA1 1572954c57f541eb6a2008c8b7e697054092f052
SHA256 4a1b1cf62a62f0aaeac15ae1037730d2d58fe91f79a3ee2f4afb6ffa2b57eb4a
SHA512 b9802001e81f2cf1a01ada953615b1b458032481d6f8279e2674c9313771b7f4e7673c9a9730c1575cab09c2faa16ad58554e4dec2ec12956ed5b0b34d0831cc

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 267a669bca2b69d1e5d4d081b3df1df9
SHA1 f9bdd9d25f665cc6684dcdbde638af5acb249a0f
SHA256 87022e6d0af1f97c9cecd78241983287913617b48dfc07581c9ab15ea6b9c9de
SHA512 d2b476105dd5ae1232ae0c9ccc5523eceb8ed740cbdbe3e8268b97043a75a26ac430832feee1bcf93716c662df168514bb28f3dd60c602b14f4f2f82cdc8e993

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.exe

MD5 c426b1c18360903af86c2b6155703a2b
SHA1 a7fea8caa859cfa1026a50914ae8f800d6bdd4a2
SHA256 cfbfbfa39cf8dff6d74df88691138f3da71a3cb0574e29446337216b0d084e56
SHA512 14282b7876fd466f9b0c636522c712850a6f393f207e7dcc7128411b3921551de270ecff2412b26dc8011c63e8dd42fca6dcc9d27237fbe00165f3ed262d91ad

C:\Users\Admin\AppData\Roaming\FormatSplit.mpg.exe

MD5 4c33073a3933169e604941f66c35241f
SHA1 6f3ada5793f276dbe17d5830155adff1b2e478de
SHA256 3db3fdab4b6137ccdba908e5e427f2daff5f321f11713f33b6c92629e787ff5e
SHA512 61b9a7c36e21812bfe5ad6ea113c7ccf135247020cd13da9cc64ff62a0b5975e6f0408510fff8714a112a577a3f0f907e3fcf46ec81b1776091afbb9c489af99

C:\Windows\SysWOW64\shell32.dll.exe

MD5 d2777f63516ce2654af17cfc5cf4081b
SHA1 6303fc8981bb2c8c43405797db6612fa5acadca6
SHA256 520fc784ed3c3ba28beb1c9fe6b38921bcac8bc8abba9a8e7066bb59bd2af17e
SHA512 0f72ae81cdf5e05a7f91789dc820ca8b8f13efff19c66e53fd00f7f3411c627b6778ae2cda8e93c1c0d9f2cdd6ffdc4e9313743621f180bde68a0e8360af51d2

C:\Users\Admin\AppData\Local\Temp\sQEY.exe

MD5 2a34aef5ec7dccd31d9a33d86fbff3c2
SHA1 bf3ea9951e4e5867f0ac37b58224b59e811011e4
SHA256 d556833482ea018a87db437a8a6839ca08233d6846ec87459ea186fd2410ace7
SHA512 e61b25400eb5a5eb63ed69069c42f6f670b4e9de801ea2afe6313be165e83a2ae0f669a0153a46acdb5fdc85ea40e23372613d7bdad30cc7ba34b07f45104cfd

C:\Users\Admin\AppData\Local\Temp\uMoi.exe

MD5 cc3ef305835e1a244f79d76330abaec3
SHA1 d2bac48985609fc88ff638651ac11ebeac125e9c
SHA256 3305ea8ff7250f3e8c08640fd01bd303dc431ccff16dd19ce2d1b0a23eb9287e
SHA512 e886670f87f486893e064ebace0e32b8d5c1cc9057f909cc652bab7bd44dd62c075953297d66511313b9d729d1c03434307037379c50fb1425d819eff80c33ae

C:\Users\Admin\Downloads\PingResolve.mpg.exe

MD5 9ac8a551068cefe0d179c97be6bc9c16
SHA1 4fbbdb91a96f72b4b0801c7d35b3ba31af0ea074
SHA256 fa233ab5edddf078c6bcf2f31545f2d7f99c0dc2707f1124a677a774f032bc52
SHA512 20d9ac0086403236489870f2f8c1b13b4981e7cf8d2548016d248562b3bb4f63d3e1aee7ccf3dbe97e2161124878be280fcc97f3174498c43d47b80e009565b5

C:\Users\Admin\Downloads\RequestCompare.exe

MD5 64503c9c2d5a64588b94262fa193f026
SHA1 48ad20b36aaa112b15a9f463dcf416d98bc7027b
SHA256 62dc8cd7f9d1361dd6154c6f88e62bc98c006c229d8b369f956b47f2b7dcd031
SHA512 104d4301d12d92814cc8574a1a76e965d36e6a8a14d9b45086352d738848d83e68324ec5a3a6c6f80a2abdf6acf5509b44b1255a120a9dd0a32f6850193091f5

C:\Users\Admin\Downloads\ResetSkip.jpg.exe

MD5 a8c1eb76e67ef1398272257cc41a6c3f
SHA1 a28f9b89cf0733544c50502b60c70dfdc7f3e74f
SHA256 7f918f9289752585136795bb014e331d729c57ff2670e002361f6fb68bc1bda2
SHA512 1b1270d6722bccef1de73fb47bb4b8e28b8adca034383b9f8a1d332f5ce9f045a82b92a407deaf99adae116ebfddc1c2a8bd8b84ef06139673c1e51cc39c83d9

C:\Users\Admin\AppData\Local\Temp\mUAE.exe

MD5 c6dc7da92fced1d673ecc5bf77f0b617
SHA1 df78a77ba42b6e16a51b1caacea34c7b092e5613
SHA256 86f4c0312cd7f98e8d6a1a25f45d119d74dd9181d627ec7e65653cbf601c79fd
SHA512 599b70627d335d2181c4fedac28ca4e4f96d0c596952806301d01926b10ef2cb7f247d9914f908612d04cd40e32cab7d3b734697478d606d1f4b4db96c3447a3

C:\Users\Admin\AppData\Local\Temp\WsUy.exe

MD5 d92f96b6e8dda1070613ec7bff2fa093
SHA1 1150770045647415df7a3e1715a35f5d84f778c6
SHA256 88e48a97dae66d5da429238483b800fd49bd34a79bbd00f2e7c358f08c456e86
SHA512 cf8cb5a60f747349e1a493584bd918a238582d9fe9bd81e4bf96d02147e27180f3df6d2cd3cdcf14878b6e49b03ba22338feabb31572d22e0e613ea5c931b13e

C:\Users\Admin\AppData\Local\Temp\kYUK.exe

MD5 4ee0ab18d09def737b56438bc536c6be
SHA1 18b96e82c998e518f5352733c1cf5e6c9094baa7
SHA256 e877e090d5240a70b6d8e567226a5c810f8f324303a7bfdf8a210582379f1ca2
SHA512 1d8c1232579b6c67dba555b82ab66d353925f92818f29d496027271212bd37ee1d0e329ac4020b2906ced9444a49d6b33d0288ebdbea61c90b61d3e61a0a4ddf

C:\Users\Admin\Music\LimitUnprotect.bmp.exe

MD5 fff0a9148b212cedec7aa7bae3608afa
SHA1 2812c27efb66e4e5b414f9afc1809b8b16a6651c
SHA256 55829492fd4fe02885ac116c8b85ab3a46ade5990c0f1114a00778eb47fed86a
SHA512 a5a512f1b863fd0d0c8530812a93306dc514583de8f1a92c789de4bbbf5978f44cfbdaa7bbf328cadde1c1eb05d3c963b6c87ad5473fc70300df38bbc4fda376

C:\Users\Admin\AppData\Local\Temp\Kkgs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\EEso.exe

MD5 cd17b77771e5075c6bc4e7dd04997ef0
SHA1 0cd4eb834637571a04c338ad4fb6420014c552d9
SHA256 05ba242e2d029a50392f2b33669967168660c0ce3187254b5417ddc1711bcd7c
SHA512 30bab4f5b3a5ab9c88ec82d34853f1675c2a2b106d0e04d8f9a410c15c62a21bcfd338115dfe50228a445a70deb51aabd31351638322df4c04a4c647d1535885

C:\Users\Admin\Music\StopUse.rar.exe

MD5 f3c42867e1c7a0dd8b6157a7b0127cb8
SHA1 4f9d57dae123d772f6dccb367d443c5b5b2abece
SHA256 5f406e51672993197168efbf20a6685ffffd6fb310db57555831e6202a7433bf
SHA512 eb1469ead3362116a2dc03ba0b45f749f9c7e2148cb6b0d1fa523e9dca4ad21d61fd5b0cf306c5fcba388fcedcab5bd59a31a0daa63f73806f7b679f96558071

C:\Users\Admin\AppData\Local\Temp\YokI.exe

MD5 5f7b8bcef1a5498a6960912da26c3042
SHA1 0fd6f8efdaeb09a3ce82b3394553db578bb04991
SHA256 fe14e1088db134d6c3e6bba1786bf98c5a299cf59f44d51ebd0442f78f9fa921
SHA512 3dfaa7c449cadabf5e442756a929667f94c8fe3f6a5ce509d57c604052c2bb968201227eaae61392b12a765139ef20f749c523dbaba219282c955b878b51dbaf

C:\Users\Admin\AppData\Local\Temp\sMgC.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\Gckq.exe

MD5 7323fd5f129a8d3cd233f0192fd8bd46
SHA1 5a5f63986790b21f1620c2e3fe2cfac826270180
SHA256 71d7975b4e2a8abb847fe88c4657c51d8c8c5957e2dbb0fe5000d69309d3bae8
SHA512 495d459525451dd6a9e632ebcad2b8f29753ba1ab9177c89893479b7b8774c9af7d1ae6c18744b7e7fc9b191d209afaf79e4f7a40c3f988c9ec75491612a51cf

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 a256fceba4a13594069e458ccc5ddb5a
SHA1 fbdc53f20e6c15ed150d363f6a699729991d5711
SHA256 3d0b0948e7ba740a16652f1c03031b4604e13065c186d3293565c3f4d6b91b12
SHA512 b790634841eca711359d1e819a599decd1952a237bbf86c96202d290879b292c6517f2e4cd12d58eea7e48779db715a50de24dcc3f083fa34c9a32fb46af3bdc

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 0fcb818ebe7ff2a99dd585649c7d37f2
SHA1 ef8a7fc16bde432976b90898a13510bd036f1a4d
SHA256 a91451bfc2bf49adc7e17d7e28dbf555969c20775a33fd9e6ea0ed69fe1efe0c
SHA512 763c80e4afaa649039c7e10ef42e570c708bc84388429e6bd2a427878ed46d4d1025eab4ebb9c114423fd56ed014fcd44c5b13b6b60f749edbd01f048f4e4bd9

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 1d46bc6b3572a3973106e0f07330bfb9
SHA1 a66e8b7de22971cce810c010b2768f25fba45bcb
SHA256 10bee10a649e80d2aaaca4fc6a0636b19d4b60715eff976f56bb7cabb914b946
SHA512 efba27c8fbe928b6a951725f008ae830a1420909c8faf0b2b747f00abc7a8d9a64cf5fd3a18c5c7b99cc96c37c8e446865288033fd63ff3d894406589bb4c030

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 78c12ff5cf7a02bd9096326c5285aa2f
SHA1 fd5b27e39389bf858d8f1b2850cd6ee0f0587801
SHA256 1950ab6ae4b8f31221b03d0b4127959dfea937bacf2fb7fc5828463d6623ed6e
SHA512 1b4354285c034e9570fc4c7ed0ee03701e4c9d21aa6157f7f1a2bb96bb6e8e03a799c54efc6aaf65f83144427885feebe7981ddcbc2ad3ddf8617b1dbd3d9d60

C:\Users\Admin\AppData\Local\Temp\Cwke.exe

MD5 76ae6417ec80f35537a5fb08f80a7bae
SHA1 03d24b54537130dbf1536f7b04b53e6388cf4249
SHA256 e7c2ecd2fb06f96d2d0de34729c427849f6865b52f504424abe1e0929caec2d9
SHA512 1ba0f555e163702094bb484f47c6ab7224de1717e8926492adebfc71fb4e9b6b0711a79bdfd3503114289659c943967562b45652f216e69f3c33969a8ce70271

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 ac0de6a74b7fe61bce6520ee5a54e1d2
SHA1 2dcec293da0a3e8e5b2796b1187b0c6418ff879c
SHA256 084bcb49141f2b68e934f35b7712c090e0f9659071d65955b052b728ddf1ee64
SHA512 7167f84a0e20b51a4247903be5a707a53b09943ac42553908846c44f94ee3e15931922263e3dcd4753e76a214157d466517d7dd7dc5983d662ca3f0c9728fc38

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 c593af13c0c0769be73495a8ccc77541
SHA1 535328d4077d66ce309addf0d8f76ca306973cea
SHA256 a359fd26ff5f75a30de59991ed9fd9b2fba1319a2b2d4841bd68213fe18c7e53
SHA512 d3be680811238e2aa90b6061f9d1a410a84ef9aefa0e135391aeda8cd9a528f5ca5f65f38c0bbd7ba08b637716e45f442b25b77c5644b70122fe898a27a85b16

memory/2892-1568-0x0000000000400000-0x000000000041D000-memory.dmp

memory/760-1569-0x0000000000400000-0x000000000041D000-memory.dmp