Malware Analysis Report

2025-01-22 08:33

Sample ID 241027-rvpddayhrk
Target 2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock
SHA256 a234074508dab0f0a01abf1504ec77d2dffe37a322582cc23c3d544137012a7d
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a234074508dab0f0a01abf1504ec77d2dffe37a322582cc23c3d544137012a7d

Threat Level: Known bad

The file 2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (83) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 14:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 14:31

Reported

2024-10-27 14:33

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\ProgramData\Aaooggks\amsQQQsk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fgcssckI\DigwYscU.exe N/A
N/A N/A C:\ProgramData\Aaooggks\amsQQQsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clist.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A (4 identical entries)
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\Aaooggks\amsQQQsk.exe N/A (22 identical entries)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigwYscU.exe = "C:\\Users\\Admin\\fgcssckI\\DigwYscU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\amsQQQsk.exe = "C:\\ProgramData\\Aaooggks\\amsQQQsk.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\amsQQQsk.exe = "C:\\ProgramData\\Aaooggks\\amsQQQsk.exe" C:\ProgramData\Aaooggks\amsQQQsk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigwYscU.exe = "C:\\Users\\Admin\\fgcssckI\\DigwYscU.exe" C:\Users\Admin\fgcssckI\DigwYscU.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\Aaooggks\amsQQQsk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\fgcssckI\DigwYscU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Aaooggks\amsQQQsk.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\Aaooggks\amsQQQsk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\Aaooggks\amsQQQsk.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\fgcssckI\DigwYscU.exe
PID 2376 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\fgcssckI\DigwYscU.exe
PID 2376 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\fgcssckI\DigwYscU.exe
PID 2376 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\fgcssckI\DigwYscU.exe
PID 2376 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\Aaooggks\amsQQQsk.exe
PID 2376 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\Aaooggks\amsQQQsk.exe
PID 2376 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\Aaooggks\amsQQQsk.exe
PID 2376 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\Aaooggks\amsQQQsk.exe
PID 2376 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\clist.exe
PID 2224 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\clist.exe
PID 2224 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\clist.exe
PID 2224 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\clist.exe
PID 2376 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe"

C:\Users\Admin\fgcssckI\DigwYscU.exe

"C:\Users\Admin\fgcssckI\DigwYscU.exe"

C:\ProgramData\Aaooggks\amsQQQsk.exe

"C:\ProgramData\Aaooggks\amsQQQsk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clist.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\clist.exe

C:\Users\Admin\AppData\Local\Temp\clist.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files


C:\Users\Admin\AppData\Local\Temp\uQAK.exe

MD5 3dd56f8f8fb85cca605c7aea5cb57107
SHA1 0b7fa02c4b0c0e864ac92f0bc91f0ee64c3d08f0
SHA256 fbeee3ce2c046b59110643a071204d7f7473bbac4829b038b0d1b397180aa923
SHA512 7c94f9937e48e8e544b2046a4ff6bde536c0b53b038c2dd7e5fc84131c753088cb865f9c681623d5c601a056facd0c7eb2d770ff880651df3eeb4ec78b757324

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\AppData\Local\Temp\oocQ.exe

MD5 a2c1767907af448eeac79a29bc0de5b4
SHA1 8e87ea21d30222a0f9318fc8721d64a2a1c572d4
SHA256 9331c6e23e467b664ce9892772187b206f6fdaf09c1714da5e75a307e4c643ca
SHA512 ca0d6735f7dfa6c3320f4cf86d22d167cc6ee84f076a351e103e9d91e6006ac906c3f414d883fe62d268e5571b831a06e6a9c718c2fc0d0509511bb0ff1838e4

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Roaming\AssertWatch.png.exe

MD5 1db7d27bee2a9d7eb5ac75d70de18ecc
SHA1 ebe41e8330a22427d6a6c3ef41ad9599706b86dc
SHA256 84ccfb89783706641eaf8a9c7ca1a434d726fc12d1b8c14638157aa133cd97d2
SHA512 2bc2a51fed9e03087888e9c71c58ad8c3cea6e098d118fcb1a1a0e245181c73c02802c07a2a0dde796a51f93fa7721727e77acea1aacd4e089ef51ca965ed120

C:\Users\Admin\AppData\Local\Temp\ogEI.exe

MD5 3f3353cad2a30a06bb0ef289a5516b61
SHA1 757af9870b530d13623aad159af1daea3c7c8b3f
SHA256 0cc593ef577019078d8626e1298264cb88ede3fcd703da98389f747bfd962ce8
SHA512 5f948c34b0c50ce9e4bd5ee6061b83c2815fe934f9435df63f8d3d56edec9f2d4e19481705e63a6a1e3f2911c9df49fb6329dde26df2143c1bd5de828e32780e

C:\Users\Admin\AppData\Local\Temp\YQcS.exe

MD5 0f11fac9772042b108231ba9bdc52977
SHA1 7055f88830454cb4f34b987d65ca84b5e52eb456
SHA256 9c112abe64f47d64c2212b07e56c60043156beffd6a04f11c4d1e90aa1235c77
SHA512 886702b1662f70ca8c26dd98546a891d3241a95d6abaa3f151de37d59386ab9f762e1c2d9f78fea24521d7c527877877e79a920b2a5fe43fcb6dfd53827dd377

C:\Users\Admin\AppData\Local\Temp\iEga.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Desktop\RegisterReset.wma.exe

MD5 da1053dd331d6b5873af0b83ba2202a9
SHA1 afcecfcfc7bdcf01e0f1fa64db2b7f9ca2cadc5d
SHA256 8e4dc0ceaa03c298bcae3437eb52bd884ef9e2fd9097feb00856aa9b459ba849
SHA512 4f8175b90d77566c972fe6e8b77d581b584ea4aee6016318b85d96f279ef3660714efbccfa265d76c400e5e86da231f4e3e8dc1d67a7928930daaf7dba4d06e2

C:\Users\Admin\AppData\Local\Temp\OYUE.exe

MD5 d713246fc26a7a0c02715d87c720da9a
SHA1 eae8ce90591e38109b2508bd244160a681dbe03d
SHA256 4ad6f8c984568df681569e37ed11f20786b918d319f57342dd9c1edf8e3f81a3
SHA512 92af3fc8635192699d95e64c2527646c79d935c3145fe911e00bad22b10800481e8e03f345b88778a2e688754c13a4c13af5be7d2ea7eaeedeec260b61728dd4

C:\Users\Admin\Desktop\TraceMerge.doc.exe

MD5 7e475e85d0e3227d1949c5cad01e8156
SHA1 242861d8124a1aa89829ff9f0de74cdd40b5f2bc
SHA256 0e7c03cba169e941e7bc76e471ea1f14d59b2fe00c71be6c92c1c25ff15aa83d
SHA512 e2c2154b9de040ba808f6f0ed6c1688726b6a3ec08dff68935d9d757e14fb9387cd7598a13dd5053147db0bb9f292480fbd43b0e34395db340c9a3c3f1529221

C:\Users\Admin\Desktop\UninstallSelect.jpg.exe

MD5 2a7ffded6326e81f65af66a401ef774a
SHA1 0b3ad34d083dc01098d947e3ca4e937bbfa13785
SHA256 6160ce663609bd0d8aa79414e9d065ddd2c3df1e95d8d0fcfc770e8236230586
SHA512 71517999dcb37d5e380ac4923cc052a00c7f0854ec5dd72215c3bff2ec1061747ae6bdbd22d8e05452e94e7b5785a754f24d10ddbcbd6c191239213b97fca5ce

C:\Users\Admin\Documents\CompressSend.doc.exe

MD5 d2b1c49a3e0d852b057e598e65476afd
SHA1 b2a88a7fd38453a843b42b84874447317348f2f6
SHA256 790c02ed6c5f4c7af4a4c91a2bf39021c028be13c82a60ec4997e9f6c2302ac9
SHA512 51f879dd2d3aadbb7cc04d65b683ceb96c81878235f42ce95b597df64e1af7900f3ec49d73aa2f79f3b1d8756f0f4b141d48e5aa1390b717860c4ba9e1a31d29

C:\Users\Admin\AppData\Local\Temp\ScMe.exe

MD5 96fb0af0ffdd2aa7293936475cdd40f9
SHA1 9b4a296496480b695db1c19eeca5ee4e4817b6fa
SHA256 49a0c937e50bb6cbbf4c8222f4fdaf3f6761a7179b936db8bc5a601393ba1265
SHA512 b5e28f8cc7d758d48fc8a9db8aa5faf68178e7c5c6e8f211ad3283b72cce2d48f39dbf6c5c2fde47982641c17be0ec93b4cfa65c927b70864b8398dd32b7a6ed

C:\Users\Admin\AppData\Local\Temp\oUEY.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\AppData\Local\Temp\SQQI.exe

MD5 bfd00dab2cf1cdcd70d382468edcbd14
SHA1 f75835aed33cfc14d52a48f99a524960c0e4d0cc
SHA256 91ccd3c43826997ba03832a66f3944b178958b4ce231da00495a66b7605fc24b
SHA512 3ac15efe6e9b59d69206f055d936e86cc6db3bb5fce3a5cabfb6d7e2e6e8d95d5991397426820d0013445154e49d637a41cdc0bc79307d04d8562722efaaae5d

C:\Users\Admin\AppData\Local\Temp\IIEI.exe

MD5 e0bede5eecfd7033d2409968e10bce52
SHA1 173bd9de5c7b9da58779dedf88aef3971f7f9c1d
SHA256 1f3b3d41326c4b475768f73427570ce5c6d327bb2b3f326b480ab53bfd7b3034
SHA512 4ace4851df5ef0a9c4f6524498250ee3e6187ecdc1a0de2db8a63f20002a2b89d83679bb4488e7b787eef59bc68c677e348f020db591990134bccdbc108eb989

C:\Users\Admin\AppData\Local\Temp\Cgky.exe

MD5 c6984ba0400e7aec67200effab6c7bc3
SHA1 75256709f4e8baa2e04bee0bf2fc8c567483a411
SHA256 ffa5e9b04d0cb084a0ee981af5749cefbb37da60124b995ec736f09d54f4117b
SHA512 4cc109502a7d9669ccafcfc45ad8d8beeb2d752f17d9b390828f680113d987ffee59e0b072bda59e6772c4403e0fc71f77881378e0e6bbd1d0011d39cea123f6

C:\Users\Admin\AppData\Local\Temp\QYga.exe

MD5 b2c585a570e846a1d0f92ff1f88dae1d
SHA1 28a2c7fcae93e79a3456cd71338e02521dfb4cfa
SHA256 6ecd1f2c375ecf0ba7275a31f18a375d772d2f8124b36f6a2e38eb31f3194bff
SHA512 b0d63144080482eba498788d9f2f7ff6f2f21431069e74d489a70cb829dfbd347a27c217eb5920061e6ca1f530939c97b8cb90886c86bb0e0614025b2cd053ec

C:\Users\Admin\AppData\Local\Temp\msAU.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\Music\ResolveCheckpoint.xls.exe

MD5 1b496c53cb59c9898d36b5f134ea191c
SHA1 808430d99fc9771a5a793e99ab1df8d3cc5f0f4d
SHA256 97bef92e850dbfa18bd1edb45aabdc546963cedb50c3fca1b4ad8dbedbb57ed6
SHA512 23242db4fa3fea12bdff01470f1d5989e214cb9d4c50555275d1f546d95f444a6cd05d32ec48103f0e20dc736c155c711062d122a4e9c9766ef62449b88b387d

C:\Users\Admin\AppData\Local\Temp\kkYe.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Music\SyncPush.jpg.exe

MD5 11e6fe1f385f8e268f0c91d73f86b87b
SHA1 599787d8fef773fec27ce7f62ef45f41e6a0c704
SHA256 e4a34b49c962719971471f1fde5dbb7fbe3c5ea0f245c09357ef16cc32044e10
SHA512 c10f8d8e1860323e3744d3c51d1cc7295e95ae66d173533d71501882211582a3a53f55359ea8c040c71708463e1e2553753877391a174d481281cc32df61050c

C:\Users\Admin\AppData\Local\Temp\WcIE.exe

MD5 a5fc6e9ed3854858b8b6a2a2d9a79673
SHA1 208c2cdcefd5ac1889fc63f9eb867b57d88b6424
SHA256 91a32861c6ec408eac8b347a6eff4c0c74a7401848b560f0092b25e4aa29f8c9
SHA512 dc1216017d3d6d50228175602a33106859a94497bed8ad4f3d9173d2bfcdbb2617102c91e02807b24b8b7bfd8246f5b841b3f95f470f5d8d85e5aa2dd0f29d3d

C:\Users\Admin\AppData\Local\Temp\gEou.exe

MD5 31f971e4e8ad511c4e4efb50fdfc1afd
SHA1 1aefe03dc0ed36cd1f9e691adb14a5bebf4e3bd4
SHA256 a4c2209a8b944ce06254dc0433e48180b9b1edca7d7cac8a89cae01aaba1b076
SHA512 4cbd416817268aef18c346ae332b865f10fa8348713646e469973e30945b9de063b16ed827372c71f53b6d6bfddcf3b7e216ff3a90e7af9720c0e7b79f1fcccd

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 3516fd0d6db0f53dbf73458640546329
SHA1 b50cbd8b819e8510ed25a6d36f35bc22f5fe44db
SHA256 5fcb5bb8b92b9dbdb9cca1b21dca7373537f5b6805e3615198b491bd33d0851a
SHA512 2dce583ca6c5238d0677d7b79c3cee949d3adb902db546942f78d1c9da73119112016e2e1738b38839ebe0a3baf1b95b6dd8182e50e8bd1ae101b5cbb2453d71

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 083bf464964739eed69af2eb82b8b488
SHA1 4c48e0f51011c6312662aac6a9b6addfb3e15e9e
SHA256 f5bedfe1127c230070ea0a59138ffb90df4fdc0f05b60f2a56cb65ba747fe9c0
SHA512 995cadccb6bb25523171feb2ff17e3ad7c38d59d45351c1466f589dc99035e6a5456341b531682c8acff23d481c0831ecf6cb761e1d95bd4a428fd1fd3da528a

C:\Users\Admin\AppData\Local\Temp\qwYk.exe

MD5 f0a81094ecba553b8dc6b6cc3aa8ced0
SHA1 096f1f47a5b313505b3e279855d580985f38c19c
SHA256 d2128d12e54476bf25f2e7886e7741cbcc735cb5facade094e54a35d2d481522
SHA512 99467bef708d1a7d9de3f1fba1e68d28b0512076690bd67d758c5bb4a688375d74c1d6072052e7a79ef4e3e2f4ed0a4e7c958278696a7056bc5c3a3c567d360b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 a70384663ecca96c309673359b6bf19c
SHA1 7b94b43f8bb1d6a54ce079664a020c5c490ae206
SHA256 1f18a2babffbfbae903fff8e12dfdc6868d27a9b4181dcb1722d5836e0a805df
SHA512 4f146b678f449be3b44d639970f7aa8167fe634b03e1e7cf8d34e726e2e46eb108fb1af501ba78dae6b183c622da920d1701290f3d406dfc99ce541267f5263c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 66d6e1864ad290b7a54287bc4becba52
SHA1 2629650b248e9e03f1d015ec345bb92d62e3cff5
SHA256 50189269a53a6c07f2752eb8d7e59ad57212d5afd149552ae7c2b94d0dff8022
SHA512 60ec7ba2c0c358443a1a73c56a03242785ea613f6d9754ff99b71fdd6da033c01652fa1d097713a43bf8a306a091e0082bec3a08f7f8fcc58ed703c9831188b8

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 8d400ea1b66544915a2a6d51a4a0fbc5
SHA1 7df7531beff4855334baff68d23b587ce1a8c3dd
SHA256 30e2bc14aadafbe8dd07565bc79bfd2d8adae5396e607491264a4f99f6e3f5db
SHA512 41aa15ec735b7ccfda92a22059d7dbe099060c41faa0037f4015131647b6e3692090e02cf1b1c381737659be014348dbaee74bcfdfb7e2cb52ebd86bbfeed252

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 45ca920d70e6b626676b6c8f49890b43
SHA1 f7a72f2701905eb7b1184de863de788edad64c05
SHA256 e6d525a4bfbfc74bdeb239edc28dcd4ff58a386d59732b8212ba735de7daad82
SHA512 ff7626d65ed67b34dc3ea609a24efe2d9b9768e3ac7047cfcfeb820281c2134223e18a375f50713fd70d61075957b66293765003a713a1315902b17f002d62ff

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 59fe5c01b8e542a975e4fc37ead1e070
SHA1 24b3fc07ffdc3c6a763c6d96fdacdb2ba62a4254
SHA256 84ca924689715ae75e8aec48514c75cf0e065f75e594af7089611e5efd938410
SHA512 eec2203f28cf6d0257346f30a95251b88f148cca6921d4470507d603009acd1ba68e66a51f0795635e8ade8ae26c6b820a81ae1ec29d801a4d5ef40912d3c33d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 0135901e0963bf76c4fdf050a8364645
SHA1 f26a6ecfc65f92982aa881b671eb959c57a1ea35
SHA256 a5f660b1edc22f2942153ab46e569879a2f150c9afdce6d36c7e638692e5ae9e
SHA512 c5a48a37d5482c107d4c6968485f0f1b3c07fe64818db62642ee749bc0db9c1d52dbb0e1c9127b0db054655a2399e3d4f7efe109ba669c3a98c287f6110a3376

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 e6e7b90b7fc86dadb4925baae6b63f41
SHA1 d8a3fb6c1f69a412c8aa133128a15123ba0d0c2b
SHA256 47069ebad60b55e1abd12f365fec0187aa4e059b4ef7d8fe03e65113f076e773
SHA512 87488a477fc9283b5143d2c9a366c8288ec55ca48eb15e72b1a217922e804eccbc42e68ca47a416148e64e4d9ba00fd00498f5ab36acdea4c11d62526c61f651

C:\Users\Admin\AppData\Local\Temp\wwsi.exe

MD5 b2c756a116d8a7961286811e7253ddbc
SHA1 972feb5faa5945d1b7839846b63517fbf805d74a
SHA256 7641fe76557493bd9898b6dc3fbcd70f93c340051ff3bc852ae584f6acfcb6ee
SHA512 b674ff7df7babe7676752732a1f2c480763a7117d666ebc8a9120ad8691d14e9ef90bf686606a7fc2d276a15640ec5ab1d13110f07204fe5d7323c63ff938c33

C:\Users\Admin\AppData\Local\Temp\GIIG.exe

MD5 41643bc721e336fb9bdf8714a2ff133f
SHA1 1665eb6360a1b11664de69258699042a5b0eef89
SHA256 7339734d6821e82a58513c90cfac17ed26937afe575cebc477fbb09400bfcb55
SHA512 c46447d14affb4795367634896b1d94985d02c253e8f1805d6064375b9116816a877e6c6f94a7107909d35a6bcca70b56c0c86ba51af24f25ef9fc3f0e1e51e0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 534d54f6def42760d5e8d1d9c0ae1b29
SHA1 74908767480b892461b03af769ed246256b3b990
SHA256 1c2ca27b0bdb9d9efa5e1612a789f9c901d58408cb7b3d512ed91caf284e237e
SHA512 29f1c2a6c13e208a0db10bcd66a0cce8b96ddb03b77cbab433751035ae85b1d214d658565f3ab13f59960bbca8648665774299b03a95696ecff2cb825276ce77

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 ec2b1e7c909df60ac2bb448787b3e772
SHA1 95293f3acfd8aa05309f55c6d856cc228b86b629
SHA256 3573f8dc3e2e443b20284854924fad5720c61be02c4e5818a04896cacf31b2ef
SHA512 4be3d50b495e2ebf390b6b59ad79615f269d9180d34a64c8bca1f6103a309288b133d573a043797a481902ecde222fecaa2d71f437e143e321e6d3a296226f90

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 c19f10d60fdf50d2f59d7026ae2ae103
SHA1 d56fdb9884c7547f441a5e2b9ac28fc18d5e86aa
SHA256 273916211f5ebbf248dd6794cedb7b6d6239a72d63a0d5b66d39823311193416
SHA512 eaecae84137e361592144652b996f78ac0a7945185c85a955c2a0af0186b412d7fa0176ca546fefb2dd7ffaeff987d1d76cb5680ae046a08902351e894044653

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 007064ec850a4a38898636d2de6c1193
SHA1 ef0c3224c03c4cce0ef81b43dd755e753dac3c78
SHA256 99d4316e78e1b25189aea2b03992be220f2b45d9e74822a4a96491def07869f1
SHA512 857249ba4a7a87f0b46e19c2bd289513347975f05267a6ee3cfc84f84e20ab3025316323547517210410f6932e6f6645bcc07973458de701853a86b5d422c738

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 639c0fb18cbf43e7f2915c1d882f5eed
SHA1 9cb206bf459e76572c53ee071493cac9a79cf228
SHA256 a0a90b108f51b411d647ebb2af8966ef9e1fd5a0ad2d04c1bd75415a691ab764
SHA512 6db0d6a0e23cb5591c049136fdc1e9b952e7a41906591fe00e4aa5dd1e1f6c33d6ac7996ece1a02fd7cd5d5e7dad5d61cace8c4f0be95c659e6202ebf355bec4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 8a6a404737dec0ebf0212dcaa55e2ad4
SHA1 36a53ed0bc7f2bf4fea80b19c10764e131503047
SHA256 5a454b83e0c7f4667f7432840f42b8ef6134060cbf406e31bbc82ad424124940
SHA512 ce9d5d0307ee4e912edde236fceae0007b439c85434793a61e3d70150a84d571a30f955e6d11b6fc61fc5b75762fb75d0690772cdcde4879c4754b1456818c15

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 ed21a715e2dc83b0b2a52f108501b80d
SHA1 3fd0dbeedf64c04cd6fda7e0d796b6e7189b8d20
SHA256 65056d5dcf2050647c488000f87700d77f4fd59d3b670edd99eeb4c76eb3b257
SHA512 f66b6ad53c74f2beb331816f8c11431a33481881ba0a32faf319273e6ba00c890fb7586237cbef75dcb806589059ccb27e1210f4734d63661c88b17d9b1f5f40

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 0ed5f4a5bfee19ea27d388a50d46de68
SHA1 06b69cf5cb4cb5236fd48ada1f4299b5d5bcd705
SHA256 6e6959f21b879bb2db6b9becfa50b58bc35d31411a93884fdd4d22bf8dee8b2f
SHA512 e5d77c7ba8f1691430ad8779139914e68b37b116285a338002493c9fd2133319aba88d1c21ca9ffbd3e82db3b159335d24cb2d91a8de026b786a77481cb69d2d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ff903ec4206690e702ac67a2a63c5139
SHA1 cf7282073471cacabb0a11309e43667f10f5df8b
SHA256 3130ae3950088e7d892e4f1343f38c2ea6948879dd5cd476beb5f63bea75ab10
SHA512 15274865c1c51c749d45ff6d506c31457e82d28603fc12dd61834a01ec7a9633ffc73e65acc160dc21346a6efccc817d8b13d99582d04626d260d42c4a098a97

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 8695d1ed33a5f4c9a105af8f93d28da8
SHA1 59e1385038d42fde313320dcd39af96b9b80861a
SHA256 c2115e14d8aa7edb17521d53d69ebffaaec090abe506e07f1ba926055e0c7513
SHA512 4d54e1c7d001522114c0cb2c7566e95d44b6eb130e94898ab8762f153cbaf9b2718231ffa9bb882e768182995b660205222f9b9645f572a1240b17ab3a1c2584

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 1bd8cf281589741fb82f770a6e0423ea
SHA1 dcf64a36f0b9e561bbed1e46c878eef1e0956e08
SHA256 64d5fd6135c34f7601a61d96b1b0e0f5c3267054dba280964c6aacee082cb49f
SHA512 91f2cbd5766ec0b59715d3079e385cc3ad81c756235a76e34cbd8ec4ca2bd9e5914ab037e6d77fe9bdbc24b45707125693dae9ebe0828fac96f4fbac881c8b09

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 ae9272f9b544eb71a8a3259697a32334
SHA1 5f38d1516c60a8bc733586f03145b478104e89b1
SHA256 0e2d875a1662b19376bb230d23b0cc79da8fea17c26e061938c9291bb537b7f3
SHA512 744dd98f39a6ad989f8b852085a8b63b5ba9b89b203b8b788415af2888c32fe9bf688a13a48abba2c0cd0373854e3cc3e55997959074cfee9997f2624bfba830

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 179d8fc2a9bcabbf1cb395c50de53faa
SHA1 a6f0bb3ffe1a8869dd30bc24051a3803cc5811d9
SHA256 9340b37a048ba23c707c87b2959323d7144f5f058592bec60a88e5b7d6fa60bd
SHA512 03c6d71108222b4129cb5413599aa00cc127d1261b1cd9c258e2c1d5952b1f0dfcb44465ded78588fed87950dca9e91e786120a53db96c5c19607ca314afabbe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 3029e90e19f4f7295e944dfe807e4cf8
SHA1 70355bf16736b35276fec91b420454c9cdf20bf0
SHA256 2ff751b749679efba92c0d351a97a7d3d820148d22ac5c77b4a689129f1f6283
SHA512 e20ada066b45e568f902da3785ae6f40365171b672d2e35d6b31cf659b627ef0290266f06bb735111969a6895d29e33cbf2b87c297f5da66dfbdbb09640569fd

C:\Users\Admin\AppData\Local\Temp\OMwa.exe

MD5 dc590e25410ffa59c90f32cad06ebc98
SHA1 1b53739c86c7b659e8f82697ad8c00898035fca7
SHA256 f0f4dfe934d94060ac592b1995cb7fbfcb50a1b721bc84ef8b28ec3b678d67e0
SHA512 26b37c89635b9081c728336f4b42c8a186cc94b626ef391dc830c57277a1afebdf457db7a1da54380c898a66feb2f01cd4dc89fae003c4664aedc8522e5b6bf1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 e8533028a7b8523f66262c006f8b1298
SHA1 36a653644bcbe1d14f7936234bd13c5e7fd431b7
SHA256 21682fb9cd83286b2314c45c91820062e12d61f1f07d8d24e72735dca5b41d4d
SHA512 1aadda0f7cc648cbd8b660292ef3c6df20d09d20feaf375863c63fc52ff1a27ae661f7e44e2d08eff511675e438398c5bb212c97b78df19aabf76c86f3b9ec84

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 ae7c26e1ba256359d1700a119a8e3c73
SHA1 4b0b62bed93027670faaca464499a29be6317918
SHA256 33b65a8e40cd43dc46485164ac5a9ff961967e7527d3f0f06e4e013dc7b7268d
SHA512 7aff1fdff6b27ef947c051d090647e64814b01585500d2825442c8442a02b24078867d03b5426a8fa420210181c5e8f79f169e3164b5150b07da3ecee6a90997

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 83f73ac84f97a11f1532042447e31582
SHA1 51962632636b525472545a765c95c77be1d18d40
SHA256 0a61fdf4fd3ba39b8a9ba629172709e4d0c888f0c9632a153afdfbc5a31e55fc
SHA512 7fd6527378fe20c8ab95cf6c95f347e24543a6a7d8a234013621c234a19b8a4566df203a5e53838840e235e543f21971de9a110138f0cf5c283ab22644ba6282

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 41fe80b799602d84942dbe7c903bf45e
SHA1 dfc070ef8f0522f935bb6c04e9a3f8b0973c605f
SHA256 e1831041ee4b4d6b7be102cf2925ad32e2e93fb903356610a818a1e2952b1af2
SHA512 5f6aae49881e3e1b8e4e97e8e4abd22cf3c45950623bb76d8a3645697b03bbea0ae646079ee4d8b3f7e77a71c1529f51c207c5d80ef101fc94050ca6e3195699

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 670b2e3ec2f63e3eb9f61489eff7d851
SHA1 b202498e8c006f2a2d442fdbcebb4b0c875d1d96
SHA256 e08a918e361cf1e34a26f9d50662f7978c8b41e49d258e651fe911f85796bbb1
SHA512 96129eb70b6e6924689e70a3983279633763e828bdee190396aab9746ba67fb6f7b8e2f49cc226a3cbcdf25bfeb52fa4e41ba2d6a950676560ba101c1a56f578

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 d7888367a6354e38cc9afd99f0e1385b
SHA1 e56d0f0c1e3c2e28772df854260f11bddc56ea22
SHA256 42918f40f4f1b6ca151272fa130d3e35e6d5d955f63337d3408f31c88260b993
SHA512 fb95735e93700878a5c89ad5152d0822d24c2c4c7b0a46c23487f4938382de00ca313e80243609319fb4ba29e7a8abbceff27d6590915d98021839c29c568ada

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 346241e6e96f58bdaa9769268ad19f46
SHA1 6b7744c8ca3046667ad264ec3ffd5fbee6a1497d
SHA256 c72579e1bcba2c2c22275a46cd0b24d22825a8a337086cd7b7ce5f9f95beadd9
SHA512 e4a636d5ad350908e013263317d20d69a35dd6e1c2e218c9e64d224b887c7582a1ea596062b6361faec487bc13d53f4379ba4cac87c294f90718d19c161af86e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 3358387fc7c608ed242bbd3aba375805
SHA1 0c8677d74b2092f274853365411744f4445d033d
SHA256 70baec8378dd5314a44f17c3a0d597ae65d728291ce49f5e5cb2e0a700b86eec
SHA512 d0848936ebd8501ae9fef38430f98551c43ecb98083609c2b8254da39613ad55647834ff18f6103927f2e50567431aac27a309fc6017db3e03cfb2adf04dabb8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 339a91c0875078e52d304f1f8fbbad40
SHA1 439c6cc50cbc226fa6a40da80932224533d2980f
SHA256 a4382044b1b68c753f18cc2593cdc0a030d9fddc9f13471e4b86322ea5c9faef
SHA512 a0d3ec3cd04ca498fe9c5aa36b95c7f74be2d9d40d61a3645e638e493cb17ce11f7e0b8333be8c50eed09886c46d0ed1d1bce7805c7db8bdf950b2d05be1cc7f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 e1bf1f081d20ea8b8817cb6d971dbe1d
SHA1 5ca1adc68951640b403e365bbebb1efbae757545
SHA256 401efaa65510fb0012acd661031023edc0773544f9d5bef58ba83c9a94cc438a
SHA512 a91b230f12f960dfd7473cd755ca1b5a5ddf4aa9400e2f0ec85ee9f5546445f21774725922bcb65f2fc0984aa7a6d5ee70503aedfb149d0f3b26536564c7353a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 738b688b5824ccc10f30b196f9834a2e
SHA1 e25418d5a80f387fd7d2f8b10d26877dc79d3cfe
SHA256 bcfc7086c0be6310f0f8975ca75534a3b1f3737e01b876ea6332abc18c502a1c
SHA512 ac8297c6abea4d9ba6078227264d0f0b36066e603132897f6a6655acbef07d96ae2882d18cb3d23756c05c36dec5ab19bd4fd3758d5fe0f8f135836b9a572eda

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 8878e68a20a1864132374ace44929028
SHA1 596d632cfff4b1cfb9416af072963b59516eb07f
SHA256 5e80a9a2a0d5a2a6016b023209fa46b3bf86ebd9c96103040c87453813686dd1
SHA512 799356d012f2e27c11fcecee01cb13926d0c38667ebdd5b03bd0232a085acd0c5f7c0426df8d0240dab7719b6b7cf2568ed86bce1fe376f2e32b766536579100

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 bb7530c706ddef38f581793ee9d5f9d3
SHA1 9d9bc0d3aa453f2ee37861386cd42896039fe55b
SHA256 0de472bf04613e38dafb22c9ed2218e3376602c6903a6d75ce0f05c5b5729cdd
SHA512 6a15780468dae56682b3e9a632f5abd11c5b3a996db14ded62f6cb3873770f652d6dc128b8044cd58b9d690b7f6b77e51e8c5ad2f13e8dad2eac26aeea3c5a83

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 40cb8366db0e6122400ac7d1aaa5fc51
SHA1 c8f645830bbe67c47e5a23e2a5c33b918354d056
SHA256 94c35c60f2750e8093988f6d5224ccd18a11b1ef2f408ccadeb2b03445d55186
SHA512 819741ec73328ea65bd710c9726f436bbc23c24823048302ba15ee64ee82b90df273795ac5a0d2a6cd52dd186a79b23630dcc5190a07ac24f99088a534559ede

C:\Users\Admin\AppData\Local\Temp\EgMA.exe

MD5 2e7e8e94b87f93c77556ce2cb581d65e
SHA1 870da8978630507abfc8d74b735f3df9dfc31481
SHA256 bdb2b7c18d0d13e44ec1da5416f0e5cfb16b46f4e50790d946facc8aa04edfcf
SHA512 17d5e3d4b3a1c48105efd864d5da9a2fee79ec224ce9f2960e6554416be3cc8dba55b8fddc51bd017eb1ad64310cd6eed8fcb0d16bddb6def2bf36d33d10a534

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 b319f92fcdc5aa37c8fcca5125c5c8c6
SHA1 2bfce943e3e03d0a2d31a8db61f746e509e7b7aa
SHA256 2e720c8c8848e8267ee6fe2aa143b9be24bb211d26b79ac0a859dd5fe940c04e
SHA512 9a7174d498aff50d35f2e4b82c21fc304cf3f2a6180fef3566e9932a3800d4901a6fc0c8ffbb54bf9a15855741dbfb70144487317b02ee6fb0e458d249ced4b8

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 64bad6e3405b1ce202ae5e28fae5885a
SHA1 a12daf037c27195ab0642b722cbe10512c6de663
SHA256 3d4f02096e5945a8cde821f6476001c9345ec5812d6ef3dd38612f1a5fa09751
SHA512 1433baa743e439af65811af2b28745fec5be6636bd3c63a4634291fbc125b35335d82066062f6744024a5d0103647e3b71d06b42e455b1613ce15a20ee2fd8f6

C:\Users\Admin\AppData\Local\Temp\CcAK.exe

MD5 2753d8d75ca71c86c5bed048eb284e57
SHA1 6c47d10c4faaacedfd11f3db6158a87604208a5a
SHA256 7fdee48145f6b94912de41d960893870a1805ab7fb87d9a9304fe27bd5091dbd
SHA512 722c793a0db79d91691bbb925c8ba275f59cd9cbfbf17e2888a2212505879b0a13e6d19ae240836fcef071f838f12fdce733c6ebdb86efffa153015b6592d50d

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 a01fed9939cf1dfc4dd78b031f82ef29
SHA1 3b6a8496ea8de0180297cd0ee721c200b3dc3eb1
SHA256 25909ada930cd067c40d9f3264ac889d658d57ce864678f7594c1a8d0181ca9c
SHA512 180d65b10c485c3484c7e83ad256fcca17210fc1cd4e23132d97dd98e2d2c661962e798c0c51b1931a7651adc1d7654592e7a0de24f5d8958d88022e3823cbac

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 723b0eeb0ddfd646268c2df87751e01c
SHA1 2a62e791b2c7b6d0764999c4e64688c2fdff6eac
SHA256 62efb99ba33bb323fb7299a85b137eb154ec6ccf00a3698250288e4d8f4b6345
SHA512 53c321d08fb632862a63a11e3417a44e4fd23a2ac5bf528bcc4d30d2721861437ace24fb12f2302f5a4d54534de06b36366e1d40bb0cdbcd8e3b4ae50df5912d

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 ad3571efea931d9dd8c0432314857975
SHA1 d242b060a5e7a3634bf5b950c31e436b5565350d
SHA256 6e3b79db2096ff135b6fdb7d3bdc6d5cf904c731929eef4962dab07c8d454a1b
SHA512 b5ab1b9351bf5f694637deb1d4d07396308ba9875407c690dc78b37c5437a26a201506340921213e24bd71edf06ec78acb2f8821a45101af47c7fdee53a8ea40

C:\Users\Admin\AppData\Local\Temp\yIYY.exe

MD5 598ee862cae66e3fefa62076624009e0
SHA1 39f0d8315409d099395591f89ec4267d1c6977db
SHA256 54750cf420020fc3a8538e57cab08f632830fac24c42d38b526a420ab0aecdcb
SHA512 ea9412236b5ec7b1061510a1de5d94308af2340b67e9fb5042687def4bacd459859658b020810d97f3ec3ac8c699dcd47c0a4dc613ce97039a79951ba9737e33

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 3ce13448abf020c6b4352ff10ca50717
SHA1 acad35f854f3d064c5961929cf16c9b2f4a8b7ca
SHA256 c0dbc1831c6177e692405dae4b1984d658ca6f7109ebc08617ac768b8b064aac
SHA512 356f13dd088c64210c1b9bb1059c6bec0640165d4d4f404d62311917b71836c38ee7f94ed633976fdd3c679d67a5a29d7dfea4d440f7a4d6ced6eea0f7c6fe72

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 f92cd6355703be4061ec4eb567a03757
SHA1 50a9cc07b324684ef13329e6c06b5bb45f41d207
SHA256 e9ef12264ab7557bb65e6e8a6ec8374b3b5abe89dcf3429f52070f13a69dd7cf
SHA512 72d89bb58b3e167fbe6051457b25feb81f5c6842b275d9334b1fc14b2ab4a350b08a9d080358172fa08b9ff254e1661a1d5b95b599a84920c3a175a861519c18

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 1facd7dd2cdf0be56eabff283f923f3a
SHA1 3474fa51d02ea715fa33f2e912770acd40ebdae6
SHA256 2156d6d38ab829b6f74bdec5cf9d2f443716d9ee5509aaf2206b0af2db97383b
SHA512 cc97e6c7fed29002e02d4fda8c4c6e8f226d500c800da18d1299f104a0876e0c1e8eea0b02fac76aaf47b463c923449c7ee7311c8f7d4fee450587b5d14818e1

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 91f55e2b437b6fdc193d81e76d586a7f
SHA1 2cd13157a6a1b0ddb1abc3c195228e266410a760
SHA256 738e2fc5e31f9efcc484235735d600c8396f13222cc74ff33db92546c1cc3471
SHA512 aa1e0b33d0262c4ca2a306592ffe1ca6700fd980bc04be01aab31502ca95a7cf64f33df7776e59be8a2cde122c8eb3ec56ddaa777e035d5b9d699c162417366a

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 926b6d1031aa9ca7f6176829a1d35797
SHA1 666177d9c59f8ad5969797eb64538dca8dc3da66
SHA256 4aeaaf178e8ffe8cf65803440aa503d6e808dce7a314ae84725182cf443d1b7a
SHA512 1168301ced43c1ce3d7e85158b70893c99a06d72239850293c4e8b358bb1ce8324461d3ec4d3f178eb47c57e74db92c89f50850c6727721cc1c97553813fd47b

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 ead5158fc53691a597a8264538de302e
SHA1 a3fc095f06c6fd58f34cc6e3dbbdfa77cb5b6adc
SHA256 59c76ca6b8eab9d0fefd46036464a0334ee8006bfa34cbbe8079c4609518d12a
SHA512 418b3ae8c1145ce598061c90dec137adb811b937906439e16c30ffc01f3a95eb6f0f9618337ff718009292149a433c5b006fdc7fa4bb4f305832c567557a66ab

memory/2340-1838-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2104-1839-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 14:31

Reported

2024-10-27 14:33

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clist.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TygwwwEg.exe = "C:\\Users\\Admin\\mwQAYEsg\\TygwwwEg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZGQUMAEg.exe = "C:\\ProgramData\\OmQUoAIM\\ZGQUMAEg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TygwwwEg.exe = "C:\\Users\\Admin\\mwQAYEsg\\TygwwwEg.exe" C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZGQUMAEg.exe = "C:\\ProgramData\\OmQUoAIM\\ZGQUMAEg.exe" C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A
N/A N/A C:\Users\Admin\mwQAYEsg\TygwwwEg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\mwQAYEsg\TygwwwEg.exe
PID 2892 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\mwQAYEsg\TygwwwEg.exe
PID 2892 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Users\Admin\mwQAYEsg\TygwwwEg.exe
PID 2892 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe
PID 2892 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe
PID 2892 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe
PID 2892 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5008 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\clist.exe
PID 5008 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\clist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_1299edd2cd067683f92fc0636864fba0_virlock.exe"

C:\Users\Admin\mwQAYEsg\TygwwwEg.exe

"C:\Users\Admin\mwQAYEsg\TygwwwEg.exe"

C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe

"C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\clist.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\clist.exe

C:\Users\Admin\AppData\Local\Temp\clist.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/2892-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\mwQAYEsg\TygwwwEg.exe

MD5 18a5f43fdd1a884667561423de6c8347
SHA1 d0c6adbf7b899802734de5e89dc0d24b8dcb9d49
SHA256 991b5aa73fab04d952bd3fba1bfaa6f59fff572cef82c7414fc55cd3e9478ab8
SHA512 2e3128f07de9ad0608e74276d60917d7cf8ad700af491fb0469573da826982bc5e8cc0844081b85484d0c0b87ee7c12e4c0ca993c92b165e45aa91e4e1c551fb

memory/1040-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\OmQUoAIM\ZGQUMAEg.exe

MD5 d59026671b2c8409f2cd6f46078c9687
SHA1 b4baffc5c04e3c02c1b2183935dc8d0c06931f88
SHA256 c50d960e4f765bace5e1d1f4afd046ade9c559df039826c1b96e39e7116d14df
SHA512 5a0ff7e678672fcf254c6d096c44a4d2774c00544679e77c14df8ed6c31dbb26aac82650102f0488c29bab04c459a921f42b3151cd6aff1af3bc4f401a8dd672

memory/4344-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2892-17-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\clist.exe

MD5 af6d4428fb42903b1578b31bd333bf16
SHA1 c0d52a608a428397140a772920b9c3ea627c2cf3
SHA256 52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4
SHA512 eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a

memory/1256-21-0x0000000000D10000-0x0000000000D38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gYkm.exe

MD5 e2f494edf3e036aaeb8d9208f7cde6eb
SHA1 2cbd3cd8e0121d6ac182b351d0615fccb2dcadbf
SHA256 76accf37d61ddb725047b839278fb422ed0b2c9eac65f0477e9554b0ddce3953
SHA512 3e2259523fe1fb8eb58d590f84632a40ea11cbf2da6cc4dd7b9a6a3b94b972319c67e903763630714ff4bd1146b331e13efe6cdf483bed91eb629c0d02a538c0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 a498bc321dc30a5e99d34e7bdc2e737e
SHA1 e1a3244aa776dfe0887c9c54cfbc649551b84afe
SHA256 98dc19524e5f56dc5934fca0d2825a0440bc780917a08f4a4a1acf6444cdeb6d
SHA512 f77b7b5c2c07686f35f38256cea363a813c313e61dd5707ba6f561ed185eb3384a93a9aa18362eaa1c9edc9443a09133f9a53619b846a2117ad0ac98b6495502

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 2ce54c76a1ddd3a7eaddb26a6381cd38
SHA1 d7d806419fca1d4473cf6a11a6b690aeb9a2fad0
SHA256 6506deb58980fde2424afa970470e2dd3604661af1f697d1dea29a07ffd130f2
SHA512 82d304f57a7e5bac09e3a459ac7f0e3f9e8499efd40719d79365c87aad9b8bfdfb427a2136709e13bfef3ed07059f57a7872bea6470ef3d97205f4fb8a121d1b

C:\Users\Admin\AppData\Local\Temp\YwQK.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\GoIO.exe

MD5 f515b807f15e215a8bd77773d60fde6d
SHA1 8a7665a5ef6df45158a046004c95d2cb671883cb
SHA256 953664e274ff16b146b2e36e9f844618270659a60d79276ed18cf98b97d48b87
SHA512 76613c4d8b2545a5fe6684be94b734fc5a14acf2468fdfe7a22028b4b1f9cacaf5e79b3aff4b4a0dbbe3164653799cc82ed5dd719b746952844b9f8b1ccab8ee

C:\Users\Admin\AppData\Local\Temp\WUoe.exe

MD5 0f00500b927f36f157127ed27046a947
SHA1 cd5b3704e1a6246b0bec9b2c6d949d2fcef95cf6
SHA256 41ce97e5ee384dd101afda2857a31e646fae6ab0ba11d0aea6a669ad389103fe
SHA512 b268b22bcc95dfe8b734f8520e1f67f042e8f041f088500f1dd38bf6050a453e4c8e748df9840d2fa759d67455e0423168d008d2500341a9ed784021e2708503

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 3d21d44683003d6bef12da88f75a2e02
SHA1 c97843e1b0c1c5b81a97f13822c146f1df642f0d
SHA256 f22d7ac5828bf39d808164c8da5a451115d2f004c9daa457cc3f2562a8fbf27f
SHA512 82bc6e490b2ae0e5d4ca43d24aed1b007d91bade672ebf5232996787fe450ef21387f26aedc397f663238ca7308a7cf2ef4fd402418809506ea134bf48f1fb24

C:\Users\Admin\AppData\Local\Temp\YYAY.exe

MD5 d846cc41e93d8f41a98a8de000c388f8
SHA1 cdecf6164b59dcc75c371d774a1e4f57d06abcf3
SHA256 88e49cfb046abbafd65b2dd461f3c1c8afbba2722ea855766f921c2f4e5c99cd
SHA512 1f47b3b060a1fb57ceb632f5998da6dc5cbbc9c40818b24d4672bc672b108731da7d281a5968841ca9cfc29ecaf16008e59d10d500f2c7c0d4011b0232141124

C:\Users\Admin\AppData\Local\Temp\mEoG.exe

MD5 3e47047eec45af13e3d939ff5084c5d3
SHA1 785613c6704a39fec86d61d49c1932856ed1ef42
SHA256 490acde040e8c397841492937b393171505c666c4380d7cf7050ea5579d083a8
SHA512 d403c421ead341c5feb66610ac1a0cf907ae1569b74c7e072d43e3bf170a1e7dd211a8a6d4dde76d7584a9a105f395e62e0eac05e86d9b68d3badc5e6a951f42

C:\Users\Admin\AppData\Local\Temp\iUcw.exe

MD5 07c73c2694115369b23d269a175554dd
SHA1 7fbbbdd18d63781ff4be4bb507d5ca4537acbc31
SHA256 37c613d2e645cd3fa4b54438a61eed1c7b66a24f9fb0c7a1a5d215515f3c0666
SHA512 635f071ad7c3dce9292202e9a6f0596cdd5426e2530658a38ebdcac6c6df369c8a77fc673ae0c865ab4b47af42067c1219611c473f6dcb01dc5ce4aa0c05cd46

C:\Users\Admin\AppData\Local\Temp\ucUM.exe

MD5 3d426011e228b69b2544001f19d1e683
SHA1 54e68526d72f1e68c1ed601a10babf7a93dba377
SHA256 bac3139a4bf8c33a955e3322f58bd9bf7496fc0ac853ea48fb59afbd482140e6
SHA512 4e4e595dddc014cf9a6d684a2b5a2cf5c1b9a957e98dba337d3710e68cb0769b5c868898a0f06045ccfd9fbcd816cf1093087a9ea9f2c9c4a978a992aee9fe7b

C:\Users\Admin\AppData\Local\Temp\UUEO.exe

MD5 99f1a6243fc39506448b41f2bdd058ae
SHA1 087c9f7930f664e8a24b64c8dad600fd52847107
SHA256 99a5e07e4a0e2e70d90e7bbb46e92d1152720dc4e391816a88d6027315e1ee78
SHA512 0794e22aa3bba89513ce7ada98da93588e820d10fc4386b99099407a8fc7e9175d6f15cca48b8cfdf0bf4f3bf14d143be456d89f538496b605ed08f4321b88f9

C:\Users\Admin\AppData\Local\Temp\Oska.exe

MD5 83549b413118089b9fcec5b79622a613
SHA1 09b564c39df42dec7a9aa009240efb47d68fd984
SHA256 39ee85a25413ad7697a83f5846fb0cca06a128793abdb5a34ff80c5d55f92a96
SHA512 2a0e93fe947ce6a38307aa1f772681f2911ba43224a21cc3b145d1c58a9d88548b96f7f78154fdc2631c5d639ad7dddee99d772a780f16c310d4915ba6703e15

C:\Users\Admin\AppData\Local\Temp\isMK.exe

MD5 ff5243b1dcbc253385ce8d6aae8f3083
SHA1 d1ae8e4b9b8e5228db358d77c21c718dfe77025a
SHA256 e6349df12fbdaf4889749c8ee3d674b4d5df139467d53cfccf84792387a068b1
SHA512 a9ccd0c136dcff485ba532587a369331c57191dce6b09a9f86e7bb5e0c861b4c9a10c0ac76a3bbb3530b561a10d30c214f5ae1c18c8ad87dfe897ac2193f1084

C:\Users\Admin\AppData\Local\Temp\Qooi.exe

MD5 79e3b728ab1556b59fa7f34d9793ddd5
SHA1 34d98d5793f910bd5f56450c5e9596fb3eee68f1
SHA256 ee43e1a2286db1f0d8c1738daf2b08baba612a556a4f71d85452ba6d6bd0187f
SHA512 221e27e37aa41d2fd0cf9561482a8c00eae781806d97a9e57c4d09e60f28540a9b209157572e2bba65467d03bb54c1680579cfffa2f5af0e03ed58770c46f98c

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 920ecfab8d16518f97298f4d179162a8
SHA1 36dde7d5f08ce0b063988b3aa5b244e66b0b8af5
SHA256 83ad674e5d75a51e89c85d4f08996986f4c8b84816d4294be531390f2c19f446
SHA512 17eb1ee4d5b98b6baadb8434cb86cede25414b78130718c6b01f1df7685c00e753949a118672e29f25680daf944299c3c0669e874c18cce82dd155082ab4607b

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 f22a315dc1c495a128e0bc838ef38d88
SHA1 863b495a6264c21e6bdceb3f7a23005193963d4f
SHA256 a682ac91568f65fc88c25f8f5c9bc6ad3d0ca0a86497c6b7b820350c1c3622da
SHA512 9030f06c6d6eacdda19fbcb5a2b8730a3dd1ef49240cdf2a4baa9f222d88192764ad9f66292adaa0c7d735b7093ae4b7d10ffe2d3443bdab82ee04ab6c2a6a03

C:\Users\Admin\AppData\Local\Temp\okMq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\IcUI.exe

MD5 4bcef2d9546d775f2ad140d7ef87714f
SHA1 eb4cf72f02c75fe238645f6b0d880fe5b4da5720
SHA256 aed0361ed7e48eb515ab68d074188b272b1310a7956e2230bfae1cdfe4c39445
SHA512 c8ec2cba3fee0034421f7b3aedd7d4f45012dfd0dbe563e14ac0143083d83b551bc8b46ae33512d6fb80164e4222ce5f7d58320079b14063c89847be4ff80577

C:\Users\Admin\AppData\Local\Temp\AcEi.exe

MD5 38337f10708cb9bf0f45aa9fe7aa462b
SHA1 a7b167e72e6a4ca611b8a58bd7f0fa2664f74745
SHA256 8f7b00ec44b77812d299981bef0607f2c1cd81b650d53d2d44cdb4d50fb8f40a
SHA512 6c9c8aacd1dbd66a3b1b8230877a242714920c33a2a9606b10b028a24f5e58203647264481d19f976be001200725e5e5da42f93fb2df79fb6e07c410e2025e36

C:\Users\Admin\AppData\Local\Temp\aggQ.exe

MD5 78b7bef2cceddda0bf4502134bc04a3d
SHA1 9ab9ceb418a7fa4a7f60eb80345207873f0b15c4
SHA256 537790fc445fbe92cabbe5945940858509b8c0b00525ffbd707f41ecd4df0a3d
SHA512 23648a0c57f68c7e73f445cec43c97ad9b36ea8e878b8b18ce713ad17ad2eb78f15e5ff2b0ceb7d49d6fc207ded276e6fc8191a05832f3d8377040e226bfd72a

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1a791297b9a0ff7e46d99df5941c2b02
SHA1 14988d0d525f1a73343814d6bde37e985ef2aa6d
SHA256 500d20e0076e8cafbbe61a6cbeb7dcb6a8551b64ebb492c1340153c1c634c8b0
SHA512 c8246e481883d7561fe62698b0fba5fd10acbf32b475af1a7b7cf5fc4a7d7ac6d56997d9ee76c26a19be80737dbfa8c6efdac44bf367e2c003c5ce7a0bcf3cbe

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 284c38d8990cef33c6a11adf7fb7f55d
SHA1 24345382f266094e1ec93dfcc6c1935b08011527
SHA256 cc51bc74beaf923fe54c646b752622173596218b7c1e3c8e5f31bb1bf40efd6c
SHA512 f819c13b5bb48bc0273ea4aadee67ff1685b1495b9434971960b0caecb0375c8b19457b5378a3a616d0d46654ca5ee1c9eddc8454cef3d307a51958fca52c1d7

C:\Users\Admin\AppData\Local\Temp\ecMe.exe

MD5 ebff165268d920076f685ccdd838b66a
SHA1 8b7b2007eaa5f5467c21eb84d7b193619592fe27
SHA256 1d01b9acfda8ddfdfe7d5bdab57171e7a8ee7fb6c01ff3fc1589bbe1964e2b60
SHA512 6682219de5cadf971f304a695863bc64549a6495bbba210564637406409cd5607086ee753b0bcfd78d63d97d3a2e2d4f8acdc92d40b7f1d8efcb144984b80bcd

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 946183a3f81d73653eb1cb1ab5e498af
SHA1 01d0200a767d3345deadb645fe2e9d01d6166b03
SHA256 6f4b76d3f40afbca8e1de380318fe46c953f50d545518d631f9f42df03a5674a
SHA512 3eafba7c76f1ce073215d57a9de819c632afb8fb2c9e6b3d18cd52b2a01c134da0ad2d87d392eabf09fda4c4743f516669f3c319998589feaf8bccdc68a62927

C:\Users\Admin\AppData\Local\Temp\ucQQ.exe

MD5 33715a6e0152c31bbb7cdb17eacb471e
SHA1 fc8b304c5267aa1836afd5f36abbbe46f2d1366c
SHA256 813b5072de8b79a24dda9b8ee9359e74e57a86f64011bf6154b0da3d4421b941
SHA512 a6b5959e091e2ae53f27acc4c69a2d2236dfbb8427e691a8a732493d98b0d2d682e985f63e7752fbe86963e9b2c1d4bb8ceaaed83fe8579374a697d48d89b968

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe

MD5 57492d06f5aa8b32da8a63246d40b7db
SHA1 77ff3f70f0f8f4bb59ba06e7f5c568c21ef8b72b
SHA256 8586a1e99c37fe94a2254460bac731380f4c1a03eb21720b6522352960a15e5c
SHA512 c2fa907445c35b238a7275c8f3f6cc5b0eeeffd967cfa258bbb354a578e48735ae381f840622ce483fe999b3881c440481d2c10975c1c33e088a3f9ba7841e73

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 df6378c2a88d1b068e60efc6b3949395
SHA1 02ee09a1bdbffd81b00a091ee22e32b9ada2b329
SHA256 79ba7bf45b237fac06c5ae595239793aecb33c0cf7a367251e264d770a0a02c2
SHA512 dfa410275f53e9fabb4a8527010125d8591e9def678fcb685cfe0d8a8463f6b4d8f39ad2ddb96eeac69d2c3a4de0f026188f7d111f351218e888504648373d2d

C:\Users\Admin\AppData\Local\Temp\qggK.exe

MD5 55b0a9c327633418cddeb665911e45aa
SHA1 8566b389840cfeaed04948b0d81345cb24343906
SHA256 791de1c13636d5c1863de492fadd938b61cdb1df9e548e70b030a5a6fe94f5c4
SHA512 52507345ff3dfbe1adbc79f181938b0d0fa1918cddbdb29a6291399086e7dde2c2c0a45518cb6c696342175af3db722253c3ff3d136bd5d0d90e8568fc935b45

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 572058d1c95f205a97af46467385f2cc
SHA1 5ccd64bf5e9557b93d9202ae29e6c4ac3362773e
SHA256 bfcc5c26291f705602ba574a1376fa26f786f95ea50ae6a7b1099b0442ebcb61
SHA512 1de595795aa4c95f9a6b554a19fb1b9cf80196b31227d384dda04bec69973eba2f76ca2013029ec9f204443b1c9b92bb60b0a860e01bd213207aa48d30a495eb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 15973ac8978c17aef6432fb84cfdcd20
SHA1 8d9513ca49f479d45bed23863b4617db997ca329
SHA256 134e7b7e925d666b0679be81ae0ae380f70e948d18414e06a9b23afc0b014769
SHA512 84555736e72f448575a5aa28940a0053737a9981d7e4347ba29d94203cdba7be754947c0771c95328c3d2b3108f7f5e364801b97662e05b3470b08e844298dec

C:\Users\Admin\AppData\Local\Temp\WkkU.exe

MD5 b52e29669519a6cafa4240496cd8b122
SHA1 cc8028eaf0c87c28c029a20f885693a3e11b08a1
SHA256 ddc9b4195f27f9c2a3970a501c2847a0136ddf5778f599ad3d21d57969d5f4aa
SHA512 306a306705af621890e897444df17fd812e80591fa37950f65923a89b089f4ef08371d5d9076d6a85b048f573491fec6d4f369c2f45e2d255105770b739250bb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 5e8b762217a4fdae28b5b77921905968
SHA1 0517da6bd609415e7d3e11fd9e2fec4946a66864
SHA256 753e94ef1e7d147728dd41e67d1ef3b7d674ca0720c1c6f42e0060839d5bfefa
SHA512 c3e988dac3d0a7cbe0fc2c2fc1be30600579414fa0e7c197818524dec0d137b0864f38e1f83318af919036205c8e721e56ce757fb21e60771878d5680ab29b21

C:\Users\Admin\AppData\Local\Temp\ggks.exe

MD5 34c6f09b022335b9bcfa18c7ed2de3fc
SHA1 e35a7cb3e7feb810932ba59185cec4bcb301c67e
SHA256 098bea4959020496e776b3a3537fc615f2de9e4dab7c787be5b47501fd4b360d
SHA512 8ded2f2f80e3969a45a5fa1c305e11f49230216c0d8416974b47bd4d1d658a8a40499f88122d9ac29e30238f4e7b97fc4ce0aa3505ce9760df04f00cb7908889

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 c505aec49d82f31b114d33c88dfee367
SHA1 fb26ee66bbec9c55c2ecb7834eec45db5e3f9b98
SHA256 804c2bf4af34ed5c06d76fffb400685358ecffd1018c45555f3bac68c1d580a6
SHA512 e28bb31efd8d34273f480a4cfd7fc9c1e93c4ff873620597a25415a302a957fa765713ff03d636ba386791a1e9ba1c06fa9d252d878b744fb5e43369a564223a

C:\Users\Admin\AppData\Local\Temp\UYoy.exe

MD5 3eee104ef07c01419f8e8b9079fa11b8
SHA1 7f5737e1f8e37656065fee55fcae1f2fe4e83a6f
SHA256 70108b719a9906aa5744194777b865e22403461e2eda92f0f12edd35424e0051
SHA512 e1365d4d9372df3e134b0b7ccf509c00398fe5e13d635eef90b9fc14afb29b43a28ec73ae75faaf8bce8c99845941bb391acc873e6cd08b2cabe6d6e36be16df

C:\Users\Admin\AppData\Local\Temp\oUom.exe

MD5 292b11f89c949b54c489873e637d1643
SHA1 73be6fbd0bfe738098dafe120ef64fc5231066c6
SHA256 168281e462db986c82fb9a558e1ab757d5ae14a7b8de3c5a712b38819fc44e47
SHA512 0a79f073e990e39875aa7f08b98bf20aa085e595282cc8122265abfb02cfc5eaf5490420d4fec0249a07c026ae95d903bc2c5e1210afade91ebba30a8d0037d5

C:\Users\Admin\AppData\Local\Temp\Qsgm.exe

MD5 f575ff4fc7d62869858a6c21671e069d
SHA1 1bea84d9580e36019c5c316683a624b186a2b83a
SHA256 a66aa579d77450850dacec47b81f95b1848b0ea3fd1b556d76682f9cb6ac5394
SHA512 851f1f494da342ea52d75d95b0831d0f371381b644cd504b09af9590e6246a037dd0bd6b26b0481e686ffe10e4ea4b0bb9dd904f4e22b26c5d3f66832da9d535

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 32764b208b2c3c128e37a716ecd9287a
SHA1 6c847afd18f632526b8ed5e3e25172f20e6f0335
SHA256 4206fff17ad81f200f4b6835a76ede39a11ec4e52744ced1966ed58aa2f612f8
SHA512 ce7ab70388d5760499cefcaf913ba677f68f5649ae5326f9813cb5c48755e042abf375aafc0fd02c2865aa8ed58f85e0bfbb1436ddb3ab358e0727e142b5aeec

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 1edd2df2bbcdeb33457030d79ef4ed89
SHA1 8994679e3dd2302188644aff5938ea2eebf1aff1
SHA256 5e85f296100444c9a0b371b7f4731bc0b7d7279cc6ae256b087c1b179c393e06
SHA512 82ddbb840693c9661c780e30986ad7fac6cfae937d54d80189a0891ff371678ca80570414370a29eb0bf183cabc1c3aeffd9f568d7534b6b59f14f4ce9159d07

C:\Users\Admin\AppData\Local\Temp\ugoC.exe

MD5 ae8a7d5727e57333f1205506c54a4ad5
SHA1 f476eec181e76ff0db18ccae863ac277c6d3dbae
SHA256 93ee6fcf335292d267e3ca901678af94bc23b63822c475c027220a3897ff608f
SHA512 125b176b3860dfdb785f1c13ef7de204dc08ec17ac7b9fda0dd1034cd23d30d3865b855612d97e181f176ebe9f7076b981cf27f05c98e022a3df70e70564f7ee

C:\Users\Admin\AppData\Local\Temp\qEII.exe

MD5 4695725df2a209ac642772f9777ac891
SHA1 634429eafb435559b65973bef5d3c4f238eabd12
SHA256 4b009be6256f6c730af3649e68fcd84f30d05c8a0083f5d8c6a7e89810f8cedb
SHA512 a2b2f47bcd615a69b30b9d0968f9bb25b2b5812f66862b272600e0ae2135567b33ff5b0be56f98b2bf2cca1ab1e2e73412f78033e9999813838e97c9618c4b14

C:\Users\Admin\AppData\Local\Temp\kwkm.exe

MD5 d68bb93d16e9f3351d45f97d1fdcd1b1
SHA1 b1ddccf52e504436168569b9c68161928fcdd526
SHA256 b9c15a4ec44f08c9dec87290f62176b38f26b23b0ab838163503ba14492fae89
SHA512 a92ae515e9908219768f2beb20115897c71378d7d1c51e2730067b48e5e9ff9844cc636d8b715af5e99f425d415492e3b1f749cd9fab940b33f0efc526cb9701

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 298c0fc8d9e2743eb4cea215c09675ed
SHA1 aa4f78ca311b3b15db3877afcb11cca81a06c808
SHA256 621a3c7dfe060ac58de0a88dd5d0b2316103c7fbcf64a33739b48181e1bdf4d5
SHA512 1dc4e8da069af8c04e04b00843a380d28e40166d5390c488a4d63e2165a018c37518e5b4a566390af2caf85a8bd08f9add6a86a215f7a916575a4d66068abe1f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 1a730bd19f3aaec92a18002d2321a2b8
SHA1 91009a05fae733b53b196b604214411c7059c101
SHA256 bddd3d611fdd6ded69be5848502169223395776cc06f689a6d763bba0d3f5d68
SHA512 746780171b328f0ef6b0ddd8bdafafee5b02f871afc1890d91326424a0d76f25d8c753cb0e5eff024f24b0c4ff5abcf82be2030b170e5163b48b7d0ab5070d9e

C:\Users\Admin\AppData\Local\Temp\SwAk.exe

MD5 34aac01bba835a866aa243ccae7fbc96
SHA1 2c819752db182bfd1476c7e1ab7edf0118f8ef26
SHA256 dda423c8ea0633b2c7f8bd3106fabc7e7e5c03b1b82dd064d61eabb3bd311151
SHA512 52455d1fe02d2dfe6fac7207e1b267f5c6e47b1a026307dae8c03906405d28377e7a097b00114f36f677f9c7be17fc5b481e2e0e00c13e8ed911a81101b1b677

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 6bc33dfb510280fdc55a832f726aaaf9
SHA1 1b232033849adff85f0769bd2a68d9c0a0cb3ece
SHA256 6f0f60de3af110cbd37ed01a5ce86089a165763e3697acbac22e7af3c83fe291
SHA512 3338beb894f436ad7b3c9718dfda3d37b685ac861111e1f2388fe4d3786c83294dadf21e5065f618c61ebee8913e50356fa3e7f86bf49ff2535a2169401ae012

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

MD5 d4e0270c9d3f8a475505619b44999bba
SHA1 eaa543f62d25468a075a421e2226bfd978b1fe48
SHA256 77ecab22d1cd8731aa895112e1719029e827c9dc49097ee69fac44d194a94d4f
SHA512 4acf96fe80ee01df6b19845079e822bf97ddc7a6d62b21a888fef2f5a23a76e6a89da1b3e91dc1be5f3ae5785d03451922c7cbe072e1640551f44547492af03a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 d222fed4e5d10d2323e008fc08f065c7
SHA1 62fe34b42e3d33a24c9ab714bea5d490275b69b6
SHA256 06443cec042413b810dc16669a04f1edb368cc76de6b6d7bd5f62f9aa913011b
SHA512 ff6a7da7e192abe50d2e1d9cee0fa2e15571a3f15481552dbf2943def3c84b552049c7d2db97722fb07d83b2d96df8e41b72c9362261e0cf843201fea64233a2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

MD5 7e3316d648c119b9d4980da79e5afeb8
SHA1 6faf0022a5dd4cfb91792b172e8ceab115dfb4cb
SHA256 2c2c2a2400a0239f9a8d20370b1d8556f54439b9110687aae5027cbeffa497a1
SHA512 47196fbaa419feef27548abdac85628561c7e167a482f3bdcd9dee497909161701b49a02d82574c6f121d25ba8a6066c02850f6feea8660e5a658d1882f368dc

C:\Users\Admin\AppData\Local\Temp\OYEm.exe

MD5 f6f8b256cb0862fa2a48acdbad109e47
SHA1 6930c85efebc8f5a710ff6ea35ffc682e353d525
SHA256 9af6d52ff5c8c87d999eae74fe6efb53c7ca1a8be2bf2724736641953dc230f4
SHA512 87b1aca27b24ec171e1780f6c6af5e29e72df6a2a1afb9e89b0486fb9bc6ff81cc1e9bf401e567ef5d76f7ce2c52e6c779e57873b2bb397846cd79aecec44554

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 f7c01f17cc484858d1eee7bd9abb1c39
SHA1 703119c630fd440c6817627ee792811c76fecdcb
SHA256 9a509576eecee222aef255575034b4bc155cf7ea122905d4e8d6aa32e0f919a1
SHA512 4bc4668e2202a93a9abba565c6b4b51c487f05e7c69c5ec8d5f0d386aea18a55570ef0f12486b83379b0105dab5413f19e96b534d4e51faeb664daa53324f2ab

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 f116c8b01d37d5690edd5a01299c93d6
SHA1 f30cb8b3d8b329157a30242fba245531a18d4770
SHA256 2c1e6367d17bf4d640d229c82ff3748edec25a440e4577f35212441907f8cf7b
SHA512 65736996f75860318ba88dc0117b9110699d000b391ed85d78cc12d5d81f70c69177a865aee834f0c64a4e7ec960528c2214ac433a1cf93144f8e9d375d9ac55

C:\Users\Admin\AppData\Local\Temp\YoME.exe

MD5 d3bb7b0d97931c2c0a6b2bc5ff30606f
SHA1 d88a38609ce4581bbc3a1038e6d74907e51c2047
SHA256 1a2e921106bb1179f9980dcbcfa1a86c3dd5a083f581ceb035c7843a171094e6
SHA512 0f515635a83ba130ec95c36f806658c19eb44b554921596ed450a814e6be66ff2bc0ca108bf3130ede95020a6e1b50df45f825d64024abd029b6a73c8fff0cd1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 dfc0b328ff26c05ea3b9b94deba73dd7
SHA1 841c1304702f59517326cb8e0f4d93ae4fedf0f9
SHA256 d7e1f6b03cbc22f621662a544c252a11248c24981e9eaedfd39dc3ea5a0c31b7
SHA512 6c3d61ec0f85d8bfb81daa7b544199cc2118d232b0ad5939edc7b2b0bf1f104aa3bb2cd5eed219b582715fd38a38288c422a43a2f9fc2d19dd17139022743aa6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 8de2153acdf5ba4d0bc746e40c108646
SHA1 71b7c2cfa1544930f6d19bcfd27290e2875c2c4a
SHA256 8511defac7f18a86a55fb838e7e6f4c525ff77b2d4e9dc72320af0bd94c00879
SHA512 c02dd74738e3d4397bb9bef3c8775b860c7f9964a793926df735f75b6bc3a618cdda97ba1f13142dc10dd861c5d187dc8ecae6a21a28ec341456c6f64a475536

C:\Users\Admin\AppData\Local\Temp\OocO.exe

MD5 078193ba3c5e688e27f9ff05af8cf6fd
SHA1 8aaf8177824e7b04d82bae87ab74d52585707ad2
SHA256 132a9fd974399340e2c77ad155ba173bbae362d7cc0e080d09dc08ac2d1f7037
SHA512 718a2cb96319b0a4e77d11ecf197fc409a2908ef7a2723ab2203be926fcf535fdd3ac241199e5ee8bf512e02a5d32809f9ae62528c413bc369799ecfe07b38c5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 c28c69190c9fbc9a80a196be9fcc32ec
SHA1 bbbf4f0cda2ae4ecc7cedfef13d1cd1655c9a96c
SHA256 3e7dfbf29b786118acfdafc8592eabec26d6ff90d6414c43bcb0ef08161e6225
SHA512 b4a8a942e2e6a66223d5cde92680e11fe9d539eb81b5967c4a9e62f8fc7a20045e4c50f72e37a814a35f6fb45e931fe0c3be14ff49c2f687ce57c950b5b1e6fa

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

MD5 2b84472871efd57cb5ff0ca9e15dc6e4
SHA1 a1d916ab427193a14239dfadfd46d5b9de2bb363
SHA256 4f2d53f9a3ec1426fac549d572a99a4754d8082cdb4222fb2f1aad313b34405d
SHA512 b1f80f9cfe12ff50a780475993081aaede92dbc772659c8754acdab5c18ddabc57adae7c55d21fd6b236d4f91dfc96cad8861e2b8293161e56376648e7d6ac9a

C:\Users\Admin\AppData\Local\Temp\WEcW.exe

MD5 874ad7c84362cec65ce7432f35fe3b87
SHA1 c4f3753ffd748d0c03bc8abc55bbaffc63968434
SHA256 03b5dfa1b77d314d2facc1a621c3a1f44d0d5452fa0551bcb255bff440f1a3ec
SHA512 f986b52ad6290b31f287261f08dc539e6100496a5fa57dd4af40ede3749724dd584cf2b0426ff49e523faed64b05a9d6b3c6cc1e5146791cb3b1d1d6e83e78af

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 e0578183ed4b068205bb14a40af6dd26
SHA1 a520f0c635e3facca73d917b7529dbed6a50c781
SHA256 5f7d8c32f00b219dd3cda0e53685369a41b26bc5d2ee615fabfcba5bbee47d60
SHA512 134e0ecece882ed837bef4fcf945d3e22cfcdf41de6dbe818ee287c2756795a9b30be7365ef0197e446ed9e87cf4fa052d12405cdbdbe02c1728b121df52c3f5

C:\Users\Admin\AppData\Local\Temp\occe.exe

MD5 669073cc0274317ea697e9046f7a33e5
SHA1 81f48f6663063fcbd17636434a02123d88efd289
SHA256 97f1d102b6f64b6531309fa5db5b3d4e946f9ba868d13cd15fd7e8c78191f36e
SHA512 c29c3cf73d6ef6fe9a5db84bfdd1dce52967145b7c63e618f4fa0fae791392b69e8074a6544ecee97de717f80ce2007a22d342e4b815510d9cd0bb5a943a27fe

C:\Users\Admin\AppData\Local\Temp\qIoE.exe

MD5 e36ffdcff9c5adcd807432c07953ddd9
SHA1 56e9ed92ba2538731b390c67fe3cc2f51de56c7b
SHA256 a2c1401f41ae167a087bb4b4e6bcec6160fa1861d39f7c45c67a1d97dc045173
SHA512 5546e7abbb6ffb7e4973167121cf2bacb33fb859acf311762ed4a6828cc188e1061ebecb2da39e4f368c1dc66e6c1ae01b569d9a912ae878eac7bb5ad7827be5

C:\Users\Admin\AppData\Local\Temp\KEYQ.exe

MD5 7f00f28e49ee71e93c0ab61c71aaebc7
SHA1 4830972f92d2e0d5e6e421dbb3ea3f6081575ad3
SHA256 9c9fb6809ab16473cd202fa24634ad48dcbbfeaa519d24bec9fc4d4b5ca5b035
SHA512 e89ae462a4672e8dc92e19cf292edfc8970d6b9e5ad5bb2709c280e3c823811f662cbad3642eddfe0a9bead488ef7e0a1cc0fa149f01ce84f8cf5d30baa1eae9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 ef9c56bd9b83f0949f8984bab3467654
SHA1 40332a7babf302bcd8a6d07f317e5ca068896339
SHA256 9c1fa17486b7170886f88bcda9616fef8c58619d163010760a633beada59f997
SHA512 b702fc01b612a6b7e7a4d58ed050d3bac3aa352ed3fe39e2b2254e5ee3c08dc799fae7f168ebfc839d65581038ead61c5d24bd9cf31a12cace32d8ea2a3654d9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 efe506e92a449875e2d813bdecb31448
SHA1 6451684bac4cb04f61723da65dea5d126d87ba83
SHA256 b0a3ae221beea7cc98ea1040e00691695d80fc90c046ce95728104fd9a882dcf
SHA512 82d20d4a9217c69e1d63d8da701bb7beec470bbb7fff2dbe1f29b5386afa955247235899ea26b5ce0888d163fcaa9c09f1e7f8557033e0baf6707995af1203a3

C:\Users\Admin\AppData\Local\Temp\cMYY.exe

MD5 c47cd261bb25f8ac68a1275e49bab37b
SHA1 050b5e9ef8615a1b21753bcc216c269f4588a0c9
SHA256 fcd927bef3c8f1c728a060d29babb46d14c8cf005834d70c2b643c2cc56daaa2
SHA512 885a94b3bb80cf20c785f77905b6432fefb68cc4bf3c00a3c6b0de741f55362aba6e07b4af9e517b1ca68c6fb9248623e1221e8fe655ca5bae646f4d904943ee

C:\Users\Admin\AppData\Local\Temp\qYkE.exe

MD5 331b572d8f75dc583c697f90dd47b3bb
SHA1 daf21463a3fd113b802fcc3c9c9f5e97d44ce19c
SHA256 e5432b02025f77aa679c1119c5af3a773dd332f86b5a09ffa62a42279d80643e
SHA512 f27a1cc7d45453aa8f593552c5183eb58169103e97195950855cb04eb58f9bb79c7c937280819df1db753b8a3b8d3fc232480dd41d32f731bc55f28f2e316b9d

C:\Users\Admin\AppData\Local\Temp\QYAe.exe

MD5 f546f78eae7ceae9adb1ae842ff6ed37
SHA1 a96915e82af69ca8d47c1cf3e96ed3946a17ad67
SHA256 be70716c5d5cf572eb64b56daad8931c3c8cf97e152112d0f451347ad8175fa0
SHA512 fb4e30a5edc721eb3374235f94180f06c084e3f948c2b5b445389cf5cf207370f36b54f747fb4ecf3197d03693449d5a9772e8577c6e25e4c394eb9b5e9b8300

C:\Users\Admin\AppData\Local\Temp\egca.exe

MD5 08343ea0732327f7aa592ea207a15b28
SHA1 cfcc091600ac2c61b027bf6451582e220cba1407
SHA256 ce2e8b958d34da2aab6d43667e5b25366773da8ef04ee4660ffb9a9c1ef1eab7
SHA512 e61b59a847f7c9154e3789d942f018568334950e69c3d910ae6e6b52dbde6f1759c93c1dc8e3b28360a837a0d90447beeba8c27efac1644ad3a46782fa5da266

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

MD5 a3b680dea43be8ee6dcf9a0bfae8e21f
SHA1 6775948380598f38d2a225c6b5de43a4172a26b8
SHA256 e1c32bfb6c372b8396a53cd70e495be7ff43ccac8ede08669c833e4059035b02
SHA512 f0c8db3deb4f83a6802ad138949b6385ca32496615af9bead642f2420c6490abdc96a3fa906efac313adc4211d6bbf58abd05cb736d964ae049223139fdc144c

C:\Users\Admin\AppData\Local\Temp\uAEY.exe

MD5 19dfdda2da7056799a74db819ff90bd7
SHA1 c1b4279a64b91a3429a96888edba4d526b43f83d
SHA256 1600f967414303458ede1813a9338e5c64325f9000bd791f075148d525165319
SHA512 b5e73ff8f455481cd54af57be350a07984fe584f8d0581a53a8e31d5374eadeb805a04ae469363b2f3ceda72fa101ca372ea4dcb5f6fc84f4994e55c9896a049

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 666383da0dbf41956c6a1bb19e6a2972
SHA1 dcfc6fdad8a9b6c9bd4d134467f6dc69719b8a00
SHA256 4167aa05775d345586144363e323f0c898f36dbaf6a4f7d2965325326d073c20
SHA512 7b0359ea6f268be3d0f020c0e81063cbc2c86c6ac4df7413817929600458c29bf42243329800f1e62abf1488d5aaeda5203d08fb87052a2674f4a52ae65ad73b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 f0b593928542206774488a2bbd4c366e
SHA1 ed966ea795b8e0af826b5cb4d82591183160e9af
SHA256 a46f674155a67423427c3f4955520c3e702b06936793ed0aaaa3493238362cc7
SHA512 8e410f3ec9dd7552283a53617cc089393da3f9f71d329b6d0bb0bddae356ad2ded736aae0ce77b85eebfda6d8802e7d2e7556d94e577f46efbf451865b3330f7

C:\Users\Admin\AppData\Local\Temp\woww.exe

MD5 eb71fcf3e0c588b0a68478d9d11b72ce
SHA1 7c6df99f1335fb8f70f1edf12cd11ea0e7f8074a
SHA256 5cb1f862790d2c67b8145be74c77a3ce599f3f62f640b35c015d56b073a9aa54
SHA512 7457df534ab312407502ce5c36753b2499600e8258df2e009bb4f8f47d00a1fc4ed02f19dd3f9b6b28fabc4a41d2b7e5cad05d69efa514e2fe7fb3c9b39c14da

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

MD5 c87a958a0743e052b1f17e953c368ca1
SHA1 fefed874a199576a80100282353ad18400c319c1
SHA256 27c43805060a0cf116c42261f7954a031cb67a61810a22c1193ca03165b1c939
SHA512 5ef6e2e5c610c0a4b4511000419c4a6541ef1a9ff80124ff5db578c956f85f61682b727a7f4464bcedc86c9752630e2e347b293295176daed8cadf3357ae16c4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 353ebe975e8d0060e928a275a8f476cc
SHA1 0be4bcfb51f12e71e0e8080e8f4b8b1139c2fb20
SHA256 1a9d6fa47c46d7a6327cd89da60ba57097621df0f5596395e6a564e3cd244007
SHA512 66d25178f86458d1cd0b2e75502a14adbdfe12e8a7c3d11b58e8c9432fd8124f633f67c14cdc723b7e411248720ea82d9ab0205a2ec901e739280ecb662c3778

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 26866868588d5c3c6d26e9faac0a9c0b
SHA1 16e7231a84822a45eb0d7255649550f8f032ef34
SHA256 2c64c9df709af1a3cdf5635595252b54a807ffe65747968f4daaeb3131758026
SHA512 89a3e8973400df4d1cf377f8a66e91128be53dcd2d6fddaf25a468e809727ae42e12a87bb203bc48a88bafeac20e66c3fb4046d6264ce1f1721f9e15891a30aa

C:\Users\Admin\AppData\Local\Temp\woQu.exe

MD5 6260c216a2197ea234b996d6d769552d
SHA1 efea6542e5fa3867f0e0dc318123af19b81ecb50
SHA256 8d5dc465429b3ee3f88424be97a0baaf6d68448dbd3b25cfa66d09a2a7a3e6fc
SHA512 a621bba3c82958aa33759ad3d5c6758d91e015352cc8453dec18fed1f7999eea3e5b554abe3949843adb858391cac39235651bb5c987cd884e4edef347fae3fd

C:\Users\Admin\AppData\Local\Temp\KEUa.exe

MD5 f46b2bda1bf2eb761c956bc8ac676ab0
SHA1 5945a82db6ebff1b55b2a2dbf3fef3d871d9c949
SHA256 3f4a3f6ff1b13b7c111a9ef1ea973835920a9cac0da2403d8924ec632ea9e83f
SHA512 e7eb064483c84b3933c2dcd12531910785dbce982e4bb68f074299b977452056d1212f87021c2d2190603178d8f2cbca499368200f1b694fc6d064e3924d700a

C:\Users\Admin\AppData\Local\Temp\Kgwu.exe

MD5 028b8a44065a74f0ec514509b455e8e3
SHA1 5feb3fd849954d08bbfa07d2940e28b4a4d8ba47
SHA256 01eaa233b939cb3a720c43aaefa5a7cf3358a5b99d1cd808721e944883b8b36b
SHA512 4a681b2f5b4504bb20180c69fb58c6a13fb8e40f6fadd0baec80f777073694b5e0ca9e745f8b283955e1854200f2e0833204aee30bd07d36b9c9fae0aea60ecb

C:\Users\Admin\AppData\Local\Temp\Wcge.exe

MD5 b12b0595a24d5ef288130e90f11cb61a
SHA1 5fc9708070ff18af6146d1dbc8e9d572ce14686c
SHA256 795b5acd7f864a30cf120c50d9685f302fd07e73bf9074aa2827dfe66b56a6a4
SHA512 0b34dd47cb59a96cef9a9aa2e37eaf689c955f3bb57fa848c4c67525ae00c3aaa5f48ac8580e88952161b6bf29667589486f2fb5caf0f84c4b0b81528e808b40

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 e843c71e0fff3601f7f1f8d5b9a84af3
SHA1 d748af721baf589c3c379f642cc7bc201c92531e
SHA256 a84faebcca10c6dc94943747113aa50d8859b8737753d6acc7195242f574f113
SHA512 9a93c248763ac75b097d69096f45da2f2fbb59332793338f9cb7a13deb14fea831ffe3dca3be3c876c20782abe4ce446a9c63514d9ebe4ec0927d37dbb4118d5

C:\Users\Admin\AppData\Local\Temp\mEIe.exe

MD5 a3a7245631356d28187c47bb8ea691bb
SHA1 8813712749ca20a3a928892e0b4ba457c0ef4920
SHA256 f7d169f868cdb5579585f7235a9c51ba94cfc5933d3a9dd3720e22266e79bbf2
SHA512 3b2cfd8335643fc5db70fcc413288d8fb53ecec33447bb9938ce594d956fcbcb4f0bcbab1891e264fbefa050193be49776e7295c151ee52bc3b3d1910cb6db80

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 ac1fd5a6d20f3c992245548eaa53bf28
SHA1 270f90f396b99669ccedef3a00d1b9a8ea5e4ab4
SHA256 515d3d30b2c37c72c5cbf157791fb562f7db98b9427f03d75710528832c2a3ab
SHA512 6b7575db617adcd4bc1072d91ae947b9440479d11dbda40d40f7c61bf6ed5cbc8c6ff4f47c6a401f9c5de8845fe6c9c0801c4369555165195feccecba3fd88fc

C:\Users\Admin\AppData\Local\Temp\Sgkm.exe

MD5 d424673b6e0a1ffaa39b8739e907a1b7
SHA1 74df04dd4004aaf9f1d80f9ebdcff1dc0940323b
SHA256 665c0f7e86f6319e87aabb54a75a9ac23dd94bea4a194af34463b9f199e53b71
SHA512 768dfec7750ad02728b27ab48287a5d5e193c4394883a2a56499af6a1b034265dac980188fe63ef776bef04db4f0388f1375bd9fcd2772440f1e3ccae871976a

C:\Users\Admin\AppData\Roaming\NewOptimize.doc.exe

MD5 05df19341bd9ab8dfbe6bd83a09940ef
SHA1 586cd5fcce97b6eebf625aefbf3e4f8f84bbf939
SHA256 3906527eae98982d4618b5b1c56c44158e071e4d84bfb9730802a7ff8b11fa7f
SHA512 83bb7012799a8bfbbb9c62cec4a92b5137d34aa4d545f31b1ae9bf09bc5b126c948a8c9d2629c1bbc2b1ce2a65dcabc850914377c8c66ba36e2256dcafae1daf

C:\Users\Admin\AppData\Local\Temp\oQEe.exe

MD5 c959de22a0b704d5b749e6540ba04c3d
SHA1 cc5f275cf05d3a02cb92f5c8bcc68fdcd55c47e6
SHA256 45995c34539c23bce74d2e0ea694c630cfd035babeb5e97830d6c21840ce58f2
SHA512 b507010a1ab2134d679fad201ea324f6bed3aa99abc7ddf9348c9f445d3461c069363e68f89f195fd836ef9fa516a848e02ec8753f543236f31ad7c47dbe5d22

C:\Users\Admin\AppData\Roaming\TestClose.xls.exe

MD5 f910b8557432579e752d0ce9a36665af
SHA1 b706cacba97e4bfa710878b91a1579abec5ea689
SHA256 2e182592f82822268a7fc330ae15ce2e6c8d6d2ddf5349b1b3014c15cfbf9b4e
SHA512 9a7a26948dd2712a05bf1c67c1ddb4c9d57b3bb74d97b2225f9fd312800c24d14b78fdae2c177a8d4dac4b6a7e6b91dd96f2932de4181df6a036e55443329133

C:\Users\Admin\AppData\Roaming\WatchRemove.exe

MD5 9e9b13682a253ef060d3c1c8da834824
SHA1 a4f99ee74b97d08a5ccfb001f5bfe51f3eaf077b
SHA256 d41ff4119f65d2a3fe65110ad38588304a18ae95f52e1b37826a1cb1228fa2b0
SHA512 77aadbeaf789d376ea94f3110a476d68faa623ea27b6fcd4cac598e7e470d8808f2cedf25b569fe1db0606011bb4290a5c0ad274ce5ba6561e344a9f5ce85240

C:\Windows\SysWOW64\shell32.dll.exe

MD5 9ddd7476a40e0b159ab89488f8e13915
SHA1 db7c9417ef52b7cdca7a475c3dac04f19076fa3c
SHA256 9baeeb64fb1b0cbdf46b823855fb466f405a07b08bcb67f4681ae968f2d3a92c
SHA512 a1830e8ba76de842d6610a018f60f8398480259fda6533710e004cb17a8760a5f3e294a90a50439acdc75f3c659bc800424151f3b36378143f0206766f8ada4c

C:\Users\Admin\AppData\Local\Temp\mkgQ.exe

MD5 f69720367e7785ba72d52cbf91c39a73
SHA1 93fdf3d873d5045aec4cc6de7cdd4eb06aaef9e9
SHA256 600637e16065c764a55addd8d70d2eb8b9217d472335c9dcdd11495537962bd0
SHA512 df89f1e6e7ab3c92d631178b6eb6acab4dca3229d48bed60f56ef4a3efbd4e51112c281369e9142c239398a68b16b0a30a94b21ca570a585d71ab08f8ef24b0c

C:\Users\Admin\AppData\Local\Temp\cssU.ico

MD5 c7fffc3e71c7197b5f9daaea510aac10
SHA1 23262fb8038c093ac32d6a34effbede5de5e880d
SHA256 71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865
SHA512 c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

C:\Users\Admin\AppData\Local\Temp\egwE.exe

MD5 78586b1e059a0d99fa513ff202c9fdb9
SHA1 0bf05293c42190b2f68109257b16616506172891
SHA256 6feb4163802e7e2791857cc53fe6895a6873700c75561d4aa8e01b426d82203e
SHA512 ffad269710ea10c72e0b6d5409167df2788ffd1c1a4802eb406ee36f8e52d2df6cc33f6504d1703aac4a5a19846bafb70741301b00ec68b0ce55436c44846211

C:\Users\Admin\Music\FindWatch.zip.exe

MD5 72a28a693666a149bb6f6db0e1064fbc
SHA1 2a6ba8236f402d700a844aaef03731927bcc3870
SHA256 022ec47b0a11429f5194ac38f988aff8ab9db1c858b5dc2cafcebf9302473bda
SHA512 5148bc16fbc24644f4ced22ce483e9bdfb8b48cf54e68341bb0340f654dbb944a4aa745278490a8fe80fbd49d05e0b738caf7b02a0dddcd4f1d06a285c5717fc

C:\Users\Admin\AppData\Local\Temp\SMUy.exe

MD5 9f314e371658c7c62e02a34f14f896e1
SHA1 d6edf0683c1db3df279776cd174a6cbc22f4541b
SHA256 468ecb43f0011a9628423ecedb80ffb75e7707b4d23817d2aac3a303b14b4ac6
SHA512 17a1b04875fbed4914d3a35812832adedd8f0b131dc84ade9b289183ab298902cf0c0214ae30209b9ed00631263721a9d4cf736d961c3a70327965b6e6c55687

C:\Users\Admin\AppData\Local\Temp\CIEE.exe

MD5 3254d04f90de99e8df8333d3a445128d
SHA1 f2b7734a1b24f934fa5be34097a6a1996086e3cd
SHA256 72e47a1198108e266daf0f1a24062a51994acaa991c16c47e93bc6b52542d1cb
SHA512 691b3d67ece7a57650f551a7fc48315694d652680176176d09b3c1adfa5fadea2e5d8cac8c31ea5455d1344326256f13480bd405b31f6a5a389fefc4929ff881

C:\Users\Admin\Pictures\DisconnectCompress.jpg.exe

MD5 d77e4bcb564491c015dca2db56e34b3f
SHA1 bd54ef283d887dbfcda77d53e056457bd998676f
SHA256 99111748426ed9f880c0fd79c24c76048d31c073262596211d604bb151709a00
SHA512 1f1b1d20f6a39b8073158279b8d0e2e4687d250bbbaf28ea43cdac90a712cc118ffb05df7d12edeafc42ae221e20188d142356ac802cbc435cb238cd18f8c51b

C:\Users\Admin\Pictures\ImportOptimize.png.exe

MD5 c635d9b85a085b40b36631ecd90ce9f4
SHA1 ac8dd6e4b06756432503dcc27fef7ecf07e3c7e2
SHA256 075c29a6030d01c95beb952874c6b2ede7f92c0fd324c538415034a0f83f6799
SHA512 254120f2e1b1a471a08d47110e9040ade2aaaeeec823068d32726602049acf6b2e69ca44a78f2076ac6fafcf611c1e06457b7c580c1dd0070e98d5ebe32296c5

C:\Users\Admin\AppData\Local\Temp\kAoE.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\Pictures\MergeMeasure.gif.exe

MD5 a1b7c2ecaf55ff7843f974d342fd2ade
SHA1 ca71eeec487cc6a25459d52c8240753a77fa1a01
SHA256 03a012f3bb102002eb0ff74071011a8a8d43646b100d7eb0553bccae98076beb
SHA512 0267d4b727a187968d4798b4821c193a28a98a89b080ecb9ba51cf1b1408634f7ce7f53f9bcdef25ea583594108ae86cadea709d36937349fbc8756271050bbd

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 2787cc7c2f9981c0501d9395daba57a3
SHA1 91770c68f5a13bfbdcd7e350d858d8eb6e5db5c0
SHA256 a7ac1c3909bec584ce4a35aa193df49d5c7db4b3890ae91f3dbbde33f98ba7e9
SHA512 949b32ef6233fdcb74e3711d9f8509fc967490c3e4f7844a1e9ac08154158e00d752b05c9306e7054385425c16142869176fe398698ef93b84afcbc88bcdd41b

C:\Users\Admin\AppData\Local\Temp\KQUC.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\RepairUndo.jpg.exe

MD5 56c4505fc39f19d4c5c0d9c20c9ed451
SHA1 f4654e2d9319a77bd8535cdec7c22e59a00c7c3a
SHA256 da351676e187bf4db6ac7102ecaa87dcb27ac5d820e71bf3aa28677e80bdc058
SHA512 fc81e256cb874d6c63b9d3363f32c413766cc406d62d9d44d162ee0a31d160a9f9daddac1f980f1d57369ecbc133c9566d7ff70a14701a8d9c09a96636d20955

C:\Users\Admin\Pictures\UnlockClear.gif.exe

MD5 ed26a5545ac678738e1f9afac92b4287
SHA1 782053908202c1d8a54e30265ff3afe8321dfc19
SHA256 bf31671547860715d6a4e623545a656ae2caff2c271a534317afbe867cd49ec1
SHA512 f65a15b75e516ff8d3e8629c72e45327444247ebed821e5160b79087c972c9a5255374819abc9e94101a5d4af4341e7a1ddac9f470e7a6d61bb25e57a0c67b30

C:\Users\Admin\Pictures\UpdateConvertTo.bmp.exe

MD5 12ca0219e3a42fa5ba687b6d041febaf
SHA1 f299267ca4cc398a5647c3fb8f12c978c744ecd0
SHA256 aff2d7dfb7645186c9856180ded543fa22b4467d12ee02f3241391625dca0ef0
SHA512 55774e415d88f20c0a2a7ae7f9c633a6eaeb147d3116ff080d31a7b2cd4a33815c5acc2d931f63451309f8b645317114ebcfd11493ed5ecdafb8c1388ac5bad4

C:\Users\Admin\Pictures\WatchStep.bmp.exe

MD5 95a4be81ea630732819cc82c1df5cc0b
SHA1 8605ffe55bd38e45cad9ef87bb7da99d093cc428
SHA256 408999501f3e6572434bc4460226e415a820efce125f825f1341f1b3033dd0b8
SHA512 cf6f1094f38ee25545810e1db772947df89ed045c92e806c8bf13e31de22620dd2c827eac19962a472b36fab740e6f16f0ad78f0770a7fdf8c12184331dc4b01

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d33d688ace2c36203c7ba2722e557751
SHA1 6c0dc34837ca1f8d3f01f796fd84fd3419de6b25
SHA256 918a2aea7e6ee022eabd7e62abaea1666236acc6a603b8fc65c0388346d7f25e
SHA512 3c8646b4696ad7dcce9d1c445b436c5c0c0b973f58b0a03178edec5a00e4f9b7f5735b0042d5c6c5dcfe7cdd0ed69d9858c26eaec5362a6847cd36a6d949f928

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 be490974f9b153e1ad9d0b94b677076b
SHA1 f0265372dc668619c935b34b8c20562dcdebd312
SHA256 94c26d4934d4f1ca21ad2df170f01c5d2daab7bb0c5008be64802d54de3ad88f
SHA512 aa1aad0ad565e66bec9a3a532abace5946240d6e0b6e2ced13a72583cb5891eaff91999362d16ae20cb4553e3f67e078febdd79d5ac83c0b3798b3e6ce662007

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 ce6a1adfae1f9a4a4e50f07549c23610
SHA1 4bac939f1d2ee8bf1cf05402238df52dec089d32
SHA256 8fcc8138dee052ba6445de44cbc06614f7351d940c9e77f4306c9c92152bff8e
SHA512 1129f50a019611545fa0a67151f506ff2fe9070e7d07ef02765226a46decb8d5299d733556c4b394bc3230a729947b8e9a3c1b0abf04881a6951d274c19f7bdc

C:\Users\Admin\AppData\Local\Temp\QMsK.exe

MD5 f385f6ff8c9c58bbb19c8604b5540a89
SHA1 ee749dbca40ff89299dd76568359fbd7d8343f81
SHA256 8ddca747149716a91a8599ec67ed23e18cc19dde8102513715ff643215ae5086
SHA512 47c0a30ae863fd21825dce59124f3af9d0d7602f16bb255e78cef408c8d997e12e0f05ec28e66926403f1d8acbae0b88b024419e54277d324315517cc9d18f23

C:\Users\Admin\AppData\Local\Temp\kkYY.exe

MD5 3b72be0ed8396d61295e75d2b8d427ec
SHA1 be180d3ed08ee61c0f98fedf7ec62c0d6a2c3879
SHA256 0b4d68aebb6473cdf6816aabd9ea50d61746ff22bc5bc51cf2b34f3a4607857f
SHA512 7acc8acce685179a0d5f9c67c5394d3b5caea51557737ae0bd7eaa64e81906e3e4ef1c6632a065239c9c092263660713cd9a34a033610ed58f4505d87cb5369c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 19dcbb877e693b4b7024031343529cd2
SHA1 1ffef870381133ebec90a71d9e362246d4efb2a2
SHA256 01e6eab60cfe71254edc150ed6c829babbdc0e24e7e2846dccd87f754bb3ab51
SHA512 ea9209e6b7e321ddd0e3d2cbcf47a8bfb035557c5fecf326192c2e966b5168203e34372c17f8fd5b7023d611b2527ffa07f2573014dd3af5d4e3dfed10445043

memory/1040-1566-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4344-1567-0x0000000000400000-0x000000000041D000-memory.dmp