Malware Analysis Report

2025-01-22 08:47

Sample ID 241027-tmlnmazflq
Target ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN
SHA256 ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9ca
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9ca

Threat Level: Known bad

The file ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (82) files with added filename extension

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 16:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 16:10

Reported: 2024-10-27 16:13

Platform: win7-20240903-en

Max time kernel: 150s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\ProgramData\xewYAYIc\mGsMkAUQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7z.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WiUgcwwQ.exe = "C:\\Users\\Admin\\tcUgkkYY\\WiUgcwwQ.exe" C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mGsMkAUQ.exe = "C:\\ProgramData\\xewYAYIc\\mGsMkAUQ.exe" C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WiUgcwwQ.exe = "C:\\Users\\Admin\\tcUgkkYY\\WiUgcwwQ.exe" C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mGsMkAUQ.exe = "C:\\ProgramData\\xewYAYIc\\mGsMkAUQ.exe" C:\ProgramData\xewYAYIc\mGsMkAUQ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\xewYAYIc\mGsMkAUQ.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A
N/A N/A C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe
PID 1448 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe
PID 1448 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe
PID 1448 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe
PID 1448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\xewYAYIc\mGsMkAUQ.exe
PID 1448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\xewYAYIc\mGsMkAUQ.exe
PID 1448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\xewYAYIc\mGsMkAUQ.exe
PID 1448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\xewYAYIc\mGsMkAUQ.exe
PID 1448 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7z.exe
PID 2872 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7z.exe
PID 2872 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7z.exe
PID 2872 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7z.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe \??\c:\program files\7-zip\7z.exe
PID 2612 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe \??\c:\program files\7-zip\7z.exe
PID 2612 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe \??\c:\program files\7-zip\7z.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe

"C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe"

C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe

"C:\Users\Admin\tcUgkkYY\WiUgcwwQ.exe"

C:\ProgramData\xewYAYIc\mGsMkAUQ.exe

"C:\ProgramData\xewYAYIc\mGsMkAUQ.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\7z.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\7z.exe

C:\Users\Admin\AppData\Local\Temp\7z.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

\??\c:\program files\7-zip\7z.exe

"c:\program files\7-zip\7z.exe"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1448-0-0x0000000000400000-0x0000000000425000-memory.dmp

\Users\Admin\tcUgkkYY\WiUgcwwQ.exe

MD5 e07bae4a6bf1e3ce5fd935d0b2379b6c
SHA1 92f36274d3afac92a651e620db42456321351a72
SHA256 7a2fceef9dc1efaa3a992c535ce1d85aa3966b0c93a8aff262e8a8ba5cfe2dfd
SHA512 5890e8a26358a0b20a9724c3f293e9613bcbe7e04db498bd25fc55e5e11c63a912d4a82e1e75804fabc8fd08ba7bcc95ac9c208886b2f09cc4791baeada5d1f6

memory/1448-5-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/2668-13-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\xewYAYIc\mGsMkAUQ.exe

MD5 a562f963edad46f5dc72a5658e204ca1
SHA1 ecc71ebe30e746cdf9bfac051479789afed4715c
SHA256 82142b786bb20c605b622a5320d4c080dc87c71f2588ee7429aa601210b4ead6
SHA512 c8328570b14d5d65601c45ef6f07c2a6452185948e12267390aa7d88e451b4be8231dbd14adaf394e6edcdff962d6e79c2598caaad5811667abfab8fbe8c0b23

C:\Users\Admin\AppData\Local\Temp\QSogkEsM.bat

MD5 d0c8a5c0a6e1b7c2354c850ea8b0b41c
SHA1 5b9ecac5847c03a5022247ae92714f8f69f9ce26
SHA256 850ee2db597d683c659b739a098b36acbafd5b8f144d60094a4166ea15c369bd
SHA512 b35acb0e2ccdbe7283bdbc403fe0cb772a0121bd97675f1b0dffb3a4b274f5778dc8fcdcbb02ca904642fe96f7ae0c0a57e50b46230f27d54dbe988466753c4f

memory/2720-30-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1448-29-0x00000000003A0000-0x00000000003BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\7z.exe

MD5 b0879906c12211847bd47d82af78cbd0
SHA1 93886552595c9c0d030100509e9e4d0d874966a9
SHA256 c8cffff93071bfa75a90a029518f67b2d3f454c7e367383681738eb43c11dfb1
SHA512 dbe2fc5d47b7f3ede51e8e5112d99d1e98759677f652e688cb3bc812db37548a804582cfcf06e6020f1c3767af0a3a196d5a865398c5462a65de3a8c278ccf26

memory/1448-34-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2612-37-0x00000000000E0000-0x00000000000EC000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\gQMY.exe

MD5 a287aef2ac4e2eff6edec3b3f70d3258
SHA1 b37b22cc329f6610bf58ab3d3b028d5b7ef3ee3a
SHA256 a3f5539f8f2a0b022214cbf5fefc91642b64e5ac12d05e9ee43876a800eb37e6
SHA512 89d99ac6483818cba46188435c95eaf96562a5f6e942a227c0681a4c1bb6bede8f9f16c6e805f43c6e7e2cbb3491da81e46e6f5bdd5f953f4de1223d6d1a0071

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\mUAc.exe

MD5 e7217b1b06879be67534bac5732e377b
SHA1 350e510e02ca9c1dfa41af53c956853665cb4290
SHA256 91bd89edd3dd4944c8b189f7d7df4fc579867f45c71f76dd319eec35ea3f4dec
SHA512 9d7aa397519600a6ee7b3d47dae95fbcf941167d6c1a0eb3c1ac6e76fbff6e483fe3acc99f9d262ebb6f32ed5779eef166004e2a1b89b1999e2e0b87306b1118

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 57bf62dfec416656e39685a2657dcc20
SHA1 1665fd38b28b933d6ccbf45129e22f55b6f5a451
SHA256 a6d8a922f80067d15fc2972ad5e595836548061c26966f3b193d341ac3007a19
SHA512 519c4000d3f2b912225b25a89e4ed53378e33cc49a854c403884aabd300af5bfd210c719fcbbd68d05bd66a321643e17e98ac773ff7cc03647ed22fbb876ed0c

C:\Users\Admin\AppData\Local\Temp\KwgM.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 5c0e6fe444539e5229ac3ed8cacfbf7e
SHA1 614ec17c339623e386bf2c68d39f2b32cbbce387
SHA256 72fe50355d37eb4d83c7e14c0af0203642987a0c85fc6f73434adc603e6116a6
SHA512 86df54fab30bbd65f7a4e673054b1295fe6aa1b5ec32559629bf516894a7298604a15e64909572ebe8edbd118b08e9b68e5ff8ba1e48bc40306eabd29345e707

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 fb2b8542b80c8664d26ed6a07166dad9
SHA1 a19d3bd5d8b80fae3dfcd92dde05aa42e37cec52
SHA256 f3d9e57c0dcf010559db566c8712a7ff457755b9b9dbc88e08e931186767f6db
SHA512 b3a9580fac45a15236a405fdf4c2321f91808241cb1458f29f1cbca2e0d701f125117c1c7eb2f13bc94c2962555bf6f0b79cf595c162a2109f9798d0fdfa2630

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 ec2f03317efac997abce3995150b885f
SHA1 2e26a8c14ab62870a018920e3a9d11293583c3ee
SHA256 969e5c9e231f54bb6529e3aa7628898e363884a459c87a3d5ff6adb81751b29e
SHA512 6faa4e4aa6e6fe77642c4565eb1dd90eb175ebc2ddf97f72d94b9e15a32c45c621a481d1bce0964d58c1b42b58158e4bdeb6721e8f4d2f4ca7d22a8357c86a4f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 a7fa06d94818025920d2f62944897189
SHA1 fc61c34bc5d4733defc4d967b2de88707c0a75e6
SHA256 b36a1d575cc85d55bd36cf50c803209287bf7fbfd9062fbf2a97acb9272a2aab
SHA512 98a7f727dd6d378e4fd0563e466ff6211dab4238bc8c1f94ec17761e6b9bbb60e49c21d3db6a27d22ac6fd1193b79819465699fce82aba3dbe9c078d46deb8e1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 f242941d14d7f4d8529cb050f6b5b3c1
SHA1 75d935d1b403530ea5a4188bb40e8ff364e1cdf0
SHA256 2de2e07666d061964b023f677524b386bfcd9f5c5d55c8d8f2785dc1f6478087
SHA512 2ca04d85bde651fd4e2ee07e82855ddf9e3bcef69878c0fc24f86f65769ec58af939210e7387f866c965de061e0c07b6e83b3955b2c2f5ce5000272c360c1816

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 2a1d38aa511d2cf9459f4f39ca38e8a9
SHA1 133468fe21070d64da0445d62596ec635d71dedd
SHA256 6ddaa6f701b34bfa2b07cb65b47a3de1ae7e8ad8e079998932dd00b134af5a83
SHA512 01822328245216e29c9e5a7daddd4fedf960f852a705ee716c9abb71b3db2e4dc4e5b5c8d4d6901d947d68e3b659df344b49c32563f13175d073b100fcbeae56

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 47e9e600313648aa50cd8305d5abeb7f
SHA1 60481dab88202c75f2bc6118f51eed92c8fc387b
SHA256 7de744690f1c0a58e86281e8f29498267e3f15fcf17e33265f1d95eb02a7d189
SHA512 5a453f3ccacdbef3851267f7cd8b3795edd2ba5837de2265dbf9156f826a896a2cc12a68bb8ed63849ea46e2e99f70ccb5e23f7f90817d871603367a3f775057

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 600ecbe01bd0de43b58a9f9bb70adda0
SHA1 811c5e1dc3b90864afba792621f75d2661c05f1b
SHA256 5cb98ab7306a0edc268c4ea961f341d9ff68defbb23dfb858d7f705ba6c22a8a
SHA512 65088617520b4ced1a472d871832fa37b373e2c5be8571f12ed7d99409e868d1f4b1ed01e33c5efe694817479d9e1e768663bf8d26b4a5ee194b56979ebfd845

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 14c155c3a12ab489b0177c9f827f8221
SHA1 b9c7f2313e5da50d40367e29ea3acf6ac93dbf51
SHA256 738eee8b976a6b04c79ae3c4ca0ff1794a931b7d15e69b298997b0272d07b49e
SHA512 91d0e40a034dd6707f2f4b63ebdfa2448a3a557072f2ebd5d2168195480ef4062461ba3cbb68097b71a69c15fd57b649ab613cbc5883395f80eba05326144826

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 8f4777d80f31c40d861eec0666c08721
SHA1 e4e78d95694ae884395cb7a9267f57222529e9c6
SHA256 a39ea06d88fd80a9768c6dd953fe1ef50867c838bcfb904ead5075c193c90910
SHA512 8462bf2c1005dfa57b4601e74e323c899db8db4acf2d0130b889d91b22188aa27d53c9f45cdd54b73d901eb9592b371292fc3542180688c9cb5732ede06584bf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 73627a352e249aa3fea4d970801df7fd
SHA1 7656647726a863703c29372618559b163b1a6cdc
SHA256 1183dbae04cff096ddb669f608776d0d132e6393bbbaf7a00a3bae15a428fdeb
SHA512 700bac0b48351cfa58cdb044a49e2bb390c5861f1509ab5688510c7ae2ea02433dfc982978df9f0108d003c1c45f9ce709254cd02952d3d30df3f1e34962765d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 388004980d19e68e3abe83fda54cd262
SHA1 be0f1a4e30610121b303100497270888b7f292ec
SHA256 cf9f3fb297de615cecccbffb1e9267a5c5c3b8e53475516d899932ea9c12ddfa
SHA512 f1e218ff11d9ccfd295f520b1becd20bdf5cea0499139455dd9e031bee4180cebf270fd68cd751de7a21f28a0aed7a0efeaff03edb97589f0501a38a51fb9f0f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 a14ced70934200aca035d5e9d498897e
SHA1 d399c6bc6b147b8e1b50d84495fef3d7930e6d18
SHA256 f1c07e7700551b0c4803ca3d3e7d5611f8a008068ff25466d2a08413083b64f1
SHA512 d4994348d73612a2ee6f119e05400ef4ceff35b6ec58e975b38553f96673a1145f5065d266c4a6e62e561c1efa0e59accba19737c6d7821d898acdc7cb2dd5f1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 b8cb33efbd8a34c1e453e88c86282309
SHA1 3b64d7669c8a05a40d9fc5e55c9b5ac8eacd3201
SHA256 82df2f8574194953f30f9b8148810851a5252507fb28adafd211e16ceedd3564
SHA512 2526c8713256a1030594050b51bf1db543d2dbb486770eb6571b8ff47556188629c99ca3613a283131c302355ba2d3c2aa915257341eed04a6dd8c833c957145

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 a4f313daefd50c8246b336363f10b30f
SHA1 54efc97d1b28f48e29586b3dad4dd3cf5a8448ee
SHA256 45f0969ec828f9e83e67bb450ffc33513c0f62a489b8ade154bd454ac650035a
SHA512 f58f392a29e67eaefcfc747b99bc068d38749c444545bcb65772077fc25ae5afe4ced89b7261b346d8bf5bb3cd07ae12b9b4d2b8949ce4c659cf6a7f503b3363

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 5bee61bb168cac5227d1800520e61917
SHA1 3b4fc71b68c5a257e6b1fceece056df9dba0cd0a
SHA256 3b959050100484a9cb5c6363d3d6874e6995c1f7185b90f68125ba6a444952f2
SHA512 ec7576ee999b85ac12bd8380a5b573532c04d0e0f8183c7bb73c5e2afa520091a0d3cf2a1d738925bedb57f029242f16d586d05ff898ba6d3dfda5afa2fc3c67

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 caaead67a8790f0ee0ef664d7f749a2b
SHA1 cedd5985d28383201f2de6aa461dd7beba0867dd
SHA256 ca0625cdeb28645254951aa7c6bc085492fe6ad11b17c33e1cebbd9b1a1e177a
SHA512 856c47d47a1540c738faa3b98b80cf95257d01c4d51450d772e487d859f20e447af15471e9d96fc1aad9fb9b352ed7abd27f4950b81a5d9860792a585ef2e3ed

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 abfaf022a7f635b326f05e76dac26677
SHA1 c988cb7c9a603e89ca68b630b139edec9971d3c4
SHA256 6204eadd9bf781ebe6583cfc6c36f1bc9d3dbea387459b322ba73452ddd96065
SHA512 583717ff8b6b32b037fd8394afe403cec2a1a633336648bd3b9e63916f0d899f699981ebfe59f68a66caea4e04e7bc9a0d1cd999c657228fe143ca737bd611c6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 01a56e4008241cea4c21c605ac0a54e5
SHA1 34fdd43968468dfac1a494c7677d19fc700a2896
SHA256 b07cdeadbfefb8fe755f558dbdbec8df829eb92830610ccfa081b4166e271b3f
SHA512 2eb648ec13c543f3400d5ac268836f2b2e5d68b015bc68b9e19502d05e8ea45b4d94aa0d6b5dc543bce6c25c9a849e3bd919c2c5b400b87cc99657d5fdf93051

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 7839f0ff3e5ad404b1af4ce35c494d2f
SHA1 e920ebb8a22e38a26e7855df9dcebc6051fbfc0d
SHA256 f7e892a601f86270d049375245bb5c35a33c622d1a46f6969e5b55c942bc9c47
SHA512 ab939501d504fd1ce1d069750669a399eab5cf1b6dc8adf610e0b7a6a2947f1c90f6161322a2f63262b9538027c9b2caf50390e08add77ff0b7ccf8f6c103b8e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 a5443fd8f693e951e8a220a7d6e6be02
SHA1 238e15d44b5019b87cd48a4a98d528e09fe77807
SHA256 56bb5562de399c96580a879a1d1bc34c0f5bbaa0c00939fe2c4f1b0a2b836f8b
SHA512 538eca0a71d0af8d5ffba8ab9246fd3c80e4d6b76ade1267268578404baf1da8362a407632dd9576b06f6ca0b972eaf85f70f4fbf2860d49c7eb1c8f4244509a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 04c416856a26eac4abffd51a1f5c6511
SHA1 8c7ecbaf51db95f66a96cc65adcf9e859e9443be
SHA256 6f49f44c387bc3dc02910a7dd3f2b20e8c001449c6e719eaed0f5598d1993bcd
SHA512 dd6b81f831da3abc2229bed37ed864c64049f00aab05936425493750a31f5a27b4557aa63fbff3074eada3bc9c537c1b24a276475c142d5534c8918714a11d34

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 d6d60d079ddcaccd2017d35a0b6d91fd
SHA1 0f142fa268b8a8f3e35677dca0eaa314b09becd8
SHA256 c8717f6b8c443d01660d8c026ec5712ae1de16f07fc0b99162632d0a9ee6de9c
SHA512 32b34b12955f7630c1efdf3335c52d9dc6af1dd2d4b41ab77d39f29be9bbc3480b03af224390392ef3dc2bb298e80ba77f277e8af94ca2ebf9c4bdcaef189716

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 f2b6126db681cfee347544ff21f8bdab
SHA1 386cb7cde6ee266fba045920d3fc613f9e035ac3
SHA256 79ff0e3320a86b9f0646f9918e2c4ffab07af6b5c02577ea2f1f48843cae4ab7
SHA512 27e1b3d24f5b5cdecebfa1907dc70463053ec1928c802b55962c7b4b37585890747c0169ea443071bf4c6673433e42b14a59987f750157bb2ca941cd54bf45c9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 4d3a65c3e92c18bec46fde6705f745d2
SHA1 72219ddbb6660d4391010cf02c468d5753c7f7ac
SHA256 d42adbe1a7cdac9e5fa543cd221e5b015456f7b6c3c4c8218dc0dba6ff22d31a
SHA512 3b5b987470902f774d15951080b09b31e849c5edff87ae72b87bbe471135f99425442af9de5739678d4fb1edf30c118199284864102e67a8e2a3572f851f17be

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 0cae2663cc95d6c5887e752962031c5a
SHA1 94dc3d3fa6ad0d321361e1943516ee1b45c42abe
SHA256 4bf4b7e89c6e5a09cf21e7610d4f8403035366ae5fa59ae19425f50f6a203cf1
SHA512 8fdd4c34d6896b441f19e8ed645390e70cd2a7d265d42602ae91e808f0121ca940d90bbc3900a58ee1cc781c029e0c77f88bb40c6971608e968795dcc95ab567

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 99f1100f13f851a42b1384de8216bbf8
SHA1 f4e9f99d92c6c946d51ce63c6cfb09397736ee1d
SHA256 8f7618f3bda294b9431ea713f04f374f247abe180a2f1490c452ee0d716295ee
SHA512 120501c89aeb31f25b4e429e4ee6197663eb49a13ee33a6d96721e644573dfe7d55a598f023fdeac327374f04212ca55926d7c328d2ee4cc9ecc54b668ed1f55

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 652180aec5530c15f639024ee17ee0b9
SHA1 a3f7b20ff0d9968f4b04808b142a147efb40f494
SHA256 89e873a02d09a8ee77ee01d8d6a43b5e6c31e495da551e982efcff55c8c77dfc
SHA512 30b30307f7a3ecfbfd3eb805faa5479f9d6949ce57dddfa4141fe2086a5ff73d9248772effe11e297882ed2e9506fb1283718d87ed003c4644434be6805a2c46

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 a6b20d6af51269f78069d7ba6f7beb10
SHA1 b257a00c8ad2334f60f4dae49c0d9cc6652074af
SHA256 499a7b3cfe85e626431ab3271388e31f30f91042a36a0c294918d353d7d43223
SHA512 477b38bcde641d80747938f6589fa249f1c60c917f0f22a9ed027547feb318ef95dbfdc9e60c85b72df6e706cf15b3e19fc9f17976ed67857196d81966a3831d

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\CsgS.exe

MD5 b5b5f658c6cc0d751f9cf3e0ab245bc8
SHA1 71560856596d0f6183577a6d93be75c6662326ac
SHA256 6959874948639c8cde4f8996f25e6fa7fcc3db0b0a35a16fb82f363bef79a7d1
SHA512 e56cd7469a271918b9916a8e6e64a60b0d853a0dc9cae35bb4bdd945bc8c00363faa4b4072466ce52a8856a694bdc2fbc6680360f7422cb673042de213bfd14b

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\ogIm.exe

MD5 aea0b73a445d4353d004f4ab0040b913
SHA1 a6518d7afbfe3476f0d5a2deea485d3686d075b6
SHA256 e53f4ca6d48c745986d0eaf0be4a8bcf84c786a8b4b4c596af43fd3c1c061b0e
SHA512 9530622a211fc902185c5aebf842455edf0f22748393a1e71ae28257c2b2a590f75038034f2d7d54351059fee83445ee9aa2a35294a32ef6bdbeab1431dfed3e

C:\Users\Admin\AppData\Local\Temp\KMky.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 f38b316b43fe05311f0650ec7ca12873
SHA1 800f4b70dfa624961a8f9473952f8dcefd456d50
SHA256 2e468a3ca8cf38636feaeac2d50184e9aaebdb8bf4f46d10612a48802f9f9e61
SHA512 ce993604b170f256e8d51302806410e1f59d4585aef8bdeec2dfa2dd0dafcbd0c3c95d5656e0832e32e340547b73489eca6bbaed22af55046f46d8a09e0ad27c

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\AppData\Local\Temp\CAIm.exe

MD5 c46e633d8d6a0951e76ed8eb11991762
SHA1 34fbe578e2a9269d08d20143e54876bcc3b04967
SHA256 d9bc212d9d63e802ab2e2e9c3ba7ceab7760a883b0cdbbf1d74d53a2771574a9
SHA512 4d58fe7019b938b72adf7f5323be40469c5ce7371be001a656ca81c43cb1d5ca6b936735dd348a96f666b6d21b60aec42fbe81257b82cb6fb14c451a68243952

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\qsAC.exe

MD5 96d7242cc2beaf1ad4f4709dbbab3ddb
SHA1 1498f4074bea1c3714cc92a48eb9ac9eb537c5d4
SHA256 37d75d62f23cb172c35bb202f7345bd2aa9c6d2377796192bff4f6189a012657
SHA512 25c659432a465c2614a26d5b6a1b45ea3149f2293dfb63699cd7abd5fe011a555eb5c557570955f0e2306e7121b0cc64ac128571f7db9117b25e62b7729daafa

C:\Users\Admin\AppData\Local\Temp\iogi.exe

MD5 3f0a7cf2fd3eb8363786308a2e0d2845
SHA1 eef0a5e6c5d9488a9e351fb5f2754641b2e37943
SHA256 5d80182c43d7f8c0016ebd6c2b5f1ed82a919217061a8dfc6a62129d39ecf05a
SHA512 8e24e0ba2bbb80070a19cdaad175c951b994d89f097091aa91ee9c7d3ad69e00214135e1fe9bfc3facf3a134f3b83fdc8ef2959c56c79546bc36706da364b9ca

C:\Users\Admin\AppData\Local\Temp\oYcM.exe

MD5 42b288e60466384d4a7bd9404c8a5334
SHA1 b0417cda300cceacbc579512626d68d664085d7b
SHA256 1fe1516222740f3ea56ae740a39f0f7aa5b5a12a6cea1208bc978a2afbaac08d
SHA512 e4b85af51a44a02457f16d0597628f2456ba4f1b37efb245595ff0431f72fa61b46f314f5344ac8f43d619279d6413da12100e502c11403fef9fd74706a05eae

C:\Users\Admin\AppData\Local\Temp\yIME.exe

MD5 70dcf935cc898b6e04a65ae052f3b6c5
SHA1 9fc18701ac8aa191a67475bd2a742e7c50a7f821
SHA256 a29245c13e8f45250ce6386f24ac44a7645780f277aa70a00e36c4170a8d5334
SHA512 363943dbc5138e7610786417f7a789f8eee11c7e8ba6f7b088d81658c24c727d08e7886f2f16dd14fa0e558756349a0d5faf1237ae86d3692c327bf4584f024a

C:\Users\Admin\AppData\Local\Temp\UUgQ.exe

MD5 890db2ef8207db93f46460b541c230cd
SHA1 f61e6bdc0c35094fda3bd980977f79b418ca38d8
SHA256 85fdf78cf2feacf59f7b3c86a8d568ed22ac84cd2def28dbbad382778605c900
SHA512 a7c1c7b1ae5d2916ec39f83e912d63e53bf1f1fedccf2d9b185ab3c3c10bc3ced47980643a99c9f7a8b56cd7120885aa62dbfbac161b239e6ad0d3fddd27f4fa

C:\Users\Admin\AppData\Local\Temp\ikIW.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\ewUE.exe

MD5 01afda07ced96175f294e5ba34e6dbca
SHA1 8fcb725ad9a7645a5b61de690504be30b6a3b9ff
SHA256 2e3139bac913f996c95db3d7dc4fa424a0c52494183b53a193d5a182f95423ea
SHA512 16b23bc83c65d35aaa082f84fcb0573c41b12290af04698714f3de5dfdf2631454b41727ec85f4efd000a558feed1b0517cc0057153cbc660a3ab7bfcc693d0a

C:\Users\Admin\AppData\Local\Temp\aAEC.exe

MD5 b35723becd96b809ca7cca3ec03eb1c7
SHA1 e1c2e20fd4d246b3a50a9e0aa8d18090c1b384f5
SHA256 23f5e4647cabb7d680c4875b6db28e2c9e4bd7057387e297b75032d51917c783
SHA512 4bbfb5363d34475b99338db32f57b69f4be55282c80111694f15d9371efb24c5688b2a0d3a13ee341a5fe77808bd29760efdc76f0cb8e5102e3a5c5fd707a5a9

C:\Users\Admin\AppData\Local\Temp\mskK.exe

MD5 369180742a4e09193d14f99d7e4ba2a4
SHA1 5d674af5314c816f5910b95d5914b00303c801a1
SHA256 ae224b72b35e38c45dab2efc47d53ce237bdd6aa79330cfe862cd137ed432055
SHA512 08f6c093be702c8a41e318a836e7c334b43ccf9da077317a603c439d5dd573fd1687729e900ef2a02be15e4c3de5cd7197cdeba4844a8a3f13946cb984a73a57

C:\Users\Admin\AppData\Local\Temp\CUci.exe

MD5 fd81d025ae5b2f711fabdcf1ed7f1603
SHA1 733c2322896019df09f5404093cb5d4bfc2034cd
SHA256 6af2710b66c75c9ff07cc490f50ce6c129bc06ad53c553415351fec5123c91c2
SHA512 000cef62750c01bf2a67f34cf4972842c4b47f69d67ad2215471ce49aae195ec178bd8af09fd612ed9a2f077550739941c2a5d8946bc163c8e7e2e1ed2949e88

C:\Users\Admin\AppData\Local\Temp\qEkI.exe

MD5 4f7afcc5ab8eff46842efcbf3b97f0d3
SHA1 8ab719b7f00bd4075da1b63f115604d034c69df1
SHA256 387a1a5cd42c51895e246d5f16f3d6cc2f104558d5d4d63c2c56a555d03a85d1
SHA512 8cb31d35c9aa49c66f22b6e7e3b859ffe5ca0d2b4c57ad42ba26bb334dfd8ef2f78415386c9b9ceff3d1035b42f229461b19044b5cf02a171abefc908d1d3fc0

C:\Users\Admin\AppData\Local\Temp\gooK.exe

MD5 0db0d4f609621f70aa68df7a22057ee8
SHA1 308ac0aea41dad7d7249d993728c955ec0556aa2
SHA256 5ec4320d811f8769d4da9475b789b5e5859a7f2d18e166ec281f11f5c765a294
SHA512 bf836366fb3ff5f9fa12b6f457746db4910e83c4128eae8549ac9bb07c25faa87b3dc6f2ee18273a051ee7306deb39e1b11e9e529f82b0b92f10c3caf08a46bc

C:\Users\Admin\AppData\Local\Temp\gQkW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\UMMm.exe

MD5 e98cd01a81f05dd00c7b2ebed58dedeb
SHA1 86c6dee68b0ecba5b052be86124bfbc800f753b6
SHA256 cbe72c16a7c9a697d4594af257ec9d1ee007dd05e14c78d17e3e1219a6e6a49f
SHA512 7a82ba2d8f2730d174183c5e68255db8d1416f125a11f4f21ad7ba4a4866df7918c4d47508ad5de6ca025b5cbaee8d80b38ec201053134850f527b4eaea0ce54

C:\Users\Admin\Pictures\OutUndo.gif.exe

MD5 60addc7ed6cecf3e6455a00753bc362b
SHA1 82fe1d20d7194b9bdf80830c6451ca424f6bf6fe
SHA256 f5a197875ed069c08152209461522218c0b5526b9f0dd635cb0abe68768fa839
SHA512 ee575ed7a285ab2d9157893ba0d1e24eb79488ac922bc1d3c4df354adf2b7f6ad774b985d8d954c8baffe8d3eb5d7a64ff589d537a62cc48c8c9af9b2ddd9987

C:\Users\Admin\AppData\Local\Temp\GYIC.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\Pictures\ReadExit.gif.exe

MD5 8b31be121ee595040f580d1ed1e3c529
SHA1 5bb1a179d1e320442ea6f5ebd501cd6f0be30bf7
SHA256 e296b6966760fda61cab1611ee88fb4b7dee0f40b3d9c1cf2ff7ada152f60017
SHA512 811854fc07c4b59fe846c32082a126f19888e85c94c445d68c505adb2d297ddd6b53f3d7f006142eab6352093a2a86587ca72b24c706cc50420059ed11a4df68

C:\Users\Admin\Pictures\RestoreConvert.gif.exe

MD5 43d9a93c4490c3f498b52ca9e6eef67a
SHA1 ad9bf8f2d0f010fd0809025d3547ac02b29e024b
SHA256 c9234d0fb7fe0953d65cb90d9278ba5e85c3c0302a9a05293e21adfb5a012fcd
SHA512 d0f4f84faa2ad218e6ed421bab4f8f833d671ffd82d8732b959af4288a089336f1d2836df3d0f1532dfafd05f3939f3c50f7f933df7d085cd599d20d8cedf2ef

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 720ed30ef698f43be2a186d814aa5fca
SHA1 8fb75c839ee33f670e154d2438e594cafcf2eb79
SHA256 8b7cd9abca196799aa269b9149ddfa22d6a3f318fe52a4e7de8cdc3a6041124c
SHA512 5016e705a0bf05ae92e48cc95ba964fb102d8fcfc43162d198ef08e4efe3efe804dc24d7bb7ec92cbf586f3eaeadf3a15772ef38b51927442d8a4057ac11a977

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 4d4db0af1688eec4b38cc8413c461c78
SHA1 0513d5c764c841455eca4fd3135ee9bae760f68c
SHA256 e0a519b8859f9310d238b062776c2071727421814622e9d87dc26136d2cb55f6
SHA512 f1ec98eef3fd1687e81e0d1445576ab6ab0342757bd324d077c0439ed8276ee0b2b1ce97a7a2d83ef1a5b9b76193e37411ff943987518876ff22c292c7ec755a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 194da68004c25f6d32b9ea5b25b528f1
SHA1 8fd39971d4cf1c5ab6a23e210a1495b1e0fe8f9e
SHA256 3b7956b293ae4cbd7220e6fe87a157347c0e545cc688e6b3eedabb923b2b6c14
SHA512 e2ec1c54183f97ad78b546432b5cef226d844d9c223b9d37847133c56c92544d97e482e39d3bc63e0d1d4464383b2dd7419f8b74c28b03f0e92e7c6676f91847

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 7fbd4cf936922f69c672056befea8e42
SHA1 51fc1df8a9fec4bfdd22faa619091c7c81539662
SHA256 f13a22875280b8eb317f30033c74ed900ba488e49d6377cdb26c7ee0772e7c98
SHA512 d6bde11b303dc68ad004b02487e3d4563bb08ade2a05d2f02458fbe5c16c9ff2080f04cb36f74c3e7415207d90474db1eed07eb25cef69915e55602fcb82bf54

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 47ab92b5629f71f6e93121e3b6b08ad0
SHA1 94a47276cbbb5299b08e665db6d752455f3ff2f6
SHA256 87bb387fd0a2d2e4635cf6966c80edfb379736ac97a904886fe7307efb456533
SHA512 377f17a3b4391a5063a9da710dc7b0851ed5686b10c55eaead675dd0e22aa4fa9b39e7b7949975c984114ebb7d319d1b98f79222ddc8834a22ce85d1f1985898

C:\Users\Admin\AppData\Local\Temp\uYYc.exe

MD5 7829071f1b4d1091f984f94be87874a1
SHA1 ee42af033904e0019c6354facb45aa2a8451bc2e
SHA256 2bc599cd9b8fd452545645be3ea695e068d9108561f93a086c6ad99debe6557f
SHA512 30fcc2757a61f00f5aaed249e3d39f9ac0301c3ed76c6121fde96942a9c714e04859d31eeef3dbd49b1a6d84fc7d7d63074f75851261631724880715da678187

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 e229b5e421bec7c27d4474f73157da53
SHA1 5e97b45113ecda67ac9c77a432b4890b9aeab904
SHA256 576d4dd86083bb36303dafc55401087ce5f0e5d887f5e5c7c7bbeaf2304dc63a
SHA512 922e69b0e1e4008cbd8c06e69427bf91a88c48295d326c4d82b374cd1ad320446d8762dcc4c3a20cc67f45bfe82806894dc528c310187f6529622fc923ad82c5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 35d3f5f0f459818f1c92f64363c8d50e
SHA1 7c4ab384f2b55bc2a50f8debfca37f1fcc0b1ec8
SHA256 5ee0d681064394b5e44eefcf9acb626ce6bcd0fea23ed00bf9759db458d6a27c
SHA512 8a2c9f9361636207f76b142c0fa6f753de39a65d639aace905dcb103e9c6a26d1f8d7eb3f41ae12c61c9e2fcc01bfa77e8c440ae28726afe7bccfa90a63cfb6e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 0a17a95eff4c0d8d3d7f3d2c716a9e1b
SHA1 2a9d949fb8d339f2670fc051bbe0169e009aaeca
SHA256 87026d69b6de247b0bb9f02160390846bd4f3becb1750a3a4cedbc7b9b3d9fe5
SHA512 98005f4dca6c39b08250d4c0afdd5a3b6ff03f09e3f919782690727b100394dc9aa0d18de4aac76f4a0400c660899dcb416bbcedc2b269c8f82172c0624b1cb3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 4dd54bb705b9ab4bce7618079c90181b
SHA1 699563e99c04acb42ed8bc436f54047efb702fe8
SHA256 22ddd44090eadd1bbed819c52976921a40798493547d9a2bc73a9113030b9ab4
SHA512 d304fcc6339a4b1e946601c4ac8656aba8ee5345daa384b6ebcfab881a4307dd786700d81f3e46f6308fa82c931808baf780829693c8722a5fbf41d7ca7cd3ff

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 563ba5d1b60f2434b79d15feefb5c9f6
SHA1 930bacde64a09d5723cb6a56e17bbbdee44a4150
SHA256 34ed8534397c46264b70817bceaba65d06d7a87b45dfc6c3bd141ad46c10dda8
SHA512 3256d69ee7f8300cf6b7bfbb183ce233064c4583995bbbe8ed293bd25c0e0c529df4a14a0563b39e738e92d0257e0bcc5a8ac4bb63dd78339ec34d88bee56b6e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 bcbf496f6752dbaf48c68af2675c52bd
SHA1 4feb8c443a9d75906a3f5a5cee7705153e2825b3
SHA256 a703e2314f25901e091bbd42dd9cf1b674bcee1939e48fe297a3b49b31e3b0e7
SHA512 ac2ee14fb1b1598b60ab7bc8675b8129b4c22b693437599c15d0ae88bd3b1e644ac02d10c9028289ba74bcb0822888b70254d72e70b2736a35e7a3d6127be49a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 5cbab46f7e7185ffc287b57f2385bff9
SHA1 89a18daeb8b72f1e5b9b1752652b3e172dc7076e
SHA256 dac9094225261d2a9b8628df050ed9ff2f86c50de17a8476aaa625ac663ab9df
SHA512 de34e39bb2285fb1661c5b15d0a53d259658d7690cc4255c3c0d2311dd1eba0223dade50e2f6cbd20ba56827c0b2648f265732da1833a78f8551bac2a5e1cc17

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 671998d1a5fb23a9e85f460bb3d96e96
SHA1 3673a3aff89e1e593bf8e08d9d6c9fe63fd45977
SHA256 1b3246ad25192405417f1f5f4e1e934afed90c33b682c04eca87f36c250d6775
SHA512 b25f9a433bbcb3c60875e82b18db03099da6adf0031f791756559f2490890e65e0cb2be15f24bbaa0705072fcdd0c556912e60ebe8b8351e820497b39fbef23a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 235d6eb9118444ac453c6ba7c5ebb482
SHA1 a62231d3a215600faa62f7a835d6d1ca03d3c017
SHA256 bde4434f5a89c1eae7ca185cc998ccd2b6881cbf8dea123b840d217a84f00cd9
SHA512 2460c37bd834a584ded5f615c2a5b4cad0166094422451ade758d0f92e2e52b29e2c132287272039395cb5d7ca8ce64dd1038691d24f258ef3e0d84977ce811d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 b7b8dc3edd208376d8122bc5f93c41d3
SHA1 7e97d805298ac03835ca0c5b0d991b0725ec4ba4
SHA256 bfad4490a5d0c2204a3fc227158b67833ed35124d27bf48d932eab59c952c8e7
SHA512 215caa5c63c8938e9bdf5bcdf6bc3ea2ca63d61d69f14a20693fc867663572d63b4716b1f3424af37f7de4a6c8e6bbcad3774fe814819607f96ed4445e7cd48b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 82c49ffca64e1e9679b8cc0a31371837
SHA1 628597758412ba05df44ad5650592327ed1d6dc1
SHA256 02411abbbe0df8b64774e2598d6c83a0cce2b1c3c09c5dc576f94999904467cd
SHA512 1f152f3416280bf93583c115fc8d77e58e0bdcb58e9a7c7c70eeca6b34291931f53964063ac9dcd1aca284a08f445d36e6d9a2309eba2b2e862b26d30e722748

C:\Users\Admin\AppData\Local\Temp\soIK.exe

MD5 6a895edd5c1f9ffa67cc5840228214af
SHA1 8ef3dd50e356efb85a176a18f9132fa3c4c6c061
SHA256 645645344d594a9f00b997bd25b9d8206f9a498f47ce4affba30db6688241709
SHA512 16b2f1e5ca2f3c48c2c3a8184c27275e028f880c4da55ae734e418bf3d55d7ee9616f00888b3d5a7e651e3eab536abd76e071edc8928f65337167ff643c50c58

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 badacc2abf2cd2c25000ca6b402fc02c
SHA1 b75853a8262a6527928a49f12ed7376fbbb972e4
SHA256 ea286dd444ccff2d762afb42f6a60cf29153efb5e1ecf85b069d20f2def11fb2
SHA512 0eac369500fb236db0400bc92e770b0fade92fd0bbba0164d2b445c6a73ca8a1d0dc6d64baf58e7acbc2e62601d5b8841d24bff8d6c20cdb1409dc2cfcf0b6a8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 7193fbf482f34c4b9c64ba7357d8051c
SHA1 aeef98e1b2d97ede6df0635a2761b47cd2ed9a64
SHA256 e835f0a57662ac70186870e224c459a1583220c991bf5a186ffd9261f8152196
SHA512 b6ad5f7af04a9b6063bfb7f90a439944df6c57c39a5e2e541a2ab5bde7f3d6c4720d23b3ab940a3721dd8b302e426ae6f02c060ef0ea65c295a5b8f689806ee9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ffe5af28ec23fef3a807b35c47600d9d
SHA1 303eb4b40aa854847df36f7234334e01c6bf03e2
SHA256 266b7d95e24aa59d00edbbdb6d584161963f36af9b3f4e27ccad7f1cb2352251
SHA512 e0b6911679b072b990876b4b1328ca2c7dbf5ace5624cd7396b25181b539490b2cae48bc851b6469a7944577e0ee239c56b627aca186f5b0679f3fcbdf54b459

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 a3773fd32bc0ac5991cab300c1246244
SHA1 313873de51e8aaf9531fac50aff0a5aac434c9a0
SHA256 4e88afe040cc1a23394cdf8d72459f60da01405ef3161715eb634b2582f0d44e
SHA512 306cafa5c214acf69ade5e430203457f1f7b4c8dadc4c11dda9d49a76fd62539ce6b339b01aedc5b7d528f1c0a66b77eae602e300172901cd842cf1b0301264f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 26169564747bab0fc0a746975a0fe212
SHA1 98baf7a957afca02109d3c7888a132c56c31acd4
SHA256 1119e21dad36e9722d83b80e8f73018bf4e92c3696ce528855da048f681947d3
SHA512 54480e8d8211c8082e5a456f91628848c79cf73e787e9683df73d7a83adfef74c932fe1e2669ce133277ceb5815394691088ce81457b07dc80293136a82b82a8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 675f0cd6073f23e63d36f186c03b66a2
SHA1 52d3a7f7cbf55bdb203562611bc89c9a5fcec2f6
SHA256 3144570bd797902ef00d7cd75a3779dd8108a30b55474474bb939a0bb19ec44c
SHA512 d7cc63f45601061026a980962d9d8f9cd94a3b1b97d32369a0ec7b48348504449181bdaa0b717596610d2a40cddb94182d3228cac539839c896dddffc734ec2d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 27ec491c9c3c53d3fb136d7dbfa6e97e
SHA1 49229b0075df7322acae4c52c8dd0a98c7b567f9
SHA256 ce46488302278e7e2d7fe303ad3da6d14d0e92682f23edc40f7c77baf8f0d8ce
SHA512 e35c18ed3f614ad17d6defca1fc1773c7872add9ab0c7a503b3d5fee7154b478cf226986b9777fbc172c673320480feb50f70f6fc3b77b1189fa43370903890b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 086a2ec3a2d2bb4eb9d7f4b855839161
SHA1 4c051a95b81a8be14b4c243212c71f523984f6a3
SHA256 9dbc0972f92e96014ca0207c0efe3e0f431353e4415a7c5d3aceba96eae7e5c4
SHA512 e65fb73e8fde71c74a55f03697741d8657f8e9a1e290057cdcc7bce6f0c75602c97353391340f5fa0887207bdc7cb7ad918d32f6f3138b6e70cffac3c129f6be

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 738c768d2e24c39a3d3a72ae0ffdee32
SHA1 59552be342c5ed40950eb9df1ee3b29496cff5a1
SHA256 5f7edecfeda7b5f3a67e3810a3dfc2a78516046baefd31547b01b9cb9a7452a4
SHA512 bb9740aec6a12367251caca89c329a007d00316d4c1139aa8026823b805b8eafc0dfd6d821935d34c28b0881448221c7590d7f583d4aa319f142ac709497472b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 2351d2739624ec01425cc098f5d333de
SHA1 d42245e20a8a8a2c304b5e14c1cded979b6d035f
SHA256 9d7e9de7c1161ca2c8047e9bd906d579f089276ee727698974eb0b1a5f95eb68
SHA512 007edc7f0adb1e814c5f264979e8f1152b29a4550c2735e6e62071d35ec67a1d84e395180516151d7b556d0d4d926f907d2525949bb93682d24676f00cd08f43

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 b864cfa09427ca07d01afb0bfc39d100
SHA1 01dc6469d5ed87ee83bc40224ed92c35da49cd68
SHA256 1f65794f6a2dd9bd0e4a4f72f51278bd4f5a6fcf1bae3f1489d510b4b59fab3e
SHA512 fc60c12a2f32cec1f288af631a08f3f0de8e6b48cd080059476f4f0b79b4414ba6c8094e43a2f93e2f5b6470a446c348e5182a3e280b69dcfc6f1ba645e6d7f9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 a054f9d5264f8b7ded3457e37b125e23
SHA1 1c1ebb33b164ee94df371add04cd82a4ad285ec1
SHA256 bfae9cee0c115c3763948aaff9bcca64ee410dd14791a92735a21883923f4bd5
SHA512 42b9b1830ef1a479a239e82583aeed8880ff23f96e6da66fa1508fba0d6220fa2153adda8db4efba79d8dcd1cf371e9e875ddc11d3c674faba89ff8369db1b30

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 8c1f0d46da2cab3bbde65fb72d64e8ff
SHA1 bc961cee4436f998a1fa7a28f03fad3049a7c122
SHA256 657e757e7baba65a0ffa5258e35171ccff522d16f25601a437c6bfd485e545c9
SHA512 1f1f69b04679d88270554d47d1b61e7dd5779240883754c672c890b1cd2d04b2980389a2b7affa0bd9bfe58531c9f588fb77c870d435488184d94032433f9e5b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 ab061e0073adb140effb5f35390ae154
SHA1 3ec58c283054f45b2c584a7eb3e1d7a07055e9d6
SHA256 57774a9909236668f8e888125a3c53658ff4b7c9ec3c3fac43e4e3b83af76447
SHA512 1d4127e82dd9346970d527e12c7d78e3273e05aaec100035594edbf12f4c05346525b4f738b26374652caf455587e766a61b8e660f9213a1d65d45c1a45fce55

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 66d4ed6a2e3623a40439a87a0e2ab2f6
SHA1 e6c67b456e55674d6a8b3d1dbad7611764b9d44a
SHA256 208457b3fbe1aadd2bb274c86a69ca7d67f79c747d84a3d7c3c711ac61d1bd62
SHA512 25c87682a64d625a524f6749a1b9e45c048cd9474885b94a4e56e833b8ead7fc1d8c7e280584ef35cb490bdfac827ed095c89643b2665470b2bfa35204ff085c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 af0c871531d3ed358be49dbef25c8cef
SHA1 2cb4b6ddb2da5b678da1d68a6e9a95cdfbf1f73f
SHA256 8624a47d5b3d02d3da7cea5b2de45d0d4cc1288403cd42caeb5ba3b9ef926c38
SHA512 fe4cbf4b26c5e3255de6d7a670fd7d79840ef2360f92fae3b91a6360b64b2c717f0437c9d7228d10780f35e8768e42aaaa1aa9728e844f34dbc4c125dfde1865

C:\Users\Admin\AppData\Local\Temp\SAcg.exe

MD5 61f3ab2101d7c1c8c9439257ce2ddc40
SHA1 58401afe33a71cac2e0d415f6799be0793b43bf2
SHA256 008ec085e6ba897521b2861473d48bc6ea20aa9412b425658f062ce598329f37
SHA512 e974fe22241b0f20fcd2e23ed11624707f063b7af8c80fbd1de97fc76049903c8c892ff52c9deeaec38e62c7dfd8bba328cae32655b1dfecd6a29e70f53ec5e2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 401d461f4d3df5f112c67f8e5660ed04
SHA1 c8eebf67d05764a60f554fe6ba6900cfd82c9697
SHA256 1918205037afe8e4bb172c6df7a631b84d6dc756b83c6a7f6aac5848ab9154c5
SHA512 54d2b95fda484c1caad6c60ccf6e87cce9746814e31732ab4ab38b4cb5f690762d05f0908ea36cc200cb117141c1160de9eb114145c766aa294d616344ad8628

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 30ec93b311d52a709f71240908dbebd0
SHA1 5d473c39e20380b982ab64e4131455a50d03d08c
SHA256 b424d13c21e3c711a4740d7073409d1b0624e04eec5a1d8a156fefe3a84d9277
SHA512 e5ccb0b1992a00aefab8afc564f2b3282a4e5c3a91e08c080ff9fa3ce0e988e5fc3d820b77cadd708d53b65e461f52a8fb3feb9b5ec78993c42698a8aab6a54a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 189162ef81a3b91e40ecffffcfa696c5
SHA1 8e4fab14f7904f07e64c6e3a82259e8eb9f46508
SHA256 8c2528ca5c88650629e5f6e14d7ddfa56c1a910e110c69e9ece5191a3b38076f
SHA512 8d51b446018a3f3588f8d7dc88878dfa658ede2f6ea97f3a0f39e9d82cc479722fb1592de8bd51173d8cdeaa441f0dcce72a1a09a62efb5dfb8b014c44a72254

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 02a2f5886a000713999695eb048e430e
SHA1 ba21365f7d0f9b0527493b42ab6bad0d54197f47
SHA256 622a51777766e5fa9286202fd6ce299f8d8e4e6d612303bef724655ea897462b
SHA512 f865fbf36360b0dc66f3d4fab0eff546931a5476567e013a06ccb4d4cf766d62475050249ca9fb094b75ed6a4f3328d20c0bfbaf8068be944d05c4c7d9a8fe7a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 37d567f85d85ea9bab02444c55d0de4f
SHA1 b61a69901fad03316e2cc31440959f49e921efda
SHA256 89ab2876405fcb669abc8e9ef3b2ce2115cadf9ab2e0e0faa84d6bb4346567d6
SHA512 aeb7e15867aa4bf6e478bd5bdab86019e9ebcc8f55b68aa2a308d86e19e27b8e0ee8688a44d957f38756e522d9dc5beb5237ebac856639693c62f427cfae8e5b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 7a423f6b1e85060434acffcc86cf252c
SHA1 bce42fbe9f93b2fe64bb40bae49dca60f2e8bbdf
SHA256 61c3e4dee3f0092267674f4b0ff47801f0c047d5ac821c0562642f65156b74e4
SHA512 f81d2172b025b22c72eac289beb145972a29c81edeb736950898ca2dc641f523ed894de67bf481f968dbe55fc882512398374bed68bd0e7c99f3e9f491909829

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 4655afe20af48dd267c548408a2f7381
SHA1 a7dab75cecb9a54bd246daf9decc649dacd6519e
SHA256 d4033e3bedf35af87b5420bc21addfad06d8e959b84e3fd76dfc8fae37f9e759
SHA512 95c19761cafe7f4e04edbf224baab77e2a992843a53eb64cf91c0b4de091fcc283f90f56e75a7d6175794a08bf62b0392440ba890bee52f3a0de8a48a385d248

C:\Users\Admin\AppData\Local\Temp\OsIw.exe

MD5 80e3848bba5b827a34b61d6740c3eb0a
SHA1 1feb2a571fe26fa7fa21e6a7692407aac0bbe0b3
SHA256 65df1ee2197239144132b958f2eae38e83caa1df3ead50ed2c1179a83c7acf0a
SHA512 d38ac56bf5bd1ba93f01eb4a724e28e432b0991410da9af7a526955e64326b419c082eaaf49fe190a41a3eb3808776030283c0aacd9bfc465755f5af150000e8

C:\Users\Admin\AppData\Local\Temp\ioMO.exe

MD5 4744cd1680d72743763fb107711f8da9
SHA1 d8055ee80323ed6b0fdf4d483f8563abd3add60b
SHA256 abbd57ebe1ccc232048cff431eb0e4006cf323b42766cd1d204aa5cfed84bb7f
SHA512 89ff666056d06289197ea6a6f703f8006f140a7fc8f7294c573e0f07442fd4a3565bd837c1b390d215fae401e03f563b3a504b7c0d91a31f6b35ca5f977b16ae

C:\Users\Admin\AppData\Local\Temp\IAYQ.exe

MD5 75a45826c2b741ca41447403f9652ffa
SHA1 9547cd7870752802323185acb5f369bd26298f11
SHA256 0cf5f702e89c00555a88089f0f6765efc6e07e32a5d93939e7ca1bbde9edc9a8
SHA512 f1ec775eee5599191190ce58429b20819797519edaddb80d9adcd3b00c5c707141e70b54e6569230d1085b887854ddbaadfe78001ec12a6f12dcfc7f08d295af

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 7aba1ccb75ab5ac76d4835e11da904b4
SHA1 35f5a7180a8517cb9cea2ad38f29284f0ce758b1
SHA256 85722715f29fb04207b599b21450f64d40ad1b639c0a6ce789d8b6d88a939d02
SHA512 94072b306a4122e53c8be2e792d8057d41f64d2c75e8e06636e64289e7075ac5e92974b99d09486427b7a9d397c556e1a41312aa67156bff9bfc284e118cf468

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 64e80e1950feb6bbcaac520612898225
SHA1 a6e2a924ce3330b2ef7396439525f43ef7f8931a
SHA256 c07f85d8826c8611a9bd349ed37022ba1bb0538c8a409005f6e50302c084b7e5
SHA512 76706db2c64f7257057b5538316bf0f87f0b1ebd64bfe2577c4c571231e09119b0d930713b4e6ece19e2dfcccd7503dc72a18a1d0900ab5320240247e4ab0f00

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 3a2da5f50246ae60d09655e746b71f60
SHA1 d45294695ef87ccf7873093f3ed22fb9badba309
SHA256 1aa8458d2a2f18bfce245b44b333307508b98efcc12d2b144f72ecb29a7db4bb
SHA512 a0e000435d10ae042f25eedb006b63678f93cb64d4da0b67f74b516cf23f66d8a736d36c5f112107604ce74c89dcf496a7bbe5cb7bd07ba09e0592f0dc4d9deb

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 ebc2ff489c98a212bc72f5a531b24411
SHA1 91752447cf429c93bb9be6304ba9a8ba9a1c5b32
SHA256 c1011044617371d343f31b8bf0f9cbdecfc36ed47afe243e87ee3bd00be0ef7c
SHA512 0e0ac8e6174190e90e4b5583b4b41e19a1ff27ab6e03cac78dc0d49aaab4ec2bb37706c7a58d0901b05b67ee0c608326290c025b7c2a5516b3f97f6508a8561e

C:\Users\Admin\AppData\Local\Temp\eQgo.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 9bb619749a58ce8137c72b3a1a6af312
SHA1 cbd0c4991cfff8e518c04330e77dbb8f44bb929b
SHA256 ee85ffd72517775155355a4f23ba26133ebd4ac571366f561125d04b0594bbf7
SHA512 5977e128ff4f7ed3db0a3960a9e5875081177cdfaf3e8e93816e136e5d057f922493b1710fa06a91fb5de3420337b816a6fb77712e9a74e2c0c9ba08e8b1384c

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 82a4125b8db59d430dcdde2fe973e994
SHA1 5e7292ea2ec5a0d7513171b79abc6181e051b667
SHA256 9d0efb70f9cfe56007252ec042c61adc74755c255e192eec7bee2b418679cf86
SHA512 c16719d856b40952bccf08f419794f5723029b2cb338dca82825418bf5fdbba36af48628c700253a57bdf16355cb75c4aeab24a445d451bd5032d7d3b4a3b72e

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 3b0564fc2060186cf59c8fba60943303
SHA1 93be0068c3cb424e0af8308aa78cd34456924aca
SHA256 67ef5bbc0543cc565a1f7174e1ea289b778f919e8d83cc18d72443f1e334ebe7
SHA512 49a6fe5845f0c04af38cbea43c47d1b2c520f970bfb83129f121ea61503b1f99121117bb5d881e64e9a40f8c9e8537ad59a4577436739ca3434efb7a14ea3179

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 f43546e4c7516d5afb489e8c4b85de9a
SHA1 baa35ff5e9697628b7c6491a1439426b7a7d4933
SHA256 ff072018f99806437d285b0bc76c6f8c6665575a901d39a9a3055a4c521cb196
SHA512 6fc59fac220ac4974c848bcb1e3bbe2d5100dbdbab90dcfda6cae909528dc100fd8c5c98b621705f3942a7f550f08843462e66d02cd8bdd73fd37e6e371d3368

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 5daf5a031384752728fb4fc6f2d02b4b
SHA1 af070823e941e9d7d1eb1064c86eca8a95c9cd4f
SHA256 5bac3d6b7c0fcc3989d838f4baeb7d2b79dbcd89df5a3802f1dd07805e2dc87b
SHA512 8315b59f79c9e13f4b07e3832509705c5c1cf1e9ab5e69b6c3b93968ffb255292464fd04a6ce1c417427c85444d65f8abc78a1c55830c5e74f9781ae3631394d

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 46488bdf5e4ce5b927e31ba112fe9398
SHA1 a07fe7ad8fbfb09a80e0042e9f3e69d2bb70e0a9
SHA256 5ff1dcb614a7ddbaac418e6872175ea3738bd2a0ca0f8e82f4b3138f44d7f760
SHA512 48d6eb9d87e112dafe9a0e80ad190fdce10829e8c3165e95b78b365ef0c507e48c93cef35fe78b25a91bd8282aa6acbc80accf772ddfaf1194a6809d7ba328b5

memory/2668-1744-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2720-1745-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 16:10

Reported

2024-10-27 16:13

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\ProgramData\cSYckEYw\gWsUkMgA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7z.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaUUksgE.exe = "C:\\Users\\Admin\\iYcUkQkc\\JaUUksgE.exe" C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gWsUkMgA.exe = "C:\\ProgramData\\cSYckEYw\\gWsUkMgA.exe" C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaUUksgE.exe = "C:\\Users\\Admin\\iYcUkQkc\\JaUUksgE.exe" C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gWsUkMgA.exe = "C:\\ProgramData\\cSYckEYw\\gWsUkMgA.exe" C:\ProgramData\cSYckEYw\gWsUkMgA.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\cSYckEYw\gWsUkMgA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A
N/A N/A C:\Users\Admin\iYcUkQkc\JaUUksgE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\iYcUkQkc\JaUUksgE.exe
PID 1880 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\iYcUkQkc\JaUUksgE.exe
PID 1880 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Users\Admin\iYcUkQkc\JaUUksgE.exe
PID 1880 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\cSYckEYw\gWsUkMgA.exe
PID 1880 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\cSYckEYw\gWsUkMgA.exe
PID 1880 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\ProgramData\cSYckEYw\gWsUkMgA.exe
PID 1880 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7z.exe
PID 5112 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7z.exe
PID 2100 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe \??\c:\program files\7-zip\7z.exe
PID 2100 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe \??\c:\program files\7-zip\7z.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe

"C:\Users\Admin\AppData\Local\Temp\ed116227badbd21c809fd2482e74383036da4f2c135823e459a036f0a017c9caN.exe"

C:\Users\Admin\iYcUkQkc\JaUUksgE.exe

"C:\Users\Admin\iYcUkQkc\JaUUksgE.exe"

C:\ProgramData\cSYckEYw\gWsUkMgA.exe

"C:\ProgramData\cSYckEYw\gWsUkMgA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\7z.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7z.exe

C:\Users\Admin\AppData\Local\Temp\7z.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

\??\c:\program files\7-zip\7z.exe

"c:\program files\7-zip\7z.exe"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/1880-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Users\Admin\iYcUkQkc\JaUUksgE.exe

MD5 a39853f14e08954a69b398eefb2a973e
SHA1 ade2ca55da80c21027ee6640a045d1c25daa9447
SHA256 6d651652c4bca5f3eafa3d384a5a9abeb0a2336423d0e588c94e4e23ea41889d
SHA512 2ed653de5816ec85439e9185ec695c004e4827b5ca951f1fbf51fccad44c2cc22c1c0eeffd7f10590f925b529c80c67636a397916538e306fb66404ea5211387

memory/1368-8-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\cSYckEYw\gWsUkMgA.exe

MD5 4f498fa0d0f6940a014d5734616542ee
SHA1 7a4e2c7eaf9667a287c198493f1544d37d34fd18
SHA256 d597e77a7e51f45891eeab40a6383b9766881fc2d98c8810f87a999f30665ee6
SHA512 6a45f918a4f93f006f12217e7673b1c54b7503e5b36f495138a9aef56ee1efc3d70e989aefa88a8dc60926beb30bdc710f83cfc33aab29c24afc0aeab100fa60

memory/1868-15-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7z.exe

MD5 b0879906c12211847bd47d82af78cbd0
SHA1 93886552595c9c0d030100509e9e4d0d874966a9
SHA256 c8cffff93071bfa75a90a029518f67b2d3f454c7e367383681738eb43c11dfb1
SHA512 dbe2fc5d47b7f3ede51e8e5112d99d1e98759677f652e688cb3bc812db37548a804582cfcf06e6020f1c3767af0a3a196d5a865398c5462a65de3a8c278ccf26

memory/1880-19-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2100-21-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 88bc8ebaa21ed10fc0cdaf99bfcee7b3
SHA1 072856007131e21aee72b0d614c86453b24760da
SHA256 18ee9cea24149601cc7392526cc8e3d86ff28ff0bc28e0fe960584b0342313f3
SHA512 a5234cd7978ed69b1edb320e7fe7fa12f0c5885807d67f2ffd2490a1f1a341a3fa59c63b8cc24760e3ae6e0bb146fe3af72bf64290effba6a29fc8c6104dd7bf

C:\Users\Admin\AppData\Local\Temp\CUAU.exe

MD5 327885119c199fb11144ba501322c965
SHA1 0ddca3496a77fdd59adfd89baf04f8835e3d0987
SHA256 8ef5189cef258f41f620ce7e47ebf71db376d31db5ca5489dc23c3d81d1f96b7
SHA512 5489ae44b067a679212739b5d7f79f842c6b133b5e86e066f92ecd2b7a3d90e6184368291c16ccffdb1a76ec70d0517cc122072e644a5470fbd71cbe12c6d4eb

C:\Users\Admin\AppData\Local\Temp\uIMc.exe

MD5 1b1f318690ea8e711c426aca409e4c1a
SHA1 bedaf2d1bea6ca0b121199db94335f3c5eef3744
SHA256 ad92e3eaacc038bda93d787be30a74d6e916a56a2396ff5479e699f6e5150ca2
SHA512 f48f717b4b0a61b7a14490d4bf0c2a39bc1f8b3bf97eb5fbd33d1f7298422afb90ce65fa7b749a8074fe59ececbf873aee8b6d533e70c92d903d471185c0283f

C:\Users\Admin\AppData\Local\Temp\ggYa.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 1c5d1c3a15c8cfc626446eba8eb1c402
SHA1 e4dcf523f579126c71c58e96147afece1ce93801
SHA256 5c9781161d05319afbf6dd7276ec4ae4e316b903dc617051a1fa1a03a4eb40d5
SHA512 71b91f7eca878cf2b2b6156c2d957f2dd926a454798f15e0f30d807bc71f3e93608e846191137e56500f1af58b8039d06239651f8b9439e1ad2a117ae8311ccc

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 49a5c0c043efa31b658b6500dca43b2d
SHA1 2d2558c5c25e025e442b6c0c4d8529107e3ce10e
SHA256 d3096841ce81ea3b40f0f453672161a12d0c84fb79186facbb49ff3364ec2f37
SHA512 a528e91d4e7130486c35c07b09f871a038a00aef644118f101fe92bc1d6455547c5b593d5f1a74593a0aaa11f2f1a8134a78a38d2a9a5a015288e582d982b39f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a070fbab395394a7e096b9c2ad17e766
SHA1 7a1aafdb7388f3c34bb9a9ab2c2dd07b92b49090
SHA256 ca295b9142f06eb91eade3e82c8c2d564d7893a94ad48217b23a693c0e61ebd8
SHA512 4e8e35d06032beee7ed26ec488f249d0a6ac8d975fe94617f5e1bf61ccf4d7de7787f7552b16a67462a6cd452a94cfa78be947669820fb2112b25d0ba8f2c57e

C:\Users\Admin\AppData\Local\Temp\wQcG.exe

MD5 1c6f0afc8cf0529cfd239dfc0eb8cd85
SHA1 b8ff6f086eb4aec8326ac5b576d3ebca11dde74a
SHA256 b36894f12c6d4762e17a07e8e4f677c1721ff87a25be00a41578842e1bdae8f8
SHA512 53d0b83b33f210a67fe6c27c8e0f372933feda766241625c38658c8189fde48f31b342d4441cbc8799c3cfdfa777194bf51aded1ed0ee855d7a496eef617ba36

C:\Users\Admin\AppData\Local\Temp\KAMo.exe

MD5 4ced3561835335b64622362b830a5eae
SHA1 f181cfd0b10254204e0a5aeedf9db17131a7533c
SHA256 67e6ffe5582a5b13b6f4609c834244be7f6b4e74937d7892ad859f66081cc6fb
SHA512 41511c02a675bfa31a0011695461f4b8dc43374bb21c4596f24e26918ad7030875780a06dde7cb8b9c3d3dc2891930f837357af5ece57e53ca9b6691a566511a

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 6dfb584811dfff392bd024fae935af9f
SHA1 e5f4843daf384c7a6d43287cde10b9ae3a4378df
SHA256 1ad4c8b6009828ed78ab32fb3fc4b86c62e30d19a01ce799c4e003930befde80
SHA512 07baeb6fb393e60ffd661e45efd9c2d2408fdd031c5639bb80b9f338127c5678571324ac1ecb59202b0b9f7feca01571e32b164d063bd99e360c4c55586d958c

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 f340fb017429c08503b043eb1ebcc181
SHA1 2d649b1dafe2f46ce385dd699447bbb5a2bdec87
SHA256 dc77cecf37186c7082a2b129694cfd2d063f8dd1d25f7e75a95bf30ac5e62bce
SHA512 ccf6955b776b170d322a778a950934447692f4a9c084a4e267883419f8a80738ccf6a0f05890df442186a676fea8e4ebf117e8586b18a0c175a2d8bbcdc6af29

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 6025e18af6984da5bc557dba8caa51f5
SHA1 49f3d9f85ad892c6ea331f145b760cb1d761a8c6
SHA256 3dec21ac4788cc87d4a0ed5465edfc8f297f44463b2e110f1daa78466d07b442
SHA512 f81b359a8ccca96e3a994514ca5dd290ae217c4f4393fa1b3a76c5ac1f9d3f5229ad3e548f77e74078c71395c9d3bb5152405a6d2aefe470ea2c380c80f3e6c5

C:\Users\Admin\AppData\Local\Temp\wcYA.exe

MD5 0735519c43626ca947d03265ead4b0c1
SHA1 5edc4e5b60fa137e92fc500b174f318b08c548c6
SHA256 533e143e20199ec3399619a8d2bfe59fd58d6910485ffb643b1b55125ca4fbc0
SHA512 ec94659e5e6d659bad49abddfe5e129fa688a4402d6adf4b67db6df7cdd38aa198588934f94af2e362905af90368c42388bebd49c38a95000708e90c0349c5f8

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 d92a77597c7bcf8d6dc1d84b313a3163
SHA1 d0b52ed20113bd5cd4af2e4f390563c255df93f2
SHA256 21744409ae951472dd116e0de9858949b901deabfe4537925def3435de3e9066
SHA512 e48e0b57a5820d64b460022130c1b4fe73d693032c54a117a6abbd40f5b31c7dd7837335672ea5998c75517e3769e021a80d050f99fe8e00abddaac5be8d3f50

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 682890fe5ee33f412e96b9649379ba91
SHA1 b4625ebd738ac0b633c39ae03396e636598c41e7
SHA256 339d5f403f23c0cdcd0574d5342c4ea4814f4f317a9b694a425a90a3906c8545
SHA512 6eafd4f03749107f8f6643d7acc1269e6f4d62be9e5f377f187e7f8c602ac4faaa131e570856c04fbfc5c56ac62b9906c65468258e4136d4be8bed4b288b5cd2

C:\Users\Admin\AppData\Local\Temp\qQUK.exe

MD5 738dca4d46e31d3b86b9be020708159f
SHA1 a03e522e67fb8416ac9ab4ea0f2f022c213988a2
SHA256 277698c981ca5fee59a5a18406d692ee57f4d4277fb61c1f8683afc2416e537b
SHA512 99f691e108c8bd93b0e04187f285011665b777281c30528003c1fc369c1f58ea41239471dfd8196984e2bb16f03eb0c11ced3fdfc0322e9d39b1b3698d359a94

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 7cfbc70e84dfc37f8fd2d437430efc92
SHA1 f9312ccc54a1a4c0f7f32511f42ddc4d5250ce28
SHA256 85a3eff7d1458dee9ba36442ef6e9e667a6df90a55b6535052e4833ed7cfdd2b
SHA512 98facc5b2505e94a8f55cc9891386cfccaec6ec913d8f1461a5f5fa08251df88544cb563d059b1fdb961b933964911f84dfffc03894ae4da9ac9738b918009f1

C:\Users\Admin\AppData\Local\Temp\oEYs.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 8416c958a4b1c844f8e27f3fbf5532ff
SHA1 9b7a3f0ad8f8b69afa738efae73dfa9da801e299
SHA256 cdf17f9a09d27e8c9d82e955a43e16a3c94a8f9dc4b92764b3ff11dd1c5de7f5
SHA512 8350855492fae4fc3a78fd0be8bd8b811ebcfcddf44cbeb0e50930eb0ae222552f9b1ce56d02165aa37235f9a859a7ed3c26824f643a41814b1f59aafd41a1d5

C:\Users\Admin\AppData\Local\Temp\QIQS.exe

MD5 42562c2967a9297fd6fc727fa852adb8
SHA1 073e6dbb7cd2c4dd5c8889403f5864f5f643116d
SHA256 2891202f5dc63d543fef8f780da36e02e8905ff4905480e4bdc5b43d97566f88
SHA512 5d1f51643c090e02bbaa961a1492c3c1fac786d3c25cdc3d3bfb6bee93e4f343f2fad2453dfe852e923aa0b7dcc4af8e39a9408ab69a1a54f92f22f0088815d5

C:\Users\Admin\AppData\Local\Temp\WUQA.exe

MD5 43f0ab804d3fd1be83100a3453648bc4
SHA1 02586b7d837a6849e79ed5ec33ce6e963a8ec526
SHA256 ffa3fe1882f5a4b104fab04c5fd934fedb2b6ad91167f7e7b9e60cc219c38032
SHA512 10af6877fbceeb4adb517d21a5a952974ac66644743ec88273f33ee1b15ca5adb2d750a1a1389c64b6e6e9c86ed8fe2aa8a2af9ef5ed4d4c6b32a2b66fe4cbf4

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 dc67a92110197fd7216d1a55189eaad9
SHA1 4ba54e39b457427604118195a5119e38f90f15e9
SHA256 e8d4a3371895fd411d63290ce19696ea05f5e04087678260275cbce15e8112e3
SHA512 73bc20e89b2bd166fc54ef3cdfef6914f37a52b0fda6e16d66bbfffd33d7115b393b51d37891c5d9e63d7e9beaaad0004bac2fcb4010bd46d8dd025561e0d2c0

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 17a7349d61a6f8f7d6e00ea870f49e43
SHA1 e0afd1bec7d222a947a6a1c411c73b05d53d6ee5
SHA256 23336a41b963960a93fe7e9f8ffcaafa084241a3db7f5a2d1bd1250681d69d46
SHA512 9c37a401daf1fc1abac8686768e58ab5d3d2f4d5b3768f4d52bdad63008fe6e210eeefb80112253bdf61a8998cad7bffc49dcf44aee85f732f5be5ec50fadf4d

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 65dc0a07539d8c34bf5a311ed31dad5f
SHA1 4cfac3e7cb2b818c4563c0941a81160d5a0b3a92
SHA256 853ec8a63d2b3d82755f131e2907499b8ff3dbd19229f2b2891dec789ec8bebe
SHA512 6880292e9d13fc077ae057864e8c67779e196341ee35773d208adac9acf34f2c40e20dffff3f9bfc4094e18638462a0da50a94ada69be49d686e528aa56e2c88

C:\Users\Admin\AppData\Local\Temp\IIwQ.exe

MD5 5e4c02b4a68a0aaef59ce7ae6722e96d
SHA1 bb627d78dd0c909507e8cc8e84b8300d33e7acc4
SHA256 a353880956c9049177cf5e37efa39e920e71defb237dc9ed1920676a6145a3d9
SHA512 b7a353591f5eaa75e6497c62eb70173e2c34c896276f86c12a872d4269e44834ef4886911e6b368fe354dd30f0498c100e3e3d8bcf47712490ae477577399496

C:\Users\Admin\AppData\Local\Temp\qUkY.exe

MD5 5dc31a17e322e304c6570594e954c083
SHA1 86b2f475eae74636e22d43518dd70284e51112ef
SHA256 8a0b3e43d5039a6ac7ddf9c0074cee59e1f8c4f646f02236f9350d684b8ba8e6
SHA512 d7906be6ed9168df78fb6818e90aa44965b409bc33e2e9163802ecf36d7eff0d05e041cc5009672823a38c2bf254b9c04b906b4463efd275f21b7919b2e52c43

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe

MD5 8d2f76a89f5681aa946be227502c200d
SHA1 fd9406c1286151d24f71eb1c6b180efcd257493f
SHA256 2fb917081876526d547a62ebd5bc4bfd83d70401e2c42935470fc8fb4fd60216
SHA512 bcdb40d397eb6a89803a8f41450f5a95cc181fb3947088e29af94c3570b128877d49c51e1a85c7f2e43fd65ba313c5b6b37d480f9e9ed3d8314b7ab6ac76da7f

C:\Users\Admin\AppData\Local\Temp\QgAw.exe

MD5 dcc61d6db7716dc04759b65b208a3965
SHA1 119ba043205f3fcac0896ccc214725df938e7fe6
SHA256 559bb6eb71e6784dffad7418ed8dbf04a7230df1e0ad249b63f578ca66ae689a
SHA512 b5911e2d82a6ea5a74e9f9a67b0093e58e7aea03c1a8f57a1ccc7e075c5f380eaf3d1dcb88ede610caac6684f7cd8eba82002a3418e444ec1870f6640526129f

C:\Users\Admin\AppData\Local\Temp\kUYq.exe

MD5 512af848e355e6d7c041c00191255b73
SHA1 ba20782424be3a486bf12a862e7b42f9a92cc812
SHA256 30a856fc116d9b9395d1e35982f9735d74a7095756151add9698aefaf361ebf9
SHA512 b98201b914004d380e7f88f5b933b6628ee9e2d0fcc0073e9df91a6cab8228a380f5e7bb4f78edec2a6913b84ac7bfe6710272f259754cbc3ab92cf03d36785e

C:\Users\Admin\AppData\Local\Temp\gkkw.exe

MD5 414de473a66a82017d970aa3b33b4de9
SHA1 fee0ce0fdae209a72da0f1748e97a7f8a6633774
SHA256 a0a9edb914efc666b6be6f06ee7d327ce4dec087f4071640ca6f5949d8450422
SHA512 634ca5b85fb66ce67058fa325b3046e5c923caeb9ac9ea5fbd5683b9df33d5b2e3e3d74657bcaffa75b1f36be78b9335ac4ef3d81326935223080744f04d225e

C:\Users\Admin\AppData\Local\Temp\iIsO.exe

MD5 82c0586f45d77b9f3f22b0b1648c6d40
SHA1 d2c232785d12796bc7b668e51fc8a3402b20ebe9
SHA256 4c17783d5d40e33a6d50cd5d42df3a0242342f8631dd9a147899df261de08d54
SHA512 68eec8843327027b6dc309bbf35aa0dd322d0edb3e7ec262bb93e71a516385b60fe8218cc41e15f2c596cddc3f28c5453c08019842810de6e373630d84e47808

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 ac08a50ddb87730f412e20c183e041ef
SHA1 027cdfaca41ee39970b0d73589b9631e73816e38
SHA256 69d3e6057c2cb7152bb7ccdfb05080a608fc721db5ec5cabb9a816ace585ad7b
SHA512 232ead8c5b4f0afbe0535f065f5edf9de5751d760e5201ac02d42cf8e83c6d0284478d41847e82253461a9bda85619019339dc484a0669375c3c8842caf7bf79

C:\Users\Admin\AppData\Local\Temp\UUwM.exe

MD5 be4d076ba7be51c12a7204ee6e115691
SHA1 8969e2b17845e6272b934c59da1a1bd82f1e5d68
SHA256 b8210977b2198ab2045154446161cb4f00645d0d2d972f43827fba6f1491beca
SHA512 92f53c36d107a2e2e199c6fcfc695d6573e46ffc02f6cc6b05f7a8a0012a62d98eca8e1604c291eea04dcc67bd862068059da78719ad6815fd8e14e7239381db

C:\Users\Admin\AppData\Local\Temp\MYgY.exe

MD5 557b80dff6a0ba88aad32fb3bafb23f2
SHA1 af7d3a189b4b72cc332f3bc360721fb1ade4f1d5
SHA256 9152b645e74dff5a07fb9ec904446ba7397be8c37903190bce81ccf7947a5b1f
SHA512 53f2531397449b778b759d3ce3720824d15011a8ca5405986e1b78a49189354ae91ff74a91fa5e94311c6817f538e1e16fd9de8fb7af5fe52988307ebe11da5b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 590baca34e9aadb621184635dbed8e0f
SHA1 ec213662805bc846c931c6cd656cb680223fe174
SHA256 3f1a83a1224da018b1d5d1285df336c459c04e8c9e673faf56018f33480ee8b5
SHA512 2887729463ca9da67817ae412c8dcf56cadd6e842b96f6bd447328d39ee29b8700ee7598198ce567ebc39fafd5647a33c4990b90c758346d45a5ab50356f1dbe

C:\Users\Admin\AppData\Local\Temp\qcEs.exe

MD5 b0f7e737a74beb85d0644fa88e2cfd63
SHA1 bc32093f6489c581f04d4990e1dea74b3ea5bc3c
SHA256 5e3780ad9e9b91487f6c2a0fd056afd604595f5ef9cab1f0cc59a8bb9b6a79c6
SHA512 1f4154779729801b511aaf4142229a7224ae9f272dfe84cd30d3badf0e798769a9bf6839856cda0d0ae1556f7c9fb6e3507eed9802a1672137cf054e19d0a5d2

C:\Users\Admin\AppData\Local\Temp\CkkS.exe

MD5 d3e19756d78731497b3b200d377fab9f
SHA1 c311b48b457adaf79c837e707ca35c006e3c967b
SHA256 01aacfc4cb5ad613b9aeddefbd7b8e089fe80abb4231eac685a85138cd35a52b
SHA512 ff6ac67220a276da34fe690333d77346c1e61cdc4012b0eef1fff4b90eefdb2b89ebbd65fa047126053804411c66082571219954ac32b4a105fcc2e1964c56fb

C:\Users\Admin\AppData\Local\Temp\igce.exe

MD5 24d5f234371b91313d94cecaea94a9ca
SHA1 05323ff4fe4642bf32c836896c5331048a7c2ba8
SHA256 030108022a0a7a5881f086f22f611d1908e9ed83314b0c30f676032d5a1a73d6
SHA512 3739ea1f262d35fb1b430cf6499c001c03abde84469db2187a8992d4f6e91847d45a725e51dffddafc666ad6eb4fa2027ea924d8df3522b301baca8ece0d8d4e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 7fe267b3670907c7141dc80326685afe
SHA1 7e6232d06751ea0d647b3f08679c640929e0deb0
SHA256 a5e1527cc104f2372ec4a008b88025d3c4a319fc62b7730d8df270ae5028f2b0
SHA512 aed65d42e7d895fcef7a4a93bb9d385302de1c412a9ae17d3272941c334ede13268886e8cec661aed3deb9501df8acc22e4003de03ac5a5514bcff2560728893

C:\Users\Admin\AppData\Local\Temp\EMsa.exe

MD5 f1811a0acdd663486b8557b95a583703
SHA1 10ccd5316f6e5cdd0d5e74f74f5bf7a1f145b883
SHA256 e48d5b839dc7620c87a1c8c5841ca12a6f8edaa48a4919c72d97e935ae9b820d
SHA512 bae50cd84405dfda783a7f899900eda0b7abd0b99f6e8708a2c6e16a3f80919af59ad011fbd9f58ddb7a1f8938db5435aecf09e798faacb3fc4884919106b3be

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 8b745e70e1a9ed17d345e1c5ad4e5cfa
SHA1 d87a749fd25a2ccfaf1cf82f89f58536f8a296b3
SHA256 8deeb45856ee766d2b670370ae0cdb125478d3d831f663c5ee1d585aeab57bdb
SHA512 75f26b9d0f2eeaedcfcf7183b94f5823ee1586da08649d02657ef8e01a288f86853d65463c535326abc499557cfb168d185b3e29d248e8cc616b2590e3aed4a8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 b44597ea2c3e02fce2768f33a0d356dc
SHA1 7f54a6f75ced7f14e605b9b9ebf233a41f5fad3d
SHA256 d2a6c1188548cb89aa723e41f53ad1be426a76cdaf775a6086deaeea7a860563
SHA512 70e6d7ecac1e8ccdeb8fe31d6cce21c6eeb6e4ef00d8963d055b61290f37df18154370684b991fd033d500fc5107aeb61784a2af35161dd73acf2573eca0dc3f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 a7ce76e4f3931fb9ce558acfb4e1fa53
SHA1 12aaec9eafbe82dc50ef12c8eb0504d22e0769cf
SHA256 8a9d898aed0201607e5a50cb3d4ddff0f084ff009472e5b3cb26e31ecd64654a
SHA512 d2dbf0d1af248e04e900348460b95f4444b435ff12bfb952549dcf5e78da63b69265337b4334b37de1bae77dd61070a1145dbb964b05d11c4386a9c2ca0f3e1e

C:\Users\Admin\AppData\Local\Temp\MkES.exe

MD5 3d352e665c2a5409aa433279f12b372d
SHA1 6666ad2d57e0365877d046420e0465eb14645ee1
SHA256 326d5df7f792bdea84b241a00c79b2ce6b630f6cf9009352f0a224e0dda26a57
SHA512 bb867171022f37606519faf51fd177d1f4453ea3e5e676bc224692befdbcf20f9b12d723f0641654338bbd77c2a260129ea52b160546bd1d6d26d6b04336922b

C:\Users\Admin\AppData\Local\Temp\YQMy.exe

MD5 c32e17e57dadffbe06061e1ed377a132
SHA1 24c11f472436459f205b6efadc761d5cd6c13eae
SHA256 0a24ee2126598e8066e5d38216f4660f84a5af24fc268851570945f253c8cc1b
SHA512 a33be8661e2299963209889e3818c99ae04f1f8675c972f2b82537733a4f7a75a7c3ff174306f3ca944929b5d9379c0fccc06d03f08139a39246631a6ee07d64

C:\Users\Admin\AppData\Local\Temp\IUYQ.exe

MD5 5e37225144f5f5ded6dc5ce22db44ee4
SHA1 85e61b2a5f70fc646a92df7c066018ab192574cb
SHA256 d64de45fa4be1a91dfe2b3f70a43301a4f3473049ac8e5a5054529ce6e7e6a63
SHA512 e6c22f6249881b125a484082cf2a23deff6967757189ad4aa593ec30727cc81ad6082002b44a8bd222383b0bbd3a8d2271e7c066d776e5ed713bca51682b34d4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 0da85739e9aa54b8c7df619d3313f939
SHA1 d23011dbf7b94251b32d1c3c2100a666f53cab05
SHA256 7d27715af4b6bcdbca011a09bd5e8a7ec39718498daa1f08fad157142d221f3a
SHA512 a3b6d39a19e0da9a599260c50eb51c3c3e3e2b6e039807bffdaaefc7bfedc01826a9c6f9d4defd8bbe1f7352dabe20443475d5fa455864717c2723ffe59aca1c

C:\Users\Admin\AppData\Local\Temp\Usks.exe

MD5 a13cbd46ef126fdc265de719acd64561
SHA1 6143148af463e145d671fde5d0021fff2d45db9f
SHA256 2712c8738cbb10040c3c8d818fc42933a4050b1a436f77b9868821ce947a2f71
SHA512 bd27bed9fe316e8e8905646ef1eb74e51d14f8de9ac685756e2453b55de5d0d783861beded0ab2b62e94be119c81ffcd4583135c8d446a1943dd826c5dd894ea

C:\Users\Admin\AppData\Local\Temp\YMgi.exe

MD5 6e09811f36c7e32c7745c9dc6a2211ac
SHA1 78b8e1249ede19367aa29f5c7388b0bd3f352ef8
SHA256 8e15b4b09afca2904ed11c2ccb764a08f62fc8c4331c57e737fcfcd0d3b7b6de
SHA512 8e5127394928264dbaab268cf746433f380ef7d91c75cda135c32ffc0cdfee271c5b0bccc75ed900721cd3baa2493aaa604aabbe989d662d88ab28c3606b1ea1

C:\Users\Admin\AppData\Local\Temp\MkAi.exe

MD5 178dbe8a3a4571badf5979015f4e443e
SHA1 05d87a7901fd95f99d9b99bceab846aa38063f8c
SHA256 a81b6071af76aecdd1660a923b250324e89e32b7b98b843f251da6921ecf81c7
SHA512 fa97d66855065b95b84a80b9c4b81cbabfc6e4c1c3e5fbf587f094e05b6dabcf4ce236b6310d69c33e7350436b35f2a216830c5f63f3b2d3de90601d554b9476

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 e395bc53089a59e33fc468cbb3a2a2b3
SHA1 bdedbc708a58d06279e6b5cb973dff7f8ad45ef8
SHA256 36537b775e35fe3756f1153c5e2c857c6ed1b204381d95a7b08443535994a954
SHA512 3134f0ef76608384f5e98cbc002b3de01fa3ac38de332b49e1a5395447a71e846b57986f2b9b46f66425fc007b4df78230dd82855845eccb2738b695bd2d4b50

C:\Users\Admin\AppData\Local\Temp\SEwY.exe

MD5 b07a1d76f8f704919bd313328b3082f9
SHA1 870a91540df1ff921cc266f2a191740954dcc0b8
SHA256 0277f5fd44609dba4deb0da55a954bca1adb9ec570a6cd03119df16cf2e4cbf4
SHA512 851604a7b42ce165ae93eadc9bc051accc213cb957de4c4700562fe13751273f71a5e315fbd093b9ac0f5ac712f5d2a3dd05dbb416923823c0edff35c6ef18be

C:\Users\Admin\AppData\Local\Temp\AcQe.exe

MD5 4177d9ca5a9a6cc0cddfad6f232bea26
SHA1 da68bc854b47c1101e043131ed2cc591f52e22f3
SHA256 5de02ff64523110cb2dfbb1b99a5fefe4f8fea6fca822662b9b92e54a6243975
SHA512 4598664a994cd433df20543e022e7acfec9e91f091a8524c3ddd3b02d4b5c95c81b0a11bed312ffbbc530ee1af53a261ed21ddb3439e736367aa75bef623c04c

C:\Users\Admin\AppData\Local\Temp\MYAk.exe

MD5 903e986a0300ef23055120af79334a50
SHA1 f42cd94b9cddcd5a3f75dc2edb74512c67443075
SHA256 5bb6f7ca94b6551e7ae1bf95163de39a4e0a32e93f9a6a242bc27c475495e521
SHA512 a95ac1a6f6bced4a83e050edfb0da9088be6a272eeff4789132b2c12e15c84d6bfb8ceebf57d1357e294bb5831eb7234faa6b5e9dd53ffe69613fd8926e73e94

C:\Users\Admin\AppData\Local\Temp\cEMs.exe

MD5 184e9cb9cbcd62361f3db47e2f5db4f3
SHA1 cc671df400fa9ff2f3844fb4ebc79f0021808324
SHA256 d52112fb3eb6bb560bfc0df427f22d003eabb5ef7e8e8710730ef350804a6ead
SHA512 6a0b733883e8f193c02f3e3b13a5d5179911c2b3fd228a8ca88a6042f2bd76e8efb592f0095948ed81672d4fd02e17f689a18dca6266f8017703170f5cc1159c

C:\Users\Admin\AppData\Local\Temp\EgMk.exe

MD5 c263af644e5912c9acaff4aef895011d
SHA1 7f8d24a3d4617d591c329f03435d3315fe38f5c0
SHA256 96c1bce4e7570c76fa819ae3e6a013b96df7146e568bd23ad412c4f3e011f940
SHA512 96482ddf1fa3399b55d090919654d231acbf22fb2db96bd6300f23943e61e811e1231e78aec92b0799754a62a5240156e36f1fc6e070bf7a642804cef0bca8cf

C:\Users\Admin\AppData\Local\Temp\CAAA.exe

MD5 131e423422115b481b11023ae5ce80b2
SHA1 aac87363852474673e908e818cd5a38d0df8e799
SHA256 a831a594740e153c96e1d2caaa7f2537bb33b30a9a5b233d2836f6e0c154360d
SHA512 27ecb460e712d08db7dee2f3d68a362ab502f90f6f9c4b47573a5f9e037e99f64c6eb7d9790f45c4a2c55bc44096be70fc28e864ccdfe757b91d840e160bfa8f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 1cfd897687bafde27bf6ecbab8aaffe0
SHA1 bc9ef43c42870aeaf39438cd9c6bd632990b2d84
SHA256 69cd0bf8082b2accc09f88a794cb8051bbfb878caf95a57119c0d686848cbf80
SHA512 d18b75707d3aec74676dccedea169938408a7c05fd21c24e6dc8ab9a1005d999e882f9ffa4544ef7cb5d9b7b3ab90a958455c91c37441642529d7b20bd63d9bb

C:\Users\Admin\AppData\Local\Temp\ooUw.exe

MD5 53608e644a50e9c6c53d2953541763e3
SHA1 ebc8130ede20e7b0af450fe298fd0078495af512
SHA256 6be67c2c1ea32a73bee2fa9b4adac227c9a55d99865f1f3428b7a55c01e54627
SHA512 0243ecac523a402ace42581c368d4cd8c334a0615e469686cffb817ab12712debc60eb35b39eb02b9cc97b5e18462c00470832c82df86e23d48a2d74727f6ee7

C:\Users\Admin\AppData\Local\Temp\Oogo.exe

MD5 58a27893298241b3efc3138efb80bf24
SHA1 e0386965b803cf0bb1d9d5a46c3f55709a15add3
SHA256 43ee77dfdd1528b76b40b830cbdc40241eadf1bc65f96a9f1071fa1743ade743
SHA512 e80f3a75927152e1b18b9af6b6ad83e1d199111152eeabb9c35dc824c1e5dafa30cd2f1e476346cdf3e92534e04a1e8e8b8160d5af73108b1f0f84ab2d9ec726

C:\Users\Admin\AppData\Local\Temp\WAAY.exe

MD5 056edee51c1265e9ef080942102f723e
SHA1 289ee36ea923a920f10e8bef9294e4ab078b5b91
SHA256 deee0195938c586b6f0b3f43242bfc35965b8f1485a8966615d544c10bd6d8c8
SHA512 cb912834e6e0744ceb302130a5a9071251cd8adc9792c3fff54c7233cb2ae51e0a2f0479f29e20bc85bd37a1a7352a3324318886bdb97f48cc5f8c755549b0c7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 fcf59329fc29335ad952afade6467013
SHA1 37cff61f10184548d2d223bef3ee3767dc0ffcbf
SHA256 f498142c99f4afebc6f9f8df512867a103a4897be60061571298d483e919b0dc
SHA512 fc66bdc8d26ac8c0ac6471e63d19d2f02bf5f16e3dac86b5262c836f4c25b799afe29dac9d9527b142b8c6e7ae73006fdd46eca02b87d68ef13c02c4c917c166

C:\Users\Admin\AppData\Local\Temp\yMca.exe

MD5 b6c6f646e50ea324a9593fbccaf6db76
SHA1 c4e4b18c532e097a8b796a8986b3745ccf5b884b
SHA256 20a70802cb2097a3e9ea7998d39c9bd23749d346af2d9dfbdf23210be20f5d68
SHA512 a2c280f85f643f99dd32a17e49bb5eb24931997d6ffd699007beb68feef64707f912d00c1c927021b4befaa2d516c384b28f3f26e47b32ac1b6a1a0481ce449b

C:\Users\Admin\AppData\Local\Temp\cgAG.exe

MD5 6c32b5f55946b7795f2a354c40b85ecf
SHA1 d52b3420e7871141be457574ae7e917032c9c394
SHA256 f3871392d88719ae47a326232fbfc0670146a32d603a9d064c839e18d6f5d1f6
SHA512 7bd59f974ff529b2b5dc7745b13b6cdaa7cf5ee4a03bd9dfacd20be38e0857962c4200391726ccd8aa5e5e8d581eaed00bbde01fd52ec5bd93e0ddddc89f64ad

C:\Users\Admin\AppData\Local\Temp\MUUM.exe

MD5 b2fd2d8cbe69a96218926ca3de8a0647
SHA1 ad3ff5566202468f04a04c6876366d88fa36449c
SHA256 22308c7eaa61225515161ba92e30eb0fb876d6d3479ffd8290fe9dcd10cb68c7
SHA512 ef3b7996ce6553e2df306517685e1e52c4a82cab7d131953a84a38a73543ce3dcf8a2400cdecb42c7e70cba2b21f7205b12f20ffb0c3f622a2d10082cc6c66d7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 c06919e6812c33580719cb8397603824
SHA1 f21f19ee039001eb2b07095fd34b7b266be2173a
SHA256 c5f455a6bb306dfdbb127ae08ca687b877e0771f8b6c11ad64cb9c92d6c0f41d
SHA512 223ffdb99085f5c283df2250a096ac6ba6c7642ae748fe622d826984a36ec3d1b85d7612da14433357027eb96789bf8bc39091cc88cca27284fbb201c297f5e0

C:\Users\Admin\AppData\Local\Temp\kskQ.exe

MD5 c7130b4977ac03d1fa9b98b32a44846e
SHA1 563240bb30b5f62ad392331200f821f59ada50b6
SHA256 b7e85ac95a286e1b1ed328b0d93bdd86c6602c877ec2d696d7a5575f8ea1324f
SHA512 1a86e4eecf467ea341456e304939a628ba49a040b4e2ba59b25dfbc3003c7b212176109cdd19e5998e2dd2a02ef8d9ce3c709aa4c7aa820a8c4fb08d756ed98a

C:\Users\Admin\AppData\Local\Temp\mwoa.exe

MD5 fc42d24f56d9f3f1187d8736032e5ace
SHA1 3adf487e86eb1f5ed2c0defd2949b448d1a0ae25
SHA256 b3f5f6c7ca5c50403e1b7bd153c3b3f0d8ea27e592d86e5f61262652f92e166c
SHA512 ef715f0890ecfdd6d105720e6ef2522b4e38d13c67cd6876b357aa44bb39642eea85d890bfebaa90dae49efa4a3dab5f04769205fda22c7182477b1d9fb77039

C:\Users\Admin\AppData\Local\Temp\OAYQ.exe

MD5 a9fb1fa7719ec64790259fc3b7a88798
SHA1 8690bfe872fdd09dbfdf7d8da696fe7929e921ba
SHA256 20c19e36a0112ebb8568535e096e167b438150f4bdc5788ed3d08ec170a93fbc
SHA512 8f335307059443962b5c1467aa588a85a859ecfc7519c47e89d1da2b06072c55f3cbb158144cb9b36ab3981f1aa65ff661a0e41a575c1e57163072758718f7ea

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 cd8652e40c59034c946e4b49fc71dc15
SHA1 9064d3c59fda0bce59bdc2f7ad3a660f7a4961a5
SHA256 da3c2199e03d88d9d88b0f7858feb874f953d7dce4914b77e5f5f96323aef01e
SHA512 226d12fbc78e5abb47011d1a1f540b726fdb891f34cb70783138010546d4dae46066a2bbf961b130dfc4cb6f4b508e92d6aadaa285393fc6f956d3591c84d653

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

MD5 850d029c3579b3ba7683562f24b62ea9
SHA1 72ba7044850c76261c64dc0dc066b60f5f2c67f8
SHA256 5457370a25afe4bc98fbd46894fe6d63afc3e3e472058223dec37e16b3b43efb
SHA512 0e6edb50d4ba29b7befd4deb99b9075f72884c1cc0977223011337afa43ef11c621288acee8c1446c960f151fe4e3cbe3a9a02a23a747902683efef0ba0ee32a

C:\Users\Admin\AppData\Local\Temp\oAsC.exe

MD5 0ce9e9ff00b2a3e242607aae20c80fcd
SHA1 9fa3f65df68d4e3f196283d1ffd11b6cdd414494
SHA256 318131ce878501b1a26206362c4c2b25077318f6cdb408b802287634ecb789c7
SHA512 36a915ab5dc6b19f1a31c84e80d7b7e8cca798887d330b50529c78cea3b059715bb649d8e52b21d559ded28bab016ddd26bcb69dcf051b29392710c445577070

C:\Users\Admin\AppData\Local\Temp\yIUM.exe

MD5 25e4f50611e59e4a3c05dd9bc4a7d24d
SHA1 8a7a0131c657bc09f64e03260e91fd1bb6686132
SHA256 c3ca6e63e9732fd4df722f4e4c1c73bae64675bc621b1300eaef9616d26bf059
SHA512 a244950b382468f9139d7c58bdddd09eda11eef09deda29ada13a2e6c59f91367a468cd527316183087f4401b57e9a96ba3d4f3f048583f7525ff4d388937848

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 72d6ef47d6952698dda87a9e27ccc8f6
SHA1 457f00ab7279b04dc933fcd428f0ef9403f4551e
SHA256 10a74a1955f046c69b425e9f376377474c29450c95dfe4cb2048d11a471e6200
SHA512 8e112defc16b00fe827ccfc8e48b6e96f03c6bdf6aff5f5fffde38eb5b8b39bcca145e494bb50a05db775ea882b62e1c46c0b77d5947e5a1b5743ac8f910688d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 b6e41f555a1c4a26f471cdc8692d4d3e
SHA1 e164318c7cbdc2461f4a25b93c3814912d329bd8
SHA256 12d1c0f2d652ef7b95ee08c28e615f0e50d2deda2206d1113840cfe47fe14e41
SHA512 7c082d459a46185d2494486512b93439143f6d997612fd7ccf0391daf70d686f2f93ecb7fcb913abd6e6c91db929c30f400d5bbb685a3edc7db087a9efb4b3d2

C:\Users\Admin\AppData\Local\Temp\KAcW.exe

MD5 130843f8957bb9be8d8a201586151ff8
SHA1 d68dd850fc34bbcfba38209729fa227ea84bf030
SHA256 289f15cb4b7d02cbce8860d1e1bc38253ebbaa049a163caea329d2386936ae7d
SHA512 b9f15f9ded2796baf7c1dfb2fdf72a5ece9abe1bad46c31f49d1c87fd9f27e4ce8d5c6d88d9f68fe2c9242b061174cc71d382e56947af9a83e39f100bab7aa88

C:\Users\Admin\AppData\Local\Temp\aAgY.exe

MD5 0c5845727269c8caea7edbfd2c1750c3
SHA1 ddd8eb602020b4a710b9cc210889b1a23be721a9
SHA256 351043fb8b5d5c3fa580a526282d3db478a8bd017718b61960762f8adebd6307
SHA512 db4bbf869d68355478c9e4a4647a67f7a03d60be87c3749c6f2e86307c71b0e818e555f4eca858e7590bbb9458292f5a8801ed3e2cf12af2bfa3c865712b1648

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 bdfefcf66d4617dfdf1ed5ba2ac3596e
SHA1 65e2492f24317cc4d8178685b1f174c7e366b70b
SHA256 d6f5d7d55f0a98f1710a7c43069f2861d1071f0ce5c32f30f601c4a5d1b11e10
SHA512 7187f14ce062937502e0e0d68b3104358d6fef85179d86189e4c67e113b02a50181d9032ee30906bc55ac067fbfd47a1c2ec0401b7db58ba9c277573ebb15951

C:\Users\Admin\AppData\Local\Temp\owIC.exe

MD5 4c8302a0bd265670c603343b26209242
SHA1 d209d93e407b6d5370239dfb80e85243466a744e
SHA256 127693349b7564acdf8dec590b016927cd3a59d04c3426b0454e557e7a9463e9
SHA512 743e3700631cb39a9afb73b4502246d0481ee5d52bbb53e2b798cd434091679a18d37d2f4eebf3125df3675368530bacc5eff04ee3ed61bf35b1df266c18c38b

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 b8a85f0710d8179aad096d64509f191c
SHA1 81b19640481ace7a5b82aa720b0426f30ce3e4c9
SHA256 a7bafed7f01ccad960b9bce419f495eed400cfd582163878d9cd703483c3c78c
SHA512 3b49942118c9b449144a8f6e6a925e2ff8a571cac2bcb9dae30c7e61cc6c1efb9be6e694c24b68c3ba7d15e54cfebcc7a2f3aa2b71c362f57bd87403bf4884f6

C:\Users\Admin\AppData\Local\Temp\EYom.exe

MD5 52a2ad26baf2c568436dc1d94d925864
SHA1 e026b7b2186c37a1c0f5a077fd197d9bd7d2d089
SHA256 aab0595da26b7d9f9a0231b95f6f1608b84e25b1829dd4ec78ffae568c889ead
SHA512 e67cf517fe574fece318e09efeb70fffd1fffc58c0c2d8b128ba84e82f4eed636aba24f3aa61bfa32c5024f90183e948bb5c69e4402c0a538ec97960f98e06b9

C:\Users\Admin\AppData\Local\Temp\cUgI.exe

MD5 438b28c47042c38ca4fbcdf429091783
SHA1 b0ca3804303dd788f7143deddc5336176edb2b78
SHA256 1c0bddd5639dcb79f2059c3646d6169acd998926f8853f48320701b00d99683c
SHA512 929ae3af138d0e4f2c6270fe96c1949511306fbd5700aee9b8267d513ed347051e70ca74296be28c20dd1db4b25f13c26a645c926313d1855bf3f304d10e7dd1

C:\Users\Admin\AppData\Local\Temp\sMIs.exe

MD5 dacf0df6899254df22d37d178d8fc24a
SHA1 167b076443e8f7c5a7f70577c77dd54408e34ecc
SHA256 ad405490e7bf04126ffe286a94e8bac3c32fcfb5686700dd080af9eecc72d406
SHA512 bf0e102f7ce56e48ae8a35751561e9d2cc5a12ab822748195c29b2f366c8fabbf80aa96c8d5b51f48b21375e229725537f552b8b39937d38cff0547ad8d352ab

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 b286505e9ff24258f135debf9b0a3d83
SHA1 758be5ca79c22974fbd1afc67a5321096321a018
SHA256 ce81ae2da2b08e43d062ec8906e509fee18d758c9c3ae0b49182c53edba8010c
SHA512 12634490fe6d0e368e990fdd14adb8b8c82c7cfd44ae79213f2344c542a252445cc832f50322e38751973dd65105101b352af04b1d21274fea0620c1fce8d66b

C:\Users\Admin\AppData\Local\Temp\WwMW.exe

MD5 1253cb5581590c603c944872d0e5e7af
SHA1 9fd768ef906d489221f256e3d6cabce92814450e
SHA256 328777275917c0bd8ea3d3cec6cc1bbaec1cfdbdc3a578d2efb56466ca70859e
SHA512 386e25dae8ec70524fd02a4c4b09d29602cc43bfbf54da86108190b7a1d11bc3b9a83b3f8adee49bc7ce698302c5ac9047cd08af1a8b2376a45b16620ecc6d57

C:\Users\Admin\AppData\Local\Temp\qcgO.exe

MD5 5acc137ed32772da685008b85b50bda9
SHA1 e3f5895035f109c1edacb6cc8c8b00cfed97a2d6
SHA256 7d0f8cfe6036a7303db225bc66ab30c63d3249f20929e95d516737bdfd25eb30
SHA512 e119b0986a32c5c8a817ef9e32452ecc362c1e6fe9f2124637765c7a4eb3fa3fb8cf509462c85b6a0caf2c56532311b47b6b09a0af5a8abd8af7b0988f539f5b

C:\Users\Admin\AppData\Local\Temp\KwQS.exe

MD5 c45c4ad8249ed6e8947dc3c4bfd7a601
SHA1 7ddc0de319e5be8813ac82a4e2619edb1584b94d
SHA256 4865611e0bd6e94b3dafee7a222349a61e4ea034846981776f7fa1bc60e194ab
SHA512 9eff5b714e7a885d3a3dab2fa4cc5c5013ae00d264d5d48381c88fad3186d9039dfc98c914cb8d283a29ea00bd27903f6596fc951201240fac0b90ebd839420e

C:\Users\Admin\AppData\Local\Temp\OMQs.exe

MD5 442cefba2ac4e44d256fd77fc6d55679
SHA1 831c5c1a0b061b886658267f13d6e6a289b9a8c4
SHA256 6d1fce882efd35dfd65c7edfe224c6f217810823fe8cfa23003b5efbe6bddf8a
SHA512 f519cf7ce5eb935cdba943269516ddc9a915031e9fccc25111dafe3e740662d185fc531cbca61462a96055120f204174550171c6bcd90aee0f798b26a6068412

C:\Users\Admin\AppData\Local\Temp\QAoa.exe

MD5 afb53978783b06dee54e31947a884e46
SHA1 2b2732fc8b29a6088ccb97624df7dedf56916c9d
SHA256 23125b1403fff1e72a9aec50c7f3bb9a22c005af6b005866e38ba463d6fe3142
SHA512 736cc72b8fcc8dafb1dc96c581fddddc32be1c2c3e870ab3bd8dadc58e1d3c1ea4a5eaee91de3ccbed312ab4bed0373e453a1924e2b6ff60724f8ca4cb184945

C:\Windows\SysWOW64\shell32.dll.exe

MD5 ac6da065f0df84bb90ebb976dbe85bea
SHA1 44815e710e705717404528919ed9d7b225111982
SHA256 0c89adf0807b3a45fc422a804ea31e960c99eb99abd4782e2bfb069e5489ea13
SHA512 a1352cf4eaf2969aa0f2faa762eb36d5eec9d36e26d6225f0418072da613b47bc0b7b6d64ab0ac29d69dea45471fcdcf64b761580d41cd5d7df852167a7f7289

C:\Users\Admin\Documents\CompareLimit.xls.exe

MD5 e54e6512e55f054951b383a83c4aa12f
SHA1 687053b8744f62f75d0b6f80d555b61d7b51a108
SHA256 ffa1eff4cdc70e5819773b6aba6d464d19e49e8b06c2f29c060899d151adfbbe
SHA512 8833f606f806c202cb7da600938caa072a5474bb15577bcbbe7e1a0b0f4a02723fe2dcb9c0d2461b52b4018123158ec085863acaa1090efbe2ba26627c2c18a5

C:\Users\Admin\Documents\ConfirmUnpublish.pdf.exe

MD5 aa9e075ae6f87b3ff9c6f657f95e80a4
SHA1 e32653fa6dd7a5e8104d5f2eaf2444df42bff9ca
SHA256 b84f2e645982c889fc2d2c831e28282c0043ae881b8a46b8ece57798b82604ad
SHA512 656a37dca6a36ada0317720f0933ff5c9255b0790cc819be1b7922df8fa0a0fca34add5d8490bc9380750edbd08f34e480b9645ec357eb7fcbab4af5e2764c53

C:\Users\Admin\AppData\Local\Temp\wgMo.exe

MD5 50148ec3ea7996d42f6bea954385a5ee
SHA1 e3bebde3af3f4439e0d3092dc9f906cbc3f22453
SHA256 7dff51901b86780d92710d30e5d0c9013115cc478e57ab3939026e6f7037acac
SHA512 eea4d7b9d47f9541788129ec03303fc9dcf389ffaecbf29daa358803f894a9fcd9995cb073abd376e2f4e6c0b9336f8866543a77d2e3ac6e39af7a392031d04e

C:\Users\Admin\Documents\DismountMount.doc.exe

MD5 77ac03fd5a73101332eac567d1a62dab
SHA1 ab1293ebcf6713724f69426988fd1eba14e632a0
SHA256 81884d3d5a6c8961d94c44dd96f645c7d1159d2e602f8c90564ff8f58b843d3b
SHA512 ca04c1272032c8c9354015b56963523086a590890905cff0de3241d1f68fba1925ee570637ea2be46e4db7a82621d39b1d29db3dfce2da0d182fe6a6709864d8

C:\Users\Admin\Documents\EnableLimit.pdf.exe

MD5 6f53530fb4bb7e7cb1b2494241e2f50f
SHA1 ce34e71fa99757f21e20d69a972abb4aeb2e799b
SHA256 2f93ace344c0b9f38a5123ce56dd2382662ac65b19283bf4945c39fe5f19d501
SHA512 119cb82885c65d629cd78aba7e96556c3147ec770f148996ddb44b9c5139a7e070ec02331178f2099ee22379f8e7c46a965861e4b68ce07b896f0b7b4357a11b

C:\Users\Admin\AppData\Local\Temp\Wooa.exe

MD5 a600da1cdb555428ce781ad74286c847
SHA1 17df99883c94ef26f69cf9fb1d2f058638dc5b75
SHA256 3364cbefd564375a08eb12519fb78eff2a92c59b359cb336fbe5bf1c98d79780
SHA512 83c2799c5cb8b961fc9a7f2bc553f9411b54906b3a7718fa2e5b400894bd7b40a50468951da17838478777c828432c9a238ed13c77093da96835cf549d89c11d

C:\Users\Admin\AppData\Local\Temp\AsQq.exe

MD5 927da2750827406b4ec47369aa9f49df
SHA1 f20eaf1ba40394c401f0b22e0e35ed86926e8217
SHA256 2536698c54f0f8a74e14ddcbf2288073e7b4c7e68f7c8a1794a7bb5223289dc4
SHA512 68cec2183dc78b330763c85c50b576de53f201f679101f3997b3b966fe0b58b022cf439e054c01d336b555f42deb7ef1b6a8e39300878dd639633c4bf13ad015

C:\Users\Admin\AppData\Local\Temp\esES.exe

MD5 7c0057f69f80113fd2e9cd9c4a1fc682
SHA1 445d0f65d1cb6be68a051f233cf0c2e6590c03ef
SHA256 100beaf890b3a20de95dc6a6495fd77aebfc0bce6a2331a9cc59d97d1ed4eee5
SHA512 4ec7661e2148ce5da1a8a2300e0b2999ddd7b5067752447e63350ff8e96d00c72349195b0b7921ba408f6b87480967479b47307a4978895fdb74ba2be8dc1462

C:\Users\Admin\AppData\Local\Temp\SksE.exe

MD5 6679fcac1835f877c45c180e6c8d0dcd
SHA1 b9805b5cb1960ff06a295f2e3cdeaca0569850d5
SHA256 67a4e9b03d42c91245edd91a70e18d623f0d9cc1e06b57c5f400cbd2d1c6816f
SHA512 34c29014fb0cd5ac0ba04995cc5948f10244264759abafd3f309c214b3b9801241f092217f1b1cb9410d617860c7bb44f67a362e5953e282e494aca5783c10db

C:\Users\Admin\AppData\Local\Temp\cYom.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\gkIu.exe

MD5 d6fe8bb83144f686ac0bb7f47b5b7d1a
SHA1 d381fd10526367ef232f5d8b43547665595e496b
SHA256 059b91719e9aa5e4c15d881eb07bb56e7485b7a2743e1955fd17452d93e58393
SHA512 198f020699ec1e3d239e637603ba45dc4b9eac53b7351346ef637ee78667c41b64ffb3c0dd3e55d205eed029acec3cd28413a54327c794bad611ae3968b57e3d

C:\Users\Admin\AppData\Local\Temp\SEge.exe

MD5 32c52d1f28bc9092cd359566d877c5a2
SHA1 4c2b722d92e431c3b7702b07c933112f985269d5
SHA256 f2dbb9b61f4f6379f62d8d6c504d4ec0b59abc1d3c9b166d42e25d50f856997d
SHA512 b429530385bb787b33e7548e65dffb32543d3b644df32be2eada4fc80c0276fa7924e62e6e8d9e175bc26271bf695eac1ef5b823ea0aa03c3e81295922360489

C:\Users\Admin\AppData\Local\Temp\Msgq.exe

MD5 6a08065d0c019b2f2ec89103bee6456e
SHA1 64dfa6cedcd5ba467af76a80dd73f158b0c9f022
SHA256 1c2d7a00c15388145220717b3a3f4e1c5a6941e364dfbdcde175c942fb082936
SHA512 873080d36fe34e0d9db41355bb97a6184336bd840d844d26dc377a8df99e60f6d867ef87fd39ae86ab242b374428a44e99e7b3c260f101fc9484c339b7df085a

C:\Users\Admin\AppData\Local\Temp\EIYg.exe

MD5 b6c4aad8b269d00d46b0742d87ab8440
SHA1 3edf509699a0add75e933de9d5f556678d79d5d1
SHA256 f99175bc7801657de066aa58bf4c919aaddb39ba1916fcad90ef431956d058a5
SHA512 feb306673de6c493ee8eba582e8d854d68ac463d3825c4250836060276ca1424dc616f0977a307f9b87460b5922dcc9b834116f42e8a9123ed46cf4735722869

C:\Users\Admin\AppData\Local\Temp\wcAi.exe

MD5 491cebbec41b9467869071bea2dd2c72
SHA1 fcbf1ba79838b502ddb27ea08947a26ac6634778
SHA256 24e54fedcd78d81966a1b9be7e4f7141d5f6db628a6b63b807b14f68fe6f4997
SHA512 e86346c0402691a7522f4c9103a4fab40c9c4b2947197170b04229181a23b274dd5ce51a4b2d353608049c8ecab61361adb3b7fa99ba50e59fe4eb1697069fa0

C:\Users\Admin\AppData\Local\Temp\GkQy.exe

MD5 6c3f1514c1d44c255634d13fc14cde73
SHA1 cc33e44bf7e069160f8fef43a48b00a7a615df24
SHA256 59020ff869e3291658d9ddf644d506e0dec0250afab7eb581a0ff7ab63699c9f
SHA512 56ee24bc4c8d47ef028d9ad2374af60ac50c4c7248f80b9a20774decc0fff517196ec425b8ddef639dd6ca785b22e2258e38199a895d117d4d63683c85b63c59

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 5a5bf1ca2740bf22d3d67136cdfcd94e
SHA1 f96cb7ff79a443c7b0336816b43bbd8487afad16
SHA256 0dcd7a3d467d0352b2cfb74eacacbdedffe3a2a6365bc801005f9fa8ba3c7ab9
SHA512 89155b11bffbd28716888c9aec13abc8832b42431ac87d14042272f2007c45a60cef2569bc83b83fd228e006bb0e691b096ab98a554ef79b55795b3ef0907e65

C:\Users\Admin\AppData\Local\Temp\UQEI.exe

MD5 3ad8d00e318de863923de3a8de777bef
SHA1 2c9d6c933bfcbda3f4c6bae38e8bcc1fc34af6c6
SHA256 5e0acda2d5a5ae95181bf12139cb15c1ada9a0c01a27fb410b943d12278b0c31
SHA512 2aa02de998790204330e28e084715075e84e08a66e247428ab1ff9c8bd267c51dc4b74a2d1fae2b8beeebe2041c8aaa742cb4e3fa74acbfb7819bb62b62573c6

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 bcd71bc45749fab76cdc8048d8a3da33
SHA1 9b17369b6094ea241ddd6bf3e92ed1db43d1440e
SHA256 45cb4edd8af3ca82ed8e2068a48b4734045b0f76aaef23bcee29cedc27ede644
SHA512 796021426b669d435f6c31810d3a6e9a37f9bf39f898b36cc3ac70ab4ea85807cd32f835a62ac6dc27e3d9ecaf31606568e5193a3bb00affab7c8705493111bc

C:\Users\Admin\AppData\Local\Temp\SEgs.exe

MD5 4cef108db9bda20549b4650c40471197
SHA1 dc8218586188673c0563d007700dbfa169c67b67
SHA256 08a89279b51b3adfc3972c449d02c1b4f116590229d36f12023df0b0c09f14bd
SHA512 27e0489834b7e0da7006f3b0101f6c99a7ae38597f5f089ba2ce0db54246f55e116c50cc27538656553c3b3170b674912199d405ff1115a18a80277899b63a39

memory/1368-1563-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1868-1564-0x0000000000400000-0x000000000041D000-memory.dmp
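The listing above is the raw dropped-file inventory. What a responder actually wants from it is the set of hashes to hunt for and the naming pattern that ties the drops to the report's "Renames multiple (82) files with added filename extension" and "Drops file in Windows directory" signatures: user documents and OneDrive tile images reappear as `.xls.exe`, `.pdf.exe`, `.png.exe`, a `shell32.dll.exe` lands under `C:\Windows\SysWOW64`, and the loader's own drops are four-letter mixed-case names in `Temp`. The Python below is an added example, not part of the sandbox report or its tooling. It assumes the block layout seen above (a path line, a blank line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines); the flag names and the heuristics behind them are my own, and the sample input is a handful of entries copied from the listing so the block runs offline.

```python
"""Added example, not part of the sandbox report: parse this report's
dropped-file listing and flag disguised executables. Layout assumption
(from the entries above): path line, blank, then MD5/SHA1/SHA256/SHA512."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: four entries and one memory-dump line copied from the
# listing above, so the block runs offline.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\YMgi.exe

MD5 6e09811f36c7e32c7745c9dc6a2211ac
SHA1 78b8e1249ede19367aa29f5c7388b0bd3f352ef8
SHA256 8e15b4b09afca2904ed11c2ccb764a08f62fc8c4331c57e737fcfcd0d3b7b6de
SHA512 8e5127394928264dbaab268cf746433f380ef7d91c75cda135c32ffc0cdfee271c5b0bccc75ed900721cd3baa2493aaa604aabbe989d662d88ab28c3606b1ea1

C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\LogoImages\\OneDriveMedTile.scale-100.png.exe

MD5 1cfd897687bafde27bf6ecbab8aaffe0
SHA1 bc9ef43c42870aeaf39438cd9c6bd632990b2d84
SHA256 69cd0bf8082b2accc09f88a794cb8051bbfb878caf95a57119c0d686848cbf80
SHA512 d18b75707d3aec74676dccedea169938408a7c05fd21c24e6dc8ab9a1005d999e882f9ffa4544ef7cb5d9b7b3ab90a958455c91c37441642529d7b20bd63d9bb

C:\\Windows\\SysWOW64\\shell32.dll.exe

MD5 ac6da065f0df84bb90ebb976dbe85bea
SHA1 44815e710e705717404528919ed9d7b225111982
SHA256 0c89adf0807b3a45fc422a804ea31e960c99eb99abd4782e2bfb069e5489ea13
SHA512 a1352cf4eaf2969aa0f2faa762eb36d5eec9d36e26d6225f0418072da613b47bc0b7b6d64ab0ac29d69dea45471fcdcf64b761580d41cd5d7df852167a7f7289

C:\\Users\\Admin\\Documents\\CompareLimit.xls.exe

MD5 e54e6512e55f054951b383a83c4aa12f
SHA1 687053b8744f62f75d0b6f80d555b61d7b51a108
SHA256 ffa1eff4cdc70e5819773b6aba6d464d19e49e8b06c2f29c060899d151adfbbe
SHA512 8833f606f806c202cb7da600938caa072a5474bb15577bcbbe7e1a0b0f4a02723fe2dcb9c0d2461b52b4018123158ec085863acaa1090efbe2ba26627c2c18a5

memory/1368-1563-0x0000000000400000-0x000000000041D000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A data extension followed by .exe is a wrapped or replaced file (the
# report's "Renames multiple (82) files with added filename extension").
DATA_EXTS = {"png", "ico", "jpg", "bmp", "doc", "docx", "xls", "xlsx", "pdf", "txt", "dll"}
DOUBLE_EXT_RE = re.compile(r"\.([a-z0-9]{2,5})\.exe$")
TEMP_NAME_RE = re.compile(r"^[a-z]{4}\.exe$")  # loader drops: YMgi.exe, MkAi.exe, ...


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_listing(text):
    """Turn the path/hash block format into Dropped records (flag names are mine)."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = HASH_RE.match(line)
        if m is None:                      # any non-hash line starts an entry
            cur = Dropped(path=line)
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError("hash line before any path: " + line)
        algo, digest = m.group(1), m.group(2).lower()
        cur.hashes[algo] = digest
        if len(digest) != HASH_LEN[algo]:  # truncated or padded hash
            cur.flags.append("bad-hash-length")
    return entries


def classify(entry):
    """Attach heuristic flags to one entry and return its flag list."""
    low = entry.path.lower()
    name = low.rsplit("\\", 1)[-1]
    m = DOUBLE_EXT_RE.search(name)
    if m and m.group(1) in DATA_EXTS:
        entry.flags.append("double-extension")
    if low.startswith("c:\\windows\\"):     # "Drops file in Windows directory"
        entry.flags.append("dropped-in-windows-dir")
    if "\\appdata\\local\\temp\\" in low and TEMP_NAME_RE.match(name):
        entry.flags.append("four-letter-temp-exe")
    return entry.flags


def triage(text):
    """Parse, classify, and collect SHA256 values to hunt for."""
    entries = parse_listing(text)
    counts = Counter(f for e in entries for f in classify(e))
    sha256 = sorted(e.hashes["SHA256"] for e in entries if "SHA256" in e.hashes)
    return {"entries": entries, "counts": dict(counts), "sha256_iocs": sha256}


if __name__ == "__main__":
    print(triage(SAMPLE)["counts"])
```

Run against the whole Files section rather than the sample, the `sha256_iocs` list is what goes into a blocklist or EDR hunt, and the `double-extension` count is the quick check that the infector behaviour the signatures describe is actually reflected in the drops. Because the malware also hides known extensions in Explorer ("Modifies visibility of file extensions in Explorer"), a victim sees `CompareLimit.xls` where the hunt sees `CompareLimit.xls.exe`; match on the full name, not the displayed one.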