Malware Analysis Report

2024-12-07 10:10

Sample ID 241112-1q99qa1mbt
Target 4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7
SHA256 4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7

Threat Level: Known bad

The file 4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (81) files with added filename extension

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 21:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 21:52
Reported: 2024-11-12 21:55
Platform: win7-20241023-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A
N/A N/A C:\ProgramData\KkcMowYs\xEwMMYMw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A 4
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 1
N/A N/A C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A 28

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OWAIMIYU.exe = "C:\\Users\\Admin\\csAQYQwo\\OWAIMIYU.exe" C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xEwMMYMw.exe = "C:\\ProgramData\\KkcMowYs\\xEwMMYMw.exe" C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xEwMMYMw.exe = "C:\\ProgramData\\KkcMowYs\\xEwMMYMw.exe" C:\ProgramData\KkcMowYs\xEwMMYMw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OWAIMIYU.exe = "C:\\Users\\Admin\\csAQYQwo\\OWAIMIYU.exe" C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\KkcMowYs\xEwMMYMw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\csAQYQwo\OWAIMIYU.exe N/A 64

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1980 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Users\Admin\csAQYQwo\OWAIMIYU.exe 4
PID 1980 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\ProgramData\KkcMowYs\xEwMMYMw.exe 4
PID 1980 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1980 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe 4
PID 1980 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe 4
PID 1980 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe 4
PID 2496 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe 7

Processes

C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe

"C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe"

C:\Users\Admin\csAQYQwo\OWAIMIYU.exe

"C:\Users\Admin\csAQYQwo\OWAIMIYU.exe"

C:\ProgramData\KkcMowYs\xEwMMYMw.exe

"C:\ProgramData\KkcMowYs\xEwMMYMw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
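The three reg.exe command lines above, together with the two Run-key writes in the Signatures tables, are the cheapest host-side detections this report offers. Two points are worth stating plainly: HideFileExt=1 combined with the *.png.exe and *.bmp.exe files listed further down means Explorer shows the victim the original names, and EnableLUA=0 is written under HKLM, which already requires an elevated token and only takes effect after a reboot, so it is UAC disablement rather than a bypass of the prompt. The Python below is an added example, not part of the sandbox report: it normalises both reg.exe command lines (the shape of Sysmon Event ID 1) and kernel-style registry paths (the shape of Sysmon Event ID 13 and of this report's Indicator column) into one record and applies the same rules to both, so a write made through reg.exe and the same write made directly via the registry API are caught by one rule. The Sysmon event-id mapping, the rule ids, and the benign control line are assumptions.

```python
"""Detect the registry tampering seen in this detonation from two telemetry shapes:
reg.exe command lines (Sysmon Event ID 1) and registry-set events with kernel-style
paths (Sysmon Event ID 13, or this report's Indicator column). Added example, not
part of the sandbox report; the sample events at the bottom are constructed."""
import re
import shlex
from dataclasses import dataclass

HIVES = {"HKCU": "HKCU", "HKEY_CURRENT_USER": "HKCU",
         "HKLM": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM"}
EXPLORER = r"software\microsoft\windows\currentversion\explorer\advanced"
POLICIES = r"software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
# (rule id, hive, key, value name, data); keys and names lower-case, data as decimal text.
RULES = [
    ("HIDE_FILE_EXT", "HKCU", EXPLORER, "hidefileext", "1"),  # masks the appended .exe
    ("HIDE_HIDDEN_FILES", "HKCU", EXPLORER, "hidden", "2"),
    ("UAC_DISABLED", "HKLM", POLICIES, "enablelua", "0"),     # effective after reboot
]


@dataclass
class RegWrite:
    hive: str   # HKCU or HKLM
    key: str    # lower-case path below the hive, Wow6432Node redirection removed
    value: str  # lower-case value name
    data: str   # normalised data


def _norm_key(key: str) -> str:
    return re.sub(r"^software\\wow6432node\\", r"software\\", key.lower())


def _norm_data(data: str) -> str:
    """'DWORD (0x00000001)', '0x1' and '1' all become '1'; strings keep their text."""
    data = data.strip().strip('"')
    m = re.fullmatch(r"(?:dword \()?0x([0-9a-f]+)\)?", data, re.I)
    return str(int(m.group(1), 16)) if m else data


def from_cmdline(cmdline: str):
    """Parse 'reg add <key> [/v name] [/t type] [/d data] [/f]' in any argument order."""
    try:
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if (len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe")
            or toks[1].lower() != "add"):
        return None
    hive, _, key = toks[2].partition("\\")
    if hive.upper() not in HIVES:
        return None
    opts, i = {}, 3
    while i < len(toks):
        if toks[i].lower() in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[toks[i].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, /reg:32 and the like carry no operand we need
    return RegWrite(HIVES[hive.upper()], _norm_key(key),
                    opts.get("/v", "").lower(), _norm_data(opts.get("/d", "")))


def from_native_path(target: str, data: str):
    r"""Parse '\REGISTRY\MACHINE\...' or '\REGISTRY\USER\<SID>\...' plus the data written."""
    m = re.match(r"\\registry\\(machine|user\\s-1-5-[\w-]+?)\\(.+)", target, re.I)
    if not m:
        return None
    hive = "HKLM" if m.group(1).lower() == "machine" else "HKCU"
    key, _, value = m.group(2).rpartition("\\")
    return RegWrite(hive, _norm_key(key), value.lower(), _norm_data(data))


def evaluate(w) -> list:
    """Rule ids that fire for one registry write (empty list when nothing matched)."""
    if w is None:
        return []
    hits = [rid for rid, hive, key, val, data in RULES
            if (w.hive, w.key, w.value, w.data) == (hive, key, val, data)]
    if w.key == RUN_KEY:
        hits.append("RUN_KEY_PERSISTENCE")
    return hits


def triage(events) -> dict:
    """Map each rule id to the raw events that fired it; an event is
    (sysmon_event_id, command_line_or_target_object, data)."""
    out = {}
    for event_id, target, data in events:
        w = from_cmdline(target) if event_id == 1 else from_native_path(target, data)
        for rid in evaluate(w):
            out.setdefault(rid, []).append(target)
    return out


# Constructed telemetry: the three reg.exe command lines from the Processes section,
# the two Run-key writes from the Indicator column, and one benign control.
SAMPLE_EVENTS = [
    (1, r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1", ""),
    (1, r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2", ""),
    (1, r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f", ""),
    (13, r"\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OWAIMIYU.exe",
     r"C:\Users\Admin\csAQYQwo\OWAIMIYU.exe"),
    (13, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xEwMMYMw.exe",
     r"C:\ProgramData\KkcMowYs\xEwMMYMw.exe"),
    (1, r"reg add HKCU\Software\Contoso\Viewer /v Theme /t REG_SZ /d dark /f", ""),  # benign
]
```

Running `triage(SAMPLE_EVENTS)` yields all four rule ids, with RUN_KEY_PERSISTENCE firing twice (once for the HKCU Run entry, once for the Wow6432Node HKLM entry). The Wow6432Node stripping matters here: the sample is a 32-bit process (every path runs through SysWOW64), so its HKLM writes land under the redirected key and a rule written against the unredirected path would miss them. Command-line telemetry alone would also have missed the Run keys entirely, because the sample set them through the API rather than through reg.exe; that is why both shapes feed the same rule set.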

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
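The table above lists every destination twice and gives no name for the three hosts contacted on TCP/9999, while the google.com resolution and the port-80 connection have the shape of a connectivity check. The Python below is an added example, not part of the report: it parses the table exactly as printed, keeps repeated rows as a count rather than discarding them, separates direct-to-IP connections on non-standard ports from name-resolved traffic, emits Suricata rules for the former and matches a few constructed connection records against them. The sid range, the well-known-port set and the connection records are assumptions. The report shows that connections were made, not what was sent, so the three hosts stay C2 candidates until payload or a second sample confirms them.

```python
"""Pull the C2 candidates out of this report's Network table, express them as
Suricata rules and check connection records against them. Added example, not part
of the report; the sid range, the well-known-port set and the connection records
below are assumptions."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# The Network table exactly as printed above; rows the sandbox could not tie
# to a name simply lack the Domain column.
NETWORK_TABLE = """
Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
"""
WELL_KNOWN_PORTS = {53, 80, 443}  # assumption: traffic on these is a connectivity check


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # '' when no name was observed for the destination
    proto: str


def parse_table(text: str) -> Counter:
    """Count identical rows so repeated connections survive as a count, not as noise."""
    flows = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # blank or malformed line
        ip, sep, port = dest.rpartition(":")
        if not sep:
            continue  # header row has no host:port
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        flows[Flow(country, ip, int(port), domain, proto)] += 1
    return flows


def c2_candidates(flows: Counter) -> list:
    """Destinations reached by raw IP on a non-standard port, lowest address first."""
    return sorted((f for f in flows if not f.domain and f.port not in WELL_KNOWN_PORTS),
                  key=lambda f: (f.port, ipaddress.ip_address(f.ip)))


def suricata_rules(flows: Counter, first_sid: int = 1000001) -> list:
    """One alert per candidate; 1000001+ is assumed to be a free local sid range."""
    return [
        f'alert {f.proto} $HOME_NET any -> {f.ip} {f.port} '
        f'(msg:"4a71801e...aeec7 C2 candidate {f.ip}:{f.port}"; flow:to_server; '
        f'classtype:trojan-activity; sid:{first_sid + n}; rev:1;)'
        for n, f in enumerate(c2_candidates(flows))
    ]


def match_conns(conns, flows: Counter) -> list:
    """Return the (src, dst, dst_port, proto) records that hit a candidate exactly."""
    ioc = {(f.ip, f.port, f.proto) for f in c2_candidates(flows)}
    return [c for c in conns if (c[1], c[2], c[3]) in ioc]


# Constructed connection records in Zeek conn.log order: src, dst, dst_port, proto.
SAMPLE_CONNS = [
    ("10.0.0.7", "200.87.164.69", 9999, "tcp"),
    ("10.0.0.7", "142.250.200.14", 80, "tcp"),    # connectivity check, must not match
    ("10.0.0.9", "190.186.45.170", 9999, "tcp"),
    ("10.0.0.9", "190.186.45.170", 443, "tcp"),   # same host, other port: not on the list
]
```

`match_conns` keys on the (ip, port, proto) triple on purpose: blocking the three addresses outright would be a defensible response, but for detection the port-specific match keeps the rule tied to what the sandbox actually saw and avoids firing on unrelated traffic to shared hosting.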

Files

memory/1980-0-0x0000000000400000-0x00000000004A3000-memory.dmp

\Users\Admin\csAQYQwo\OWAIMIYU.exe

MD5 9932611820bc983814bb9130b057834e
SHA1 073c9848b8508c405a241c3bf675bd04b84e5804
SHA256 ead054d112142a383e661cecef0ac3fb87a48d8d970b1804bf14a4960a95a6f0
SHA512 7e4d79ca01001c4c3217f6dd008221f91d84b31dfc50df5a0daf304f2084623fb490e3d6eca01065ef0ff3b13970535beb32ec417d53098ae1639bd96b957478

memory/1980-12-0x00000000004D0000-0x0000000000503000-memory.dmp

memory/1028-14-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\KkcMowYs\xEwMMYMw.exe

MD5 451e38b007c7f0ba1b9e76a93e3fbf61
SHA1 4ccc69791f1318ce994019d2ebf92ccb2dc30859
SHA256 203db2a633f8894ebbf84d29ebac85865859a8d8bf978a202a8e12e190dbe6d5
SHA512 0eb7c7e192f13a1092257892f7cf8346267fe02be3ea68a6e24299229c53508f5d06b26d94f9634abbe158a29224033700bb3f8ae2f03e000b0850bc8bc7dace

C:\Users\Admin\AppData\Local\Temp\ouAgYUkw.bat

MD5 085b04c1972aa1260b9cdccb808cea69
SHA1 122cc92f6d58b111dcbafed5b3acdb95f754f7ed
SHA256 fa4040f54319a8154a7885ed3f497590ef440ec2171dd056a9c00554a2f44108
SHA512 a601b0568fdd987b358f2ca3f1457080194737e6528a56c241830ffcd2f3d29b954b49f8906f681a844d48767424d07ef73a53de9c38bb5ae98b9334d1d300fc

memory/2628-31-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1980-30-0x00000000004D0000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

memory/1980-33-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/1980-11-0x00000000004D0000-0x0000000000503000-memory.dmp

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 4e43c36b8ba579861a6d1b6214386f29
SHA1 d9274949f40a4ba083413c66a69f3b3ff3a96dc6
SHA256 b55e2ef4eb5912b060d56b10b573cc9ed9d47308c6d87f8b70b15b0e8a26f484
SHA512 b0964cb71fb2eedfee438d79f7132ac480e178164314dae01f835a0c525364e2b3d4dc54b4a6a028428e4febb3b6af8973e58d23e2e703fca406a0713394bf8d

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 c2e1ea2eb2f8600ca4f6235dede1f64f
SHA1 6dfcdc1f711ceee7e036b28643d913012b017e11
SHA256 e9435924873220a250257b2f999f8411430da42af8d7ce39f5c653d176066443
SHA512 763a8d9a9d057db63e2426a15cdb8e5fb048f0a4c9196eac412ee5dc22e00b3e9ffc827d8b0f79558cecadb7eabe251bd73ed8c127e8ed0b14aa68c0ee741b98

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 a0b691ececeb15ae38bb43e2f5c58bb1
SHA1 d2301e4f8ecdf24942bc33d4e2221371c94d0013
SHA256 4ac2559be9b49b96e8b76764bf084de9bb4bd25cec040edd72acf38dfa524329
SHA512 4437601029b5a7306d329e52ba92a7085e78c5629265748c7d4fb811c3a9caacf22a3f75b76a63ae3a7b218b4dc7951303ca5cf2998dc4367448619907748395

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\zogA.exe

MD5 1bb6b5e77085bd823bdf5bfef2ac8023
SHA1 b692a3d3cfcb58ff2a7c0f8a1dddc1ad460b422f
SHA256 9c3c38eefab9017a6f659fbfeaa5f02798a4754b1fe2fc7d30cdc4e80935a447
SHA512 aafbdea92caeb5a282b5a18cea7fbda104bdb7d702ae6049ae53f005ff83ce5c50ade4ccef57dfffcb26d41ff87942a2284de82db408481a147a1966920b75da

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 59143bd5b9597601b0524dcf7d4e0f71
SHA1 b4f6d06b1845b287c65b56b481bf3c81f06e140d
SHA256 806fb9bf201ce9b21d7e832737db2983d7bd9ea304c136c1c28d4e38e81b2524
SHA512 e0804bb1332b2742875582a11416505981311cc6f40f5af24592439682c46d023075c00684fb6cc7066aacaca64bce45f898439fbd9906bf419ac816ac3e0a7a

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 df78adce080b118ecbe84a81e716ad6d
SHA1 dc47965c097987daf6a7a96ef201e216c75e4597
SHA256 c3a38f555492af36a99292dc0876c1ea4d86bfa8d85691d3dd35d928c832f51c
SHA512 7f0ec9ca388c2f713159f9aff35d7a88b8e73763a340a9b30f77e9b0916f2f0fd22f38d97fedd08e89b15782145fcc62fcf9336dfa79104f3c99b855ffd154cc

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 2bdb89d2c82fc0d9dd9d762f110a6aab
SHA1 73b15a5f464c965826504f85e158e6135f541383
SHA256 99d82802afe8ef33d098de2a820811437a5e6474a6471f668e85d68c317910a3
SHA512 5bb52a434886c9a397318222283e9efbba330e4713766663daf08ebf33115a3070cf7f93bf56cdbdae717197dcb5bc07e3eeb1931201f3820bc4fcb053d3f5b6

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 dfba0917d72aa5ca874a73297d20eb61
SHA1 938386c6f5ba8746a2929453f3596a4853355e6f
SHA256 b684767de275bca43a41431e0585f1c70aeb14e0a97a926be2ac39c217ec5da7
SHA512 cd07395bf02980a95f365925945395849f3cbf0fad2ba9045d809fa2997cf76f64866c3464ac57660e3a5f9ac95bbe979d79c708870f0d413a752f96e78c11d1

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 c657a2d114424b155b0e84f51e9cdbce
SHA1 83a355717b752b38d2b521f2c5bd4b6e387d5e24
SHA256 b7a128250dbdaad2f981c407c94f0350d5e1e2d121c504b57e325848cda976c0
SHA512 f8f00e5635e76641e2bf34d3592cb30d856ffc375828e6edc9c537933af24b7642babedfc7a8744243d9a7eee42b810bec92fb39c6444f08e65b65739089bacb

C:\Users\Admin\AppData\Local\Temp\joUU.exe

MD5 0c72b6ffa1c61cc82e1fb01cc6681074
SHA1 bd2c31febacde4bc46642a6fc8f5f1e775751e0c
SHA256 f10038923cdd4eb062c533ccf236371d0a69b7b3b242553d8aedde3882d5d499
SHA512 3a0db9076cd794400be8892f76250c23fbffccb2f3191947e58417a56791183f90bd07adb3b7b24b3bc1aae8f8e4bc9969c7813625eaa69f1bb5615bfe86e718

C:\Users\Admin\AppData\Local\Temp\TosE.exe

MD5 b58aec10853bb87f66d8bc43a3d4a6a2
SHA1 03213dc20cfa562fa9beb69bc88dabf606478873
SHA256 b1d1f091e8d8cc11e3f10b3f97873f4c5a52b215b6db1553617b968e625db0b5
SHA512 44b9bee333dbb528718a427d6037993f38fdb1ff8aa510b0826fedcc2335c682d8e6323640ad820447e06dbccdc0db8822ad38507935f24234201232dd3c9e65

C:\Users\Admin\AppData\Local\Temp\zAcg.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\iQAy.exe

MD5 015f229226c1dc2a41d0b1029a11866c
SHA1 1e90a4bd38c63cd158be8b2357f6c6fd1cc4bc66
SHA256 9f01418d0e37461093eb75b498e5c1d3edcdb2ab4cc1fffc5ff29ba2e8dff0b4
SHA512 1bcef5856cbbf5d3d0a091e4f11f5b93e0d52fae159f6d37920578074ad58bbece81f44329c676d6d7eba0314e38e6140d59be21dd8fc0b1b2fbf284072dbd9f

C:\Users\Admin\AppData\Local\Temp\sIcg.exe

MD5 b2c96916db875fdff351bd8c4f0a578e
SHA1 cd5d54a8f4bedac8c5209c7cf966eb6d9444a28e
SHA256 9118cfef6cb0c3b49a75f0449c2317fcde0f77135103554c9aea89d3ee733691
SHA512 df34664fa38226412690e7b0d07102bb891e0e43a21cd3dbffd3735beab6e55d2210480c9a9c07398969e1e3f3bc6c926a51912d8b9a5f8b158af78aee1f3ea8

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 715634771af28d2ef4ead8d6bedb91b8
SHA1 aa5eba8617dc26f1b7796fd120473ef4c179c3a8
SHA256 78b27fafba00b2cfd52b645b46826867aea64e2e8e0b6564c177cd94332d39a2
SHA512 f909f42431c465f0841e9b1c4abf78ce98d14c4ec43c708157eaf217f1839d81222cfd821ba5f1951cb778bad5b2781cc1b6abaac553e19cee414821863e7887

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 f0ea30e1b6e2e481d4a979129e0be3ca
SHA1 17abdaa8a12a8ef318eef691a9235ef242e6eee8
SHA256 1fec189e0a26695d0a06a5074f70448355049a6564328e1a5b979ed139e71568
SHA512 817a73d6e321fea6c612ce192b5e587f4e8dcef8696b1f48b449e54a806dfa1fffe4ff4a80b9ef0e5002d9ae38e1b93a14efd246bf25d334b2447ef3a9c99d06

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 00096c04ab5a381a533f5a17bd329ec5
SHA1 07de3f9fbad3269be14322588a9c205c8d217f4b
SHA256 c8c402f3d6419a871de2ca228c7ff302b8a918558785d14920b9c4297ba449cb
SHA512 889d4dddc8601d76a48008aa15f6fac7be9634a6ce53b85407bdbd086a9a3bfc6c9950c04de996caee30a248c8a0c4c390948edfc21cd53def323d5afef50665

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 4a65020e6d9d87e08858865c335c6d5a
SHA1 b069e7ea7931cd06e7883084f7dd35760dd09d72
SHA256 1d6a058b7a33a77dde72439c2e7dfababdd6b0762f7a7d83ac925a0808590155
SHA512 08ba7664d507a33aa10fc3ae52c3e6f65fd0f2db60fb1f50cf45d6f40e1f209b71b5fbb405c3baceb0586582c0964624f1d441d668d6da0928bb2c82a7601dab

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 56a76e4c64c0c8c0b5825d2bdfc1d8e9
SHA1 0a6e6b82b9c8bd3ef5cad66f1c88197e6cd6710a
SHA256 c9434ec718b226de75d005d6e4b823f8295966bf4afe49898e44445d78325db4
SHA512 e3413aef25a6fb9c0c5e31430b8f7119f2a862e7396aaa0a2be1c191807acb5e3d08b0ab9f650b314e44af326227c3a572cefc2fe3c7186ac261e1f3faa21699

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 c4bbd1a0f271cb3c8751820475fa81e3
SHA1 498a9d083baba75aa4e8b3cef8c976c21f174870
SHA256 829992bff1969d100c21ff51e1bd40206f56251a01e7ed634fdd51d20a41ba92
SHA512 0dddf871b4035527a4b132e95c5b43bc78c6a67314d648f9fbde799c887e80fb489ae022bc98266447aba0aeed4d98f5c87ec866ac9af075553c3881424950c5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 668d5801880982bab6ad1dfc840a7ae0
SHA1 a492a836b277f9e9b645e49e817704719127cc44
SHA256 7301cb737d17825e86cb1151cdba1ce27f61871c054c9cb428e36cc4e18888f9
SHA512 2819b2eb402a2025b5af2f00bc93efd30e82af1d19847fff50803fcebac4872c06cfa6a01341c46dca9ddc61f71999c146d0f0d5afa5fa9b2878880935a8a815

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 933b28d2403a89b92dd7c8ac6b3e79c9
SHA1 5808b11c85848968bdedf2966d3a8a4113383555
SHA256 e2992d33f1cbf8c43c077d48a67aff40d88d7fcc0d805d3cd9cd51263916fe2e
SHA512 23187d82e3f513a8edf4ea0f1d58fa546dad34a63090110a5a2fc285766c20b450062feabc623b3508d6a21a343284b7096bfdbb9eca3af54baa03e7e6211241

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 1b5aa03e9da59ffe06980e9d309f5127
SHA1 4b9d416a2dff2ea491873ff2ca0fd051112dfadb
SHA256 b86d89083efda43361be9eaa1da8ae808a47f068e294d3ae16d92a8d637ddf40
SHA512 e59ad11f5cf3b42a4b5e84c20586a8355fe29734fe7aaa78ca65076d800ccf8b8503a98a98cebbd9fd428651aefc969d13eda6cd2a95338315e3c08254e2c97f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 aadebdffea73a18b1cf347c18a8742da
SHA1 494e8cb0cb728a1debb132375c81c18ef22325b6
SHA256 0d5f3e4e2aea0a15bee6a61100a90387479aba6e09b6e54d7c63decd78cc2d67
SHA512 c92e512c445c270c96265e5fed64497f13fccce275364da6ac242c6e5a41c4fb62e6a5b4386991fa8d476068bf6d5836b623a1f424c1107ddedca0b3beb03bb6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 e0f381f76459b377cf115269785ecc18
SHA1 ff54419a7f080e8042eb27d6b0a10662c45aedb5
SHA256 e93d78128f1d22c6e895f40a0d2aa43abb5f3860a260c32314d451432a76a9b2
SHA512 809d2e1bb3938f263a477772c474b313a5664faac8cc366c6a145d83f3aa27d6fd1b4e2da9aa74b6ad2f01ff8344715036136ae93d51fa58b4ed1cdee0118d81

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 f66fec8b96ae2e8478be67864f7c65b9
SHA1 04709d1f5e4634b6991a737072b6a35a87aeda66
SHA256 a859e241bb9aecec0841734aa0bc96749d4472695b1b453ec2fd6d01c8069af2
SHA512 8c770896572550b8942a1206358162a69281cb0181570b8ba1950a845343abcbb13d1e46f401d20d3a86b0c692e135cf6aed0639ef3947616cb97715399fd7ca

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 8e1c7f78edc75a89ed9ed957d3ffa958
SHA1 41ec53ce36b5da49d348954eac2d8353fcd49356
SHA256 cde7bc2b0972cf5f85fafdbe075eafb5e625d35d093b28374880dadce5eaca2c
SHA512 7548195a66e1475abaaf2c4c16a804a955603d7a3eb340432a59098ec5d2d10b10d60e6668d75516ac0013622ed15da7005adddd609c13faa951668dbc0a152a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 728effcb35d6a09b3510145c5af3b8b5
SHA1 5bbd70c2d3ac96937ed66ba07c1b4c508b5d197e
SHA256 b39bbbad3265a514dba239ca29e8e46b3017bf9aa072d9b76ab5f0ec8f530f09
SHA512 80e70a981491299e51303ab055a1f1f399ce09fb05b379aee4f1031cea95bf6e38ce89de338b4e98687011ab8c8fce63ad100e6dfd764dae796de4e44a7f30b5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 976b3ede70441ad4c9b9d4367dc3ea5b
SHA1 c855a9c1a842abea0e8610bd07f38d2cd355cf1c
SHA256 e3c3908ca4bf05006dcb9f08d8915d1367323c8404fc278a70e9643df35b3190
SHA512 622b3d5d9bf0411998b69ab998e5c8b120a524340bcb180fb7f9bd7d3fc89ec954d75e4c4d1c3cfa74754a647b0df2bef7a307d82e450baaf5b908e20f3f64cf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 dd3f1889bda75107dcf6f8cf3971a2d2
SHA1 c7cfd21db96e532064b3aa0356b4480beb49000c
SHA256 dbc73e7bc1b179f4e85c825e0cf36586e53c47cffac9fe2c53429ce8edd0dac1
SHA512 eefa42f2d63c429b368fd9a2cd248631ca910ea35ca1b87e0b65fbb10188adc72f40f0a74d3d7856464d0d94d522386b936f19d567b3c174b3aab2a237b8020a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 3d468553db437eeb96b9b16ae65713fe
SHA1 39230f67f85507714b2b9641a138f2c202f15517
SHA256 d9c8bc782ac5e1ea8d70456fd14fd6ff848ffe51dee40c9bd0aa9111352d57e5
SHA512 836fddc5dbf0b39ae20487bc588619311f449569e0e6bcdb0c8222cf24939a1bbdfda0f4b42ea8f28a36223bc228e1db80d65c07c1acd33ecfd7da5713994d68

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 cdd6ecd8c991d44b3a48691b94c79719
SHA1 523f8badb1fe6045386e2578a42fd3af09e6bf47
SHA256 2d21bb8e0b48442379d27125728288021831eb9b2ae3c7e2c792443c67246f01
SHA512 128d1693440c6510d64d2cffea1811c687df6827f96db41df374b53f9818b5801f8e426da3ff1546c9a37ab7299e2a5ebcf5c74ecc5b3cdabd809eacb7d3899d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 bfacd48801ea834bd1b21467b91d0572
SHA1 21021e07b18ac18523d172ec7f9ebfbea6b2af89
SHA256 feb52ad2edd9895e707f61adeee07a76e6f896ef2113c1ed3634171550dc1bb9
SHA512 7e5a40c28f7bf78756eb714b9003cce07e21a07897c58eb7c4a872a08367f9286cf3fe03528224ce71e29d1f282a764c369e23978fe396dc12a3c9c4490be662

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 56180d59148ee0cb4cce5f12d58b40d2
SHA1 8d71a28107c263fb47d3ab6e2011528c6e0f7a02
SHA256 2ff3948deff2f13b44f32a2846369d0a2a16088799b7efdb0457b67d17cfab63
SHA512 030482ad7bdcd04e35478fdb3a55a0aadc28402c21bc81dfec3eb28c179a956e1fc64dd62207fec233a692cbdcf6c36ecfe156e0b109ab9e0e478ca250ba762d

C:\Users\Admin\AppData\Local\Temp\JMwS.exe

MD5 bbfa9dee34f4b842f9051f461a146e15
SHA1 3635c735497059dc8ba0570b2a765227ca9de186
SHA256 a1377a474242f22fd0bd7f5fe4ecc21b0efcd67c7c9d723b7166e7715d9c8233
SHA512 1c9809ad732874f5759ff6b989a90da1840f03fd20160b3d974dfd5c9faeb81a325eb4c0d1945d757b8e9290b14cb60c36ec01be0bc5e02243441f09507a155d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 866de2ca5944a18b424a904a55b2b446
SHA1 03241076eb921b62af08be4429a2f0733d03d1d9
SHA256 e1c51309011e356dc536b799273fed866570adb79f5b5e5b24d4003b66ea706d
SHA512 e323b95cfd1797db55fb2f97f0de44c5c3abebcab505ae55113d089dbea78dfa80b15ca36f1e23a45f05cc665e4854778a124b9645f6d3c99278624f98163341

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 8fe51bb8202e10fe6d4db3477e62b422
SHA1 ad42a06c30add71a7c5be5bfc88115a6f7b3d0e1
SHA256 c3a776377883ee1b0f78a7f41560b09ec48b9a26b35f744088cd3f8003be3300
SHA512 f35282e9329be59c3d77bb717ba0f15b48e9079d629be2f3c81679b2cb223fc0f5ff50dfb4811f5209cc45b71327ce20a5111941428eecc802043294c856967d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 637e257d474e8fef72a98a19a48176ab
SHA1 08a7096e6d92068bc8d73100db70932e1f397704
SHA256 500be1cd99e1d9f848a9a4ad503438ef4a143081a3f4a39bb4edc8f42ecb3988
SHA512 8c29dc98f10262a6286afdc126ecf0567251f532c51fe2cd30e3084917180def141255db1bd386548e2d4c16459ac34ef249d9384aede5db44a3283346d4cd76

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 78103dca2abdc2c0af07cfd4513e6507
SHA1 112828719d05149fe7725a9d34181a00be5f073b
SHA256 ae9973af750010a1e59d98b2cc643ca6577c590c7ac6c8135df68a7d550611db
SHA512 8eb52cd2e61dd37e58706b772439d368fad848c522076050231b8aa5e368c7025e43c535e3e41676a78f2f7970b216584987be84d6d2fd6c72d1fead2b43117a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 9943aacd3f1eb540b420151c4cab599d
SHA1 893fdeb0147bcdb5c462ce22e7fabdabdca1d32f
SHA256 90b1087c978dd9cdb5610a2d5b6fa13bbf1389bbbeb53b3cd46f63ff91322864
SHA512 991140a3e75377f5d1be9f114c5eea6362e373e92579e8d45a44c2be646217cf1f848bedd7033749e2b2c612e7bf61463cd463c343a3f73d2e0760ec388bc6c1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 95fcced525022339016eb8f33344278b
SHA1 a3deee0af384b214e9ea5223a18f206db33cf081
SHA256 8c16e5d29b697d77c1caf900dc0434d2e99cdf7ce3ad56dfae6581082412084d
SHA512 5d94be1794bd9ab027ec87512f2dba40a758c6f8123e6f32d1717322d4379947123ec5d9ccf5f813fcb2983fc7890c4d42a269ca3adcf701916a466d3c7204b0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 015ce36374a153e3b5e55ae0d58f72fe
SHA1 9f93782fc5c002e139a0f3c56d0b6cbfa9bd7a99
SHA256 fcaf63315dc1b92829038632d17f5758d464339000cb5d0cf5fcfe092878e5b4
SHA512 402eb08f3c24306e362f96cb83058eafc4162793e05c8bce387d253702281280e69ed7d8101c80e4461be25fe0e0ff93a5d5f776ecbd1d31f47ff045341e3b54

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 df734b4d750a9e693893286ca457db92
SHA1 07e295e2a283d36310f1cf14f5cb50f07d14fa9f
SHA256 c237e2b37681508d85571458ee8c22e0ca48cd1e7fc90ece7d340c731ef7c4c7
SHA512 5b5541c699e3fa49215a908f74f99e1d9d602fe26d75a39afed55006f50d1d21be013b8d1501e9e58d81ef25df450ae807a1aaec529c5fa5ee90039c201f2245

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 039bb70824d4c753a63a7711392b5be5
SHA1 7047f0e84b5ec60899f06ff7971a8d28c42beaaf
SHA256 39b70f2187ce8df028b40cc29ed25f1885307ec513eebe30b063a79f19c0417c
SHA512 60ca25c75b7b8b534eaa045aac2435e9099e4bc42ef7b149bcaa2b5b370c2aa4a8aa6e15915d0a2c6325a88e2954dd1a34da3af3a0c8497d5d5a1671b58cec4d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 b2c49ea8ad9cc77c65ae51c91b34c004
SHA1 2a9492d26048155da2aa48c184e75694570fc9c8
SHA256 e3105b57e0e42c297fcb507b90385628a0fba3de12c6c7c0ad03100ca3ee7659
SHA512 44524d05ef611f78082d3ad9b453c658c926f87ef318110a71974bb772abe90deb190fba858fa738fa2a3618751ac63392b61fd2ef4a52c9e32263055914fbe8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 36165f246dff2e3d4f35654955281b9c
SHA1 ca34a83a76e48dcc904a801db680be50e9b4406d
SHA256 6eeefd85c35d37550358318394e39dd19e0ce0d2b1a8f819a1994ee92e889070
SHA512 4fc5dcf22921760f30aeddd17116bb6003d028b15b3a22fb47972bd0910b3adfcfa03a24fd27722d00ed4d300945877d129b0dda375aac1210d372400d61a12f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 752a60c57d9c31ba037446307d5e7bfa
SHA1 60ef205678552be6a844e456c6501b0ac2d740fd
SHA256 18238081fad06777ee1a3b2b1e9019eaa4b68f04dffec034d023e0e508acbb18
SHA512 928bc65ee5b87af3123d2437799b5216614fb8e1da4720597fc82a301a5d2fbca413fa8522964dfb71e2cae713ba56208083008ad061551d472a148919408463

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 d6af0357aa549f9b570eafb7b312c6ad
SHA1 91b43818c61efeab0beae7c2db761aec4bf631b8
SHA256 78a59072a1fd19a82c178dac497e2aa419231e1c7c4810788ee2dbb0510a0c12
SHA512 222645b7bd6a23dee8c7f45fd6d85202ed9964396691d021fb34713ef809cc9de5e2fb0c5a7ad95a4a38b79e5e72f0d85354ebfd5990152df4fb9c9f0d2b8620

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 bd26f22d379a5aa518f860bbca910c35
SHA1 f229affc5c73759eac4244132f371fe42c783ff7
SHA256 a8d9199af5a91cb35e027a726ec6d3e462bc4dc8af0cb14a7f18b783042b7d22
SHA512 9aab8cb1723325a70b16f717578d792a1ca669f62b46eeb0485bc50bd4d499c71db409dec0947d90590bdf97399bb5413fdb42dcfdd58e1f84ae595f822c11d3

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\Users\Admin\AppData\Local\Temp\vsMS.exe

MD5 894db6fcfb0fbb506f66ca45d1d6dfba
SHA1 6405bb9f166fab47e707c80190bd701b28628414
SHA256 a6939096c37cfe8fa5b6bd5c57b34a9290cfeb3321b69ca474f990fbf8069a06
SHA512 4402db6f8eeff985f7254027de65f104c2ab9109f567df3fe2d1bb9928278a602b3d6f339145989ea0c418b0a6685d3cd358516247b7ebd6cb2ef11cb71ebab5

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\qAgA.exe

MD5 49af831c08e432def0364d218071af35
SHA1 8f36e839c2207f425414df6730aa197106fcdfed
SHA256 852125262ce95daf9a8266a2616e5d1c663bc1834c95397f2c5209ba53030d1f
SHA512 20a693e0853968aeee100570c578a202e1190bd49547e473aa186c59aacd578f4a76ca93fa3a0396e217d853972f9baa3ced2ee7aa30ab60cccf4a979e94dad8

C:\Users\Admin\AppData\Local\Temp\vgIq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\GwcO.exe

MD5 6a4d2f90d656fa0560a996844677180c
SHA1 d0b25029c599f72fe966bcd44c9674212c5ef883
SHA256 9c3b8fb02d77245170b0d491c59bcac82100e7e7ffd1c7efc9d1656002bc1ee5
SHA512 27aec5f728499f64a23ed37037ef6a822b7fee36114e1f94a700fa15d3381fa24b1b54731f17b9d4dba582a1ab011919125b3599f5dcd5a93086511dae560558

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 670b16efaec0aef77742bc7f7468bcb1
SHA1 cc2cd3c98c72e823d46f4146d97bb3581fa3404b
SHA256 d60fe246dc1962dd71df4c8dfe75beb8c0b044e311489ac8620fe0c2ecfe3c63
SHA512 88bf9180fcd577d00b151e841424fa0287c60e9cbe215df359e2138126e737941b04a07f8c1ab7b2ea9777e3668b77d0982ceb37f4143c3c6407104edb3b14a9

C:\Users\Admin\AppData\Local\Temp\nsYI.exe

MD5 3ac97d9ca8641ab956e17cdc8d62da84
SHA1 600d9007cbb256f8559ab7d1b009669bc38efdc1
SHA256 691379e650957116c96f200de97b89cb84bbbd8fa410ed5365cb0d17ba17c4f8
SHA512 099628e4e04c500bf4f486df91d5ed6ed142dc0d9d6b163ec3a2dc1452f7d3b2088ccefce59b29f26804dfe795a84eae6c375724d7ada5715be1b6396e9091bd

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\dIom.exe

MD5 57c58a3c541a465947cda8a4416dafc0
SHA1 023d1ec9a1c4aeb2ff089b0caebb89871c947e4a
SHA256 3ef0311672824ce32e298d4b58836b06daa74ce90e7825afb9bad263ca2a5d34
SHA512 201624150034f84eb7629425e70b7e27f07b6152f187bf8c9810ea762d34a4e3743ad5b3ae6fe1014185e0768760cb00a5abd1ab659caca7a079a07f6b18d97d

C:\Users\Admin\AppData\Local\Temp\ogww.exe

MD5 8a4da71bc580a9c68110dca254c2d917
SHA1 cf49301d97971c38d0efb9d5136c78abea1105fe
SHA256 1260a4f6023f6f03fdf6a95400c0c8a9635306a8ae216fd1c309197140352c4b
SHA512 54b207eea6ab2f29abefab4bb3e5e34f5d5e5b09c189c033bad514075494e87b4bdd92b95b07d93ba646a81e1e0c39dc3dc0f4fe89f25ba911c56c87ba8ee000

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\csAQYQwo\OWAIMIYU.inf

MD5 ba145290a887d0afd347e0e0e99dd3ad
SHA1 803ec6925e1929dbbef653d20c30db0fcea49c08
SHA256 b544d602dd45b5e88fb06181592f7026b25f52a1fc4eb4408d90b6c80d216076
SHA512 af7f4ea1809bb7904867e6b1573a79f7a00bcd36f609137fa296ce023ae220d3ee1f1955c50e9f7e7d101dc440897e0b8fb2f6c73b441156e88f7c9d9143bdcd

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 f775d5b000b9570eb9164d680e441136
SHA1 4f888ba852413d31039319a49377df6218800bbb
SHA256 fc3d29579b9eed61a5b4cbb914ee0b8a534ab7cc14414ef9ba76dbfb30c01ae4
SHA512 f56916946cd793353e4c1a605781670e023baaf188be563f508a762d6ef055e453496e3c901a4ff279cc6ab64af50fff05fd39bf7b4da790b09e2f08b53fdf10

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 a14cd4d9429928d23edf8f562276ef65
SHA1 0298d95f914a1f3c94f4197754cd34e517a21068
SHA256 b48042457738b3e60029ebc08c9fbeb8ea73deaa709d386ae2ecc5b706b537fa
SHA512 f3e42056cdd03bb8132c29f61728ddb7cea4d68b38ca829492cdce582ac05887b70f1005a8e0b409d1b46929dbf65fe61538ba94300b1fde8fbb5311a712986b

C:\Users\Admin\AppData\Local\Temp\AYEU.exe

MD5 405d03d2b9f031e9c37131d38ae0e8f7
SHA1 f704ef42d15dc4d7483890455c85e061d749c546
SHA256 65a7e060b5aa55293f69f969e6ccf64872a657a549951bd5e616990f4f5b8b83
SHA512 d55d876944238870bd89319778f5079e1b6dbe24012ce493a9753c0a19b8e820ffe99644af6acee5f34424b651ba20785e428bb829dec365b8e56fc7a38ed64e

C:\Users\Admin\AppData\Local\Temp\oQIM.exe

MD5 c1f4e4ff922309670cbf21b39b7c5cc6
SHA1 ac4358670b802420e9d82e9ee93d092b53bebc76
SHA256 fdbe3d3b96428b2b9450f7aa86210ab5e6f1c999fc62f3551c29ad7143cefd17
SHA512 988a11926bd5d4e7568613174a2f049554bcaff55dfa1495f084daade2d8d4fbdb0b6549a5ca79cef22fa7270529b2521e7e4c24bdbcb09beecf843f2c8fbb70

C:\Users\Admin\AppData\Local\Temp\Lokc.exe

MD5 58217e3050a2454b767d31dd48c41b7d
SHA1 44c2849a24129f7a519999aec8b0ef9b3916061f
SHA256 117c0c2551cde88a04bac94cb020abd7d3834479be0ab2a2b5f95b351bda96e7
SHA512 086272a549579ba844ee525ca73b8379059c7020f894c15b06a724f68a49a8dcb2770e651fb65a108d1021e1a1f962c53e5e641ba8a0baa348eabbd6dd7641ae

C:\Users\Admin\AppData\Local\Temp\VUok.exe

MD5 2ca59063938bd5afe9bee03b1ad5131f
SHA1 0462b5d01e32d509569fd2b4451aefc446a1bf9a
SHA256 009352914201461ea5a1cb4d0ea1551bbb7171f6f4b217c29aa1dabb6ba0b92b
SHA512 6c9dea6b63dfcdf73049af7dd9731fb2db2eb2e5fdb9529576a60b3ca179b177a9cb78cc26f81228d8592f5969e0d7b8a5f9dea17ce409da8aafec33f71b1a36

C:\Users\Admin\AppData\Local\Temp\VwAw.exe

MD5 586a410783ef6d65bc5d701055aa00e0
SHA1 25f0feddf9ffb246484236f7f5e10249d9b41746
SHA256 31cd85c8d2a141214856ec480f051e187ae1bc41f28e641d9bfa5cf0878f8c27
SHA512 719e51ace48ee33c4bb6acdc56c9a300485450477039c2fcd0c98d9e9d20c79117b85636a32f946ff5ad40fb92a32aa81a7fcbf0b0739e553e8bb91b594c2404

C:\Users\Admin\AppData\Local\Temp\xEwg.exe

MD5 3c9625b0425b56192db218a4848f28e2
SHA1 06305bbed23ca696840be844d6b408073d6b6f5a
SHA256 1ac7ec780c1aa59ecf02842b620b46ac087fb09c4d437ff8fb592ad4c8562ba7
SHA512 f353515e80ab0bcfb492f579475b671a9f3f79647274ac7fea453cf80375e84998b63b02e703be911abce5d30eda6830b28dd46eb03064fc89b75650b4372633

C:\Users\Admin\AppData\Local\Temp\Ccsy.exe

MD5 e3e1ab1829e9452bd56921477e69b101
SHA1 2e986ad30d5797347024d7988d905135db1350f2
SHA256 b7027ccc289eb3a11c895467f24ee75488f1ba73450a1d77509037154519549f
SHA512 6f8ba1610066552277f507b96ff1a9121ad0538c304d1055206ef2d482280be8984758fb413833335ff965c0c994e2776f11c4ac22f704b49c1d66c2dfe9d7b9

C:\Users\Admin\AppData\Local\Temp\NEEs.exe

MD5 105cd1045344877a61febed2edffcb70
SHA1 f3955bd34ef89397fb5a362afa5bf6ab22ae9a88
SHA256 e008a37c5a2290c7439382426505004b84fdc1b3107a2c1b27194807c5bd5a81
SHA512 318e36a2be2da15840c470126eabdbf608de6074caba7ea6371e948e4aa4808287bf7ccf10360ff52bcb3ca5a9bda55790f5d0eb142b1e2c38b3730f0091cb9a

C:\Users\Admin\AppData\Local\Temp\LcIe.exe

MD5 fcaaf3ac461bf7513a4d5839e29fef34
SHA1 bb80750be08959f7210cda1e805856396d5276bb
SHA256 48b7262f8bbf04b73851ed17ef3e238b6fb32387c117d7b369c848801f621641
SHA512 9ae15608f27218d2cb4cbeafd3ff8bb34b9a7077e1c43ac54d2c1fe52ff3688a371f9693ef36001fb11a6ce96edffbe34732d2f1a8bf0ad860d9dead35e316ec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 1fcdcfbd8256a72e36125b012862dd89
SHA1 0c8ed6c9a6e49a3b0ded4b144051c764dc91a6ae
SHA256 593af1b8d8ba84f3ebb9251b6a9ccbe500ae4bcda8f476b345008448c9dad38b
SHA512 89d930f27ebba0be210ef88901deb82295eeb15ef406296681f81df063fc8234b9ff83923bfc0f92361bf9a975c7c0eeee8994b429de65d666f3a9473596e083

C:\Users\Admin\AppData\Local\Temp\TIIw.exe

MD5 a0d075c55031f651e024b8297b138f47
SHA1 7529a9f3d4395963ca0ae349a387337d6d9e25a2
SHA256 de9da306c99d43757fe628287a643f8e752639a6efffd507fa2e447f77c3fef7
SHA512 c2e45f99f8c3cf859cf9cfe08c26ffadde8c821a2403cf91088dcf6992bca049a074d69d6e82c43d72c6f56ec0c0eed937c8b49fa4d53dbbf88c3a02c428d2ae

C:\Users\Admin\AppData\Local\Temp\FAoy.exe

MD5 bdea4f627c6f3096932c6c867929a2e6
SHA1 c658bdc87bf2dd463a64524b3d6a923aea17b11b
SHA256 cabbf9957155767670598716e5ea4d2ee8c143fee0ed572d2eb7451c3f48719e
SHA512 e596b49c4c2f554a30979bf74d13e71c9173ffeea1caf0d3aa55efe6d4a49c26544e1a7466351afe9ed4fe66d8c4e0ad8f1b8f9e2cb333f78a0f00d9dd2f6c82

C:\Users\Admin\AppData\Local\Temp\XcAO.exe

MD5 8abafb99ac1c87cd9f9f95603f6c69db
SHA1 9220a4877f58f894fe67417d275439eec602582d
SHA256 06e64c1b5b94e2520441a2fae6fd136a24ae8d7d04404d5e878b9bafbde7df14
SHA512 823f99ba9411b6ec19f955f009c6ae59094d2be9ac4a08630f1ee28199a852eeced0c66fbd11886f6826af63558bbc4c77aba166cbb9b3925d3740af1db33afe

C:\Users\Admin\AppData\Local\Temp\XMAI.exe

MD5 b7942afece21f4689145ef279ed51e21
SHA1 03f30a5a0a87128ae354ffd5448c16bbbec6ff2b
SHA256 346fe34d92036828904e632710ef6d35362a6dfcb4e33507dab8ae1bf92ffa9e
SHA512 46ed6fa776efeb0aca23b7e35f4ec5a45b2b3864205e6deb72cc533f3a3d3a0557d7747530dc769d1daa47024eb5d84617ebb8fa808f51241f32704c1a666e84

C:\Users\Admin\AppData\Local\Temp\vEAk.exe

MD5 616ab840bd84fd18c21f87abe04e147e
SHA1 bd014a2116651ac2a6a8be6c3f9be0ae4e84ed85
SHA256 c3369e4317f2e5335ded162fd4226ba89e4a3bed20074040696ccc412d899190
SHA512 4f3abc23f852b7811ecb2be576319dfd9a020aa0333816059360491ce5e1849504c50e9d08b2f517dfc2e85d9d5f8c33b9820b2a14152f9a1b8a7b4fc19b92ca

C:\Users\Admin\AppData\Local\Temp\qUcC.exe

MD5 76fbb6997e20d6c1fdac22d069fb490b
SHA1 115a24da8b3bbdf9ad64bdf17bb5408779690d95
SHA256 97ba44ae094b9cef633d400906991cffb5c1259fe82775bc421c1bd2b9ff69cb
SHA512 1d4f8bfe61e07e096b80d95c96f655da4d8ab2b86021db326290886d279661dbf77c82f4acf6beec958f1f7b8e7e731870d91cd45cc2c31df63ebc412641a904

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 2839471c9dfc2f8434d6fb11efe689ed
SHA1 511a1acb2110ba7cf301e6dc5c40dd60ae46c0be
SHA256 23abd4e3493fc8de9d8a1ccb79ef53c97d7c23916ef374f828a4f4e0ce690831
SHA512 1cbfa9125e5af25c112828236a93c64e342b48c33eaa7e5dcdf97ed7987964a5069f43a5200d4894686562390d056aab92fbde76f07df428ddb6457b30559425

C:\Users\Admin\AppData\Local\Temp\iQEQ.exe

MD5 354d1e6cb52f40b78743b90edc20da56
SHA1 371887862ab16cd27e358752e3d46ab3a0dfb985
SHA256 9c5533d674fe99bf2a9d7e9cc86e1991dc52dbb8936cb7091ff7254d04e6b633
SHA512 c133bf06868dc6c3bae9024e8f129c8b39dc44ff34bd9cb0f1de3ab31b6c02021764f630187452b89b1e06bb0e9d8bbb185fa5e8f99ada3ca3a4b3e447f07ddc

C:\Users\Admin\AppData\Local\Temp\XAAg.exe

MD5 c88d762f0cc1a37f9cbb3a455e9c1953
SHA1 12696a0390d123750567dc2debf7ca57d393fc62
SHA256 50431dd552692b5a31effe922c65f76e66c7377436898dfafe25fcbb52733814
SHA512 db707a6d3b512c821cedb8394c8b4092d9b3f6b02ee134e7c2cde44408230c7e703b8ed5128840fd2e4e321640d9b7f7f4f83e7b4fa8aeeb0d583852c56abb68

C:\Users\Admin\AppData\Local\Temp\TYIE.exe

MD5 dc72f824cc6140a59048e0187781d7c6
SHA1 df20ca7372f6dfc40b0f45e27834dd65296bae9c
SHA256 b19336c05ffa05f38ad92a6de43b2c7abd7489cf433e44e14a571b770bdc9c01
SHA512 4048ca87a15a7d7b5c60b603412c7a057f60b3ebc23b4f73fc14230bc1f9b52291b89c97e33a5c1e4f9bccb19b49b4d82f566809d185699c6d607f2486253790

C:\Users\Admin\AppData\Local\Temp\iEMg.exe

MD5 a1179f4a83282ccd910a375abe7ed62f
SHA1 4d3fdc4cc8b99f0cea9fc72a8632ecd2706fad2f
SHA256 5d9c0338adb20e804e1e45c1b6e490a9d9f5642ab0307d8ef08192dbc482fa4e
SHA512 a13ca365af2b76ca16979a8a8531a3e18af5ab849db35aac677f122b6dfa919f3eac1766191980664b5a9397f27cf992ecaa16b43a137129386d61ecc1146a30

C:\Users\Admin\AppData\Local\Temp\PYwm.exe

MD5 b96e69ea0012a2674c3df0c88a6e003b
SHA1 7f0aeedcfc20c46a8375ce0e70c9903bed55699e
SHA256 d1bc779bef853634ecd9b76c405d814c2b4b2f461364cb86e1b05915c4b9aad0
SHA512 4ce66760bc098df0feae8413a38f8644990efe9c9f52a4ff512598349b78ac82aa97373fb6fbd462473d0bf3dce78cbdc34c6311cc7e5a74aeff8e7d09d767a6

C:\Users\Admin\AppData\Local\Temp\fogS.exe

MD5 f13c8c77d2f6983935ad8c2bd950a8c1
SHA1 521c3b09810ca75115da66c5a5033583ced55cae
SHA256 d678825ed1366539cba4dfcee0e411d1fbe48fc74e94fdba13fb2c52df67ac38
SHA512 8daffaa0d01dfcb4494ba98d7fc9e37af086e0e24ea31b04ed102d21c032677b17ce0c7f9fb8533bab8403ab1561fb43b01cfb5634f8e93e5d55e5316ce2b9be

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 b545197b00d694bce7ef527eaf240817
SHA1 8c9407ca1625407dd3931b81375793f4b8f9bbfb
SHA256 255975fd3cad74971e7b0870ebbcbd166d8fac540263c27de9d8ec2a402854d7
SHA512 4c69297e26a2f331647b72da16d77a98e0cc45ce41f6362b504482291dc7b7662aba7ced576902564ab692143e3e240c5ddef789ce80d7ac68e2f1a909d45cf6

C:\Users\Admin\AppData\Local\Temp\vAoo.exe

MD5 4224d147ecfb21f6f11a8f8adb4c167d
SHA1 4ee67efceb1acd1e822897d51d9e7b08ac40931e
SHA256 73f6b6f342427a7b0262d2186056ccfabce483ce96d3120a0a4ee5124e32398d
SHA512 1faeaa8d1d9c0a18e35c6b9173b24a8a9aace750e0f3324900f38e817f6c098a9b5fee1cdedec812a2b4ba9a6091f7f9d4ad83ef5bab3cd598e706e25813aee2

C:\Users\Admin\AppData\Local\Temp\LcQe.exe

MD5 88f87c70c7353e926366573c99156980
SHA1 58cf1459afd4dc8fe63bce42f36f89823b53fef4
SHA256 16ba1d49d91e5d2e401c63b387b5f735cf6c542c10236431cc4e08f26b16fe8a
SHA512 91fe8f079cdd77b5bd5b6b878cedf0bcf5340344f6c00abbc05fdbfb7a3f3a76ef370a2c058ee8e534be0bfbc903b22a7406f454df360334af2a193330e8e0f8

C:\Users\Admin\AppData\Local\Temp\WIII.exe

MD5 ed7a411dcb3f9a047b5dc8c22011e20f
SHA1 a395309d443dae885107e94072ed9d7e71fb28ed
SHA256 c3a3b8b81a89149e0c42134f0fc2a3e943dec843f7dbaac086bbed8178d50694
SHA512 6125b4c5cab0f7fb57cb5266425ec9354a7aad095530d5b6142044644b0a1a627b1e4af800d292519b2979e8ff3e4e92daa8f82e8eefb1079707a253f011f777

C:\Users\Admin\AppData\Local\Temp\ZkAi.exe

MD5 1d51b628144ac78acd9bf0b9f56aed39
SHA1 77fe3a1e63db2a7beb728742686ec222518bc5e6
SHA256 8cd7b80314ae5203f53046eaa6b16cbf5cd03cf69da61d23ee204c694ec6932b
SHA512 4944ce2460b730ee0a01ccebdfbc56d1a6fedcb415487d50fc93b0eff4e5788812c7463e9ec5553d33b6db55a95b6d161569f7c1ef652e79e92428ec9e94d8b7

C:\Users\Admin\AppData\Local\Temp\XIoU.exe

MD5 5501a890b05eefe50299173c198fe5ba
SHA1 f05d89f95ade60586ef837e2f363dde71c20f6da
SHA256 99aa23a5bad54becdd8528b1841c3b6d3fd07fdca6adff38c1141c5912de98a8
SHA512 fedc261c2bc1c3c55de4e5c3c09e950e8ef21155ced83bfafde2699e1a17c523efc4b46e5ce60af81de333c44da07e6832b2311268544f169b6dde959f5bf68d

C:\Users\Admin\AppData\Local\Temp\zUgm.exe

MD5 e7dfa9494a223b31f3b25c36aab6ed8a
SHA1 996050295ac8c0008caf8adfc7a49e086d735c26
SHA256 172d72e458da07041f0edbb0bc828041e68949c5c08c07ed0f77e5701e32485d
SHA512 9e2a2fcd1c0ecdf13335824505c007819faa8b42f2caa11ad1297f21b88445847cd2b72578cf6dd52386613546183aa531064d95c7bb11825bf469bd9a2db092

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 2774939f51401b2b39aed5bbd686e335
SHA1 1429dd2ec9ce32998638babc702b543d73d820a9
SHA256 d2adcb26695565849092ce8f6b8490f0b6499ea3e40c2e96d13e0315b62c7a2d
SHA512 df9f4b6330630064c99196fd9ab95ea7a414dc995f29f4eb2a69820b53f693979f58b68d319a9caa841360180ad9badb0cfea85f284d6885f48aa3ae48510aa4

C:\Users\Admin\AppData\Local\Temp\KYUK.exe

MD5 8dd645d6abf6602f8a520ce097afe8a6
SHA1 a1bdd86a276ebfa3ee0303038d2eb2de437d9059
SHA256 4be2ac2ae2db0e2acde7815d7c59b8b8912ceaaa7de15a19e03612bfc8dc2c34
SHA512 0b9acee933dd4b28d6e7a71a92d786a9bd3dc9f5aa1c728187e0dc7bf69bc47fc267423565a4940c5bebac8d02e73362ebf6afef7a2cfd73de6ebed08c2f5ac8

C:\Users\Admin\AppData\Local\Temp\nwAM.exe

MD5 7671da797ac0654a4c19eadba20403b9
SHA1 425d83917384a45f409cdfbd8723ec4db9508e93
SHA256 59c8a93c4460867d4e90f3980a59bc1175cdeb73c0ef414bc481fd3da4c59913
SHA512 e7aa81b153a3c0ea676267c119ae29786a2572789be12066e537e14c8664370399a7e6277db8eb728c7f05e555785f7f1fd324f0e885311f21a7af5b1291d87f

C:\Users\Admin\AppData\Local\Temp\qkIM.exe

MD5 7bca90d2118b7b37258fdb296de07424
SHA1 ede2ec8a4767c51e844fd4ca56a899dda95a3aa2
SHA256 b04cd1c0be7ff4611a87940c12d6dc93c01c14ec9a6e742c68523bf398d5891d
SHA512 20b251d2b54543385a0b0e710ffef1424807dfb2cadb9a0563ee7d19d7184d76bb3fbbcdccd543841edbd69b377fa341831c27bd71ee0cd582b68e85a345d81a

C:\Users\Admin\AppData\Local\Temp\SMse.exe

MD5 e608420a082dcee0b97b622eb9905d2d
SHA1 5f08a149f788838211999bc1ff92883d4cbf3fc5
SHA256 6ca19ea526dce94b4f1fb7ce336eb936acc41db9ce671cd7c5e59b0b0156b0aa
SHA512 d768101ad67b4b1a5e32d142dbdbe29ac546786c27bc5e53a98b94e6fb3994ac21b240e178e47f1fcafc5e46024337d65810d0df80c2d7bf36c5b82600d7bedf

C:\Users\Admin\AppData\Local\Temp\ZYEG.exe

MD5 c166df4a08ca9b1d08dc7249c599c9a3
SHA1 226468ce94d510d6610ab96244e8aa30440356e4
SHA256 81f2370af661e4ededab875fcd02015c6a3c6bae0c604c9e5b3214b10a048a27
SHA512 acb33a6c45c72d408bfe0b809f7cd937686e84afb08eea459efe833d4f0a500f313e29580b34e69c7dbdbc394115a92af28ad4b622ab90a0093f0d42a399e2a7

C:\Users\Admin\AppData\Local\Temp\pwEw.exe

MD5 ae0f738251149d0145c52b70b59ca0d8
SHA1 de571845facf0ab274b460a43933e4a942a90843
SHA256 91fc78819ad87ba08462346f776f9532b29db1f83ba1c3cbbd3c2dfb160811ce
SHA512 741acc3315914e2cdb82445f5430919d26307c902ab2d1638322181b05632a401730e5f302bea7d1b33e57918f01ba9f8f45713cb63667b39585be0680726255

C:\Users\Admin\AppData\Local\Temp\NcsQ.exe

MD5 0487a65b39279689eb9f8827d691d4bc
SHA1 ff8fb2e6383914c5ef5ab6661fc998ba946c3f22
SHA256 b4f93b5f476dee7ce7dcab1b220402fcbf37bec25b7c14706014da27171be4cb
SHA512 3b1ee551788fab4b2350a2b4928128cc64d5de50de60744aa59b7f530f10b9ec8d4e5987b3d7147fb3f6edc9875f5dc6a1184aca00308ab86429e971b7a2c376

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 68c03d089bcc24954de6bafdaba9474c
SHA1 c75fcd0c13f6d4ca8001c4e768e68e067b82901c
SHA256 302e6a45f3b456a1d027fd894ccb73b83f9b6e8932caaaa0378e61d549c8937f
SHA512 d882c70c0a6560271ec2846cf457ce396ef669f54750bdd6029d9df884fee7b0b37c6c4f08352e3e0132989f3ec5822c3e1e6c1762c800a4853c05f45f2577a1

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 ca9acf4f8861fc4b70c876a2813eb204
SHA1 d2c8af5e3c1fbe37913ac589a0cff5d98c4d57f0
SHA256 d9352221ccc781cd78d7633fa8d597a96f4789bc0b9f16508a57db8548458bb5
SHA512 afa87cd416de68f856b01e64d74fa76ab6b99dba0cc9b94023f9ebccee3a36805940fb95539c335a7e4db28c6452555fdcd3c04afb8c11ea1912775a1e0df5b3

C:\Users\Admin\AppData\Local\Temp\vAwu.exe

MD5 7bf31956320a8fb40c57d0cd3aa575d2
SHA1 6693bbf27cd8e7b55793b656011a936f81bdb3f1
SHA256 7480a23bf78bb352ca3495720513bc5038c0bd6ed2231da7d52b4a301ab0cc09
SHA512 763c5549241d98fce5006b2ab5f762a4e327a8f4537859a487ada30ed303f7281f65a68b88380611471ed95c2fc739f5f95031896f1ebdafba296980f048f5e9

C:\Users\Admin\AppData\Local\Temp\JMUs.exe

MD5 381f3094250978fcf4567b7d4aea65fb
SHA1 a2637c355ef1221049eb9d9d769f9eed8c508074
SHA256 839b69b38909c3bbb3bca92a3160674dace943167281c6555d434a97e705e784
SHA512 bf3e4d53e0ddf77e011bf67eeb92a161c6c2b8a25846de9488501ea96207bc32b0c90af47bfaa5645be1e2bd85732eebd581855cc0f0e0f005e189bcde5718fb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 f0707155759b90034f9f250b0c6558b3
SHA1 94a4c61bd28292f5b2012be4f0be16a93ea4675a
SHA256 855f200dac6c4aaa4b2dac46fcd3942b9916556f40ad2be7a79db3a48e525318
SHA512 ce644368e1556cb84c28bc344e1e2dbf29ea0a7ddccc535b315f6363823906f53a5aaf2437d0a334b67b6bd5bb9bc1a4063068a2529aadd76c6ec59652b68196

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 30b0ff5b85332bba4642bb624ec1492f
SHA1 9d574a506e0d8fc1d3a71d06b16bdf7fbfbcd12a
SHA256 221e7545e70384e99b836ee2555dd574cfc42a322bcf30f5f6ea2cb070ad5e71
SHA512 1dcfca0848929ca3c3ad4e30de827bd1e91956b779a0974a66eabc3bcd9a1f4438ed81460b68ed11de36e57702ac781755038e1f6584186e6ca5b39e6942a2d6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 f80844d3c1e517bfeca09291e8f59e00
SHA1 f3b5d47c77242087e04490fd54b542f7603796a7
SHA256 c5d2518710687aded54a2a0db50e8708ce16bcda76b2614540d62c5d214f0c61
SHA512 abad7c1e679dc26a86e4588318d7aa207bf685040c126f37dea077ca93c42cd400d988542d3853e972e9f9d08c2e3b102c9a715534c87aa1b0e0e81d3428a79d

C:\Users\Admin\AppData\Local\Temp\DkgA.exe

MD5 407a63ec9b1f6817c043bbc7309b7fa0
SHA1 ed9eaeb57c51fd664aac0e7a4ab1c15364bd8b58
SHA256 22fde442cbdc6acac49b56f30373c99f96a4c3326bc646523ada25bd54eaa316
SHA512 169bbb95c1f3b35fd9005a90947c9a4cb20f30233689618b660af2c1660907108fb6b6d3156ef4b808a24ec08c173734b716faebc794ea9846ae245b2d603f3e

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 a732ed54d0fa4fa595ace0d21cac5a6a
SHA1 d8d6649150522dc829967107c940321012c7e3cf
SHA256 4861e58e639105d137d1c214cc8f4ba235226ff8ceef858dc8748ec42ea3b15b
SHA512 de2f7c8938ebc9a9713b50d5174c76ae7d375d16e5b59d085b331290592865924395147f706277dde63e29170f3acc2b841df244156f18655576c9dc1affac09

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 cf2611cd1155fc03db6301a1327ed20a
SHA1 51806a8d336c5977199e8eb3d5c3acac770537a7
SHA256 950064cf59fd114e5a2b637444e8d5be8133f052f272329031539859f50e420a
SHA512 e5b4addaaf585de4447539fb25561473a22902a8276f1ef14b8d5e9130b4bc92c52bd6754ef1f46f3cdd761a20a7f700ee50bd7c696acc4120b9ffb47719a511

C:\Users\Admin\AppData\Local\Temp\sAom.exe

MD5 6fb8b9281b6f81474331a663d6163f09
SHA1 70406786bf019fb1829d3d6a970353ace0874f0c
SHA256 55417d0ff67dca0fa87fdf36085ee5ca0e8ba313346e9b01cb85ddfd6ede5d53
SHA512 d662816d4bf5922ad1c509f627dea0dc633fbef4624d9b51083588cf1e99e0ad326ebc342199e01dd986f15411c6b740d7fca6155f0304539b830a22c864a3c4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 cbcc4411780eaa6041996341a85841af
SHA1 15708420b9423d3aa0823ba367918cb01f166a1d
SHA256 5e22bbbec41b089d2a3cd57998ca51a6120144e279ec84e451ada6bff9602fe6
SHA512 553de8f469597ae0727eab5c413b3f71490b076521f21bbbba367cd008e046c66c2c07441492123c5f39e2d9b77d74e363dcde0f922a7b22966c4c6b413dc1f2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 b49242b287f75ab0e66d9271c12535da
SHA1 17debde8afc93402c67f4c172f5eb83e77369c0e
SHA256 7a20309c36aa1e554b80da8e9e7a8f7c7f78fd4ea11b74450b79d0e81ab36d62
SHA512 41ef078b02c771ca9160f5c775ee46e16a8611ba9437e785e1c7c7221d07fd48693adf21d5efdbe559cf89d0f5794333f81daa02ebba0df6ef6cd4580e5275ad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 7b7ee4dccf3b89530b7cab392a6bb76f
SHA1 eb199444a2a4fcd7e0b159fb0d60cf4bc788a1e6
SHA256 949a52093c5a8cf851be4b2a9e9dbecfcc94d7e5ed44727031182c88a4f21ae4
SHA512 a346f1fb78c25d89e093817cbea14fbc4821c0924e17588f1a7952147c03b6c340729f41028c316873a1508982ac7a4e7c97cd541cbabcc2dd41cf9a6392c481

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 5e9ce4edbb113333efa780421d6c5c67
SHA1 dc4e76aa99c3d66c3f82cc195aac884225323a20
SHA256 aeceee39c9246b17db7afe139bb62109a163d2d6ab73ea8ee8378e1169413227
SHA512 11a913db267b15ca1d621003b095b24ae3c853d2ab07e44f503c16bed01e8d0f42b2ad9a4fd9356adc61a4d7b104ba82d60305013d40d99e1b51668a24407498

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 5b8b7aa28602d3f6ddb5e01c2e607186
SHA1 2787927645523b960b7f6366a1520aa2396bd469
SHA256 4a373fb5582deac9e67068248256ccddc18e459614ef88523c55527bf30fdf34
SHA512 f35b05b3ba19abe3a0e4459fb6c24d62146913fb0ec53b82fb0a668af501c347ef0aa93af949502830c18d3808dae576d4e01dc7af803644849316929d1da965

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 55307469cf8e02e87bcb82de3d16b34e
SHA1 fdd5eef3d8f098ce43cf6a3e1d589d31d89f98f8
SHA256 2c0503903ea6da12d5b943ff04440ca843cde520a48b73c8868ca8865f49b9a4
SHA512 75ad3f3935c82c18b7a95f84d6fcd310afc6b31cd9c3c7de0a6b0ce0c086162d03f225f9225fe937a92673a916a626df2ff5d1e90f67f5d379386633d2177b8a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 0625c90e018d9760de3fd465f6f4f270
SHA1 9cbcef34a857052597beb183813b52a1827fe340
SHA256 a6dbc788bf52aca915ebb82ecdaa24d9ff3cfb486e6cea0aea530413fec781a5
SHA512 ebd64d852c6bf86dd40326859eccb9c862193d3ffb5634b80fcddd841249180cb7e4c75e7029328ada86204c39f79602dac65853527b18602c3683272df2d862

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 a57b7acb2348e16b40141426149b9a1b
SHA1 f1e2f1afbf0375e8eecb8b167ba04a68ac4f4b45
SHA256 cb55bee05e057289952353e9c75c34787517211d5fe0797e3c7ff348cfddac24
SHA512 395aed17ea921778702048ed99ae408bff0ff43b0ac826885071926eb3abe5b2b1039460c802b32628d42f95bab41b844eb203a7b8db0a81a8fcc2d513a36a2e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 25635d7f93c2860640ac8fba948a303f
SHA1 57d7e1c8f05fcd0d026fa9d8931ce424332a97cc
SHA256 7150f42c5a4ea04133573b042054ba643b01fdce9b985d850266261301cbddbf
SHA512 d58c11d99e0bd68677a1b64071b3dc7a729d96323825cae46cc68b46f44bf0b49ce83df82142f5ceacc965826bc315893268c84c6d813ccf322fcd88fd5d35ec

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 83c91956dc6605af542442cea39c3f69
SHA1 9cd8ae1970f3096647721b06ba8e3bbf064383de
SHA256 d5c7f8a6a6f27474e73beef6af1c67c3905556975d10049635a2802c142f19b5
SHA512 4849b165707e975876f89386724722e1512a4f1c8f462c085ee37aa8b75c83b5cb7d4d594706e8f65af37e47ecc49870767899ddd5907466864cdbfb4eb0036e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 19d3566d90b77e8f919f2650f49e5ddb
SHA1 025f73ed5f3b9963d246d571f0c20c6749554561
SHA256 832e7028c003bdad4e716f7e0aa1e1cd8504a7889502f43a654e4da84da089a8
SHA512 d9c057a0f92f292fa3ce5c6eaa988d4278b76581ef1706aa9292fbf2ba4489991c92ca90613e6d329fe4e1d380fb47d32ac2056c2c70b0fa3f7df779f6ea2b2f

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 73ad1e51cbecde62915cf459f1c2f6ed
SHA1 0882f10b2932804003312d9008e83f41b859ceff
SHA256 793eb04af644318c9dab88c1ee7fbc9ef8ae2654da38866b214f2529b3ea4389
SHA512 4912005fb929949dfe245ff45a2fe75235a5f6737fc53fb63e12d50e21bc92efc3a622fa591a20bd1cb3aee5d636c729709588a2c994f375aa965656086ab0f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 90d9b510ec3de4e47b83ec2c3dd4b8f1
SHA1 8c45642d5965926bea52764b9cd80ae515fd6bcc
SHA256 298cc9c5d74f0c8de2f2dff54471b440def43077d1d097c2d1dfd2ce0b05ffd8
SHA512 3eb950a9c93e49b5a25bbc5da1f86a8f2cf1b1dee4d27a816d1b9a39a71a298b190af0b04fc3984a464a9f71a75aff083f526483d5d5d63947ee8e795372d321

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 8d288ec7291da7c0e066d43e9fc97182
SHA1 e4aa4e23f658fe460e101347f7adfb4e1025751e
SHA256 3c23a74fe8b324f8145fe7109ca4b33359de5ee3a6f15bcbb595b7f1c8b93bdc
SHA512 e235b3c9882caf7cc0990c465646885778293b54b8bd0e2fe555c599ccc7effb5c6498e39f3c9f80b73eba30c012d62aa450a49aa760880bb2948a6717914ff6

C:\Users\Admin\AppData\Local\Temp\vQcO.exe

MD5 f33ae620ac8abeff5816262c966b3d80
SHA1 4d1c8c39c5d3b1f21f38cd581781cccf2d89c976
SHA256 26ada74a2d719f6f1b73ceab6024cf72cbed79c29d9c1624c7cbbeb415273933
SHA512 077663c2c67b310034e37fba3acb33cebd204ac023994a4bff08f695ab5446711f0d206920a80564eeab7d2695ff82ad58197bbb0d52d4d0a8f34a5062f2fe25

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 bbe62794431ad80a148004044fe1e053
SHA1 0f45e41626a839befd65750e15b256815c785bbf
SHA256 534a8845b21b3ca046e743762ec1f1f63daa8b5df9c01127298a3dfc6a9e0cde
SHA512 1a3fce2a59d202800b59784b019f362540e7b9bebbb50683d4cf0b6b1acb1f65ede045b58f0b4f7d4e40b6713d110aa187f9055d672bda2178e7f1080ba9d515

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 d6c476145e0803ac9d92e84c70df824b
SHA1 5d528c56ad1bb7ed997a7e5f44e51db0e2b29b77
SHA256 5c136d3acacb143e4fe41b351f3f2aa497fc1800bb5f7e98ffa342c7ee2df661
SHA512 eb49b87ee8143b5ea67abb36a8ca1a9c80cf7f324ecb4da7376cd0c347adebd18c6add0a83ede87e79d26773cca8f27959bc2baf142eec2dc13e49bef39dc1d7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 cbcb2922f0542bde8db6af8b84eb8503
SHA1 946328fd7aac7d91b21194266f8434f1d5097ae2
SHA256 02baa8977b174d34e00a3d06f656a14fa3153a85825404c70ebbe7c99f7bbecf
SHA512 c3e22d215a29373ba74ac89f689aa92b3a7c92dbafa8de45232467594375514be1ea713a06bbc7b873a556beccd8077d258a9c211213a1e6739fc8874e299a3b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 f1e930fa03e08d4de18e6be6e89c2f6f
SHA1 4e2912c25cb7f5b5f05d2eb2bfd75e65a1345529
SHA256 fec336748b24855ea0a4edea590309d488350ca8fc95ab5781f16d7fdd010188
SHA512 a2d9edf13ba8df76cab75576a1853d57f27896a5c8c7dc0270faea83b4f2223897dc1814d71ff109b182db2fcb0b5421ead9a7bc4c4f44a9fc7f4c99bea3cda2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 e8027046e67406bd81f5666b005eb665
SHA1 bb4b2847fd2dcc8766622cac4d647120800c2aaa
SHA256 cbe262c48a84fdd495af8facb8ba07c50e1f53d9215b4f3d59e38daed972c4a8
SHA512 94ec1ca0b8bc6ca54d8f22fe1bcefff9f627479438bcb7d6a7a23f696e4d71bf6b4a6bb5cee59b0e27611126062e04ddd22ddc42a4e5c2ee1d35403d0d2fbe5e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 5dd9704bbd0c53ea67a68e5bdd5247f5
SHA1 54418f886dbabd6a017c4932f1bbd1571c3711ac
SHA256 7321aafcbab17e5dcc411da2779969e688e443540ec4d8f18c41f57f38623a70
SHA512 9eacce66c98a54a8536de5679e5acf97a351983b489f520e6e793878390f6ee60ecb01b01cd422c0c5d85a1bac9dbda272a6a9356dc3070e15031729a9e95967

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 3ff74855006b28db508f8a9276c6c273
SHA1 7f7fa0e55d9a2cc87b01ac34e35c0d57aac7f0d0
SHA256 42c94dae6b287a648bb664da9f250b5f47ac59576b20293f7b2ad728c5bbbde7
SHA512 40e8a5bdd856ad4e77c7cd597f4476910a86beecc2d29593e17fee3e6e702022edb556c29164e6258d5b64a3e50288579be7f313b6499a43cdb75f5b767183c7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 c8f31f97ed89a5f8be19fe35253168e2
SHA1 58f402e5028e24bac7cbc3fa2eadf99e58467c43
SHA256 5b044d89170429988680dbcf4da3fcd5e2de3342eef1195bcb81c4b8f04243b0
SHA512 d59305cd25a10199397f9c1d533d482162132e8c0abbe69b300d94992499d970515af3bb1ca7e964a2f9416ebf397c0cee260268d944e7dc7728b1d544461749

C:\ProgramData\KkcMowYs\xEwMMYMw.inf

MD5 5cee15f8c69fd5d12484b55c9b182bab
SHA1 213b2123628958d78abcec373527e7f9cb3da97b
SHA256 0156ad9c1f6c23475d7ead9da25799fd1082c7d4510df1ab8bcd8082d7cc0c41
SHA512 b987a6eb46f3e9b743aa52a3eb8d1463564377fb8a7fd8c03291ce9099df7a221e4430c0f7442bd3fde5cce6b44369e98bb2868f5401763ed8a3719fa63cce9d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 bf26c00280654dbb72509c0a12b45d6e
SHA1 bf27ac95d56ec650df3a3934ff915413d9b633df
SHA256 35f95b047d88b7157fa051f1debd49e3eb51743ba1067759c7d773e11b0e03d5
SHA512 37624205fa267b3687bbdd581a6d63ec8a7693b8ceba7e146b5a59a63a763aa2754e3f5a0ac140fb15a6cd1cab03af9731fa672cae432f56c11c54c73c891fe0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 dd1bd770a81d6a445b7c08aef7580204
SHA1 8b01b7fa9e2fa7245c3e03fa3c37d87eafc7f157
SHA256 0c7f8350119c87d981705157786bc598881c745c859559eca52f423fb65cb016
SHA512 ebfb71eaccb72be5a151fb2051091e64e133c1424e049bac4d139e0423cfefccb34b0257e5c56bdb63ec72625978582f22424b4463e30a7cc39907d34f16fed8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 2f60c803c5b9b8ad09ad9572d27dbab5
SHA1 85bcf984c6917da5d5e641af216e3929ddbb4f36
SHA256 7d8a3b6c9c204b7209044783ae1225e467da4e6f59a68a61901770cd0cd5bf9e
SHA512 e53eae484b19dfc85abaa7825abc30544470ba3351a18eac2a0d08e661761ab7116cd51f48f74f99f96d738f5b0bd8e64a169152cfdcacb2a71c3be12063419a

C:\Users\Admin\AppData\Local\Temp\VQsW.exe

MD5 5a3e4c603d92170127fba0863b221de3
SHA1 27add552c831cd6b6a0f13597c99a477d35873e6
SHA256 670edf4639b0c4626841382912c61747d5678d5389b128cd9554487669ef35da
SHA512 20a97524faebc15e1ade06958446f7d252519463ff46c0f192b89daeb0b7b504e0652c1f973ca92e27d931f704d4ce2bb4575cb9295e9e6f402d0ddd22e2210c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 8471955d749430a6959433c0722f93cc
SHA1 b5c5a370df808ed5e072d3a0d878d7b4c1d3d3ee
SHA256 8d250a83ca154e1e032f25b59b31e4f6aef0e8784a01078920d172aef9a129a0
SHA512 7ff7e479a8674ec871c123010ecb6b0eb4555a46c3c2e3f5de7a6c174ee2cff6eecf26c90166a9bade1dda9fa7867f8fb9216e52a07d3b8eb578328b0f1519ef

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 fca4d757a578655cbd04116c09e55913
SHA1 ae6dbb8579c98a249d005aebdca2d93cfa0058a1
SHA256 6b5919ba34acb76dc0d52c4b892881e2df2c9fbfc41005c694e90f228ae42149
SHA512 1e9434fd90d933ac9f8d691c1a8c28a5e4e0d970c4b8de1c2e7ece4a0ce2aeb944e5cab52d828d405a2cd540aa1af45b29f5f2a6920d5513c1f6c07f05da5e86

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 7686f3e50a946f561442ff77e7c18134
SHA1 ff40926294765ae10081170d3c769e5051cbc2a8
SHA256 2c5198fbe7a86582e6c3e333e25a0f74a629cb97a5a2cbed1833f0666c6cfc35
SHA512 d2768eeed1fbcd4fe5b5a28831f23ef285b8dfedc358e0fa36ed9f7cc3be51e743a63525fb13279f2ceb5f4af0e242595729410cfebb4520b6c6170aeb9a3546

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1ed2a46b491d1da467713c6cd3cbbb2c
SHA1 34f676688f862b0288f2cd1a23c5f64730a5ad22
SHA256 d755dcb73716c50710951bc9ef828b6cf63f1ae76e54eae7efadc5648533ee66
SHA512 ea4b8b0f29a69715833a222851b7ec833dad84b26eacd1208ee3220d636405a62895b80f26d08fb08374cb1cdd5a212588ccad8078e95c1b0ac100beadd46670

C:\Users\Admin\AppData\Local\Temp\uYYg.exe

MD5 92c89d14617b1c78ed352b2c4c482249
SHA1 1f10ea5332e7a9b008cf252b1d542c5bc5010c4d
SHA256 97a7f2820b73e3ba49e74c48b21d9874c1bee37a9a971635eba09555b112b62a
SHA512 6a61fcf697170f0287e3a4fdba06de592d4b5cc3eefc338468575341a308272b75a993edd02731c5124033c4de27a609fcd0ab71b43e27e64b413d1d234bf49f

C:\Users\Admin\AppData\Local\Temp\mYUq.exe

MD5 282d3c25b527d23ffece4fe40079225d
SHA1 24bc5a9a47fdc4422c7936b0b253afaba205def6
SHA256 37e040a49dacce36d42e45d763a9b11890f7d3a5cb81c7a79777fc1f2460de5f
SHA512 9bc338341ba1258ec963ba7b9f010bd7b353408470970a1c49f504bb8f2643b7cdde6fdfc5eb51c1210fb42384f8e618f4136061ab541da5eba83bf774e1d4ce

C:\Users\Admin\AppData\Local\Temp\HcEu.exe

MD5 19fea92caf120346be33db52c41f8f6b
SHA1 f9a421133009a58230ce8fb667e6b68d78fdeb59
SHA256 c2c7aba708d25a1d7e9308a51b5318867de5aa6087e5021745d268d6e4119409
SHA512 2bfe27586f3e6222de55f89d8fddfaa50b7dbba8eb1085f17b10aa738435d7258fad7aee1b72e6b6d75e0b2355ef0d7053e63f29fdbc21f6f02cf2ccdec64cc8

C:\Users\Admin\AppData\Local\Temp\Ikgs.exe

MD5 7ffcdc26d4aa0a2123f4f886513eda48
SHA1 d83ca390700a64f18b35fcf48db124c15b37d74d
SHA256 619b39bb70d34819711437b81557beb64055eabd7a945765058b7bec82275365
SHA512 1c25713b9f7af61f7d5693c6f1aecbfef7e2b23863e81dbf4ef5cbf0c9effd362773df1900b0534ac697479a240fe2b6e5283965b44db753a1ff00f1ce65299c

C:\Users\Admin\AppData\Local\Temp\mgIo.exe

MD5 06ca82ea7b5fec1d44d0930857968aa1
SHA1 6d6ddaf2005faada0b1dba03d978fbcb2b83dfd6
SHA256 de698f51cf8e29e364e0fd2735581032894acb4e2f9efab0460246b5fd846e91
SHA512 ee16d358e5d2550d79ef1e2c8de4f3e321bdfcb5cd72913d0dc851c655e11e9b107b2af791a2a5fd7f5cc752c40281c36eb85dad03cd04384fd03dd6af4b9338

C:\Users\Admin\AppData\Local\Temp\TksS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\dggC.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 d931cecad0aace8479360e516587d6bf
SHA1 3cae69875fb362bb424f9fa9d7fe2f6affdeb250
SHA256 28377d0af8ba3056ba18476fd9459c94c313df7ff15a6b7f7c2d44055df9be06
SHA512 2d78527b19eb573f9dbb6890425b4e8bad1dacf575fd496a0067d8a4eaf8842744252679c580660171321e492d77f4092c677a0091145fad26732b6b29fa1766

C:\Users\Admin\AppData\Local\Temp\ecYM.exe

MD5 b54566c9794287e15027d82e52a9cc27
SHA1 9ed998dcdcbd1c9096d919fb399599aa889045a2
SHA256 7d9c6e306a5ea1bbdd85398176efa99075a0c534f67df50ed63eb567abad56f6
SHA512 51ed78f6a67ad04e7acdbeada0dcca66b65e6d7be9467492183827f151a394e84cff39f228bc1779c6af1c7041e8475aea5e08084711dd22003decc3e5c03174

C:\Users\Admin\AppData\Local\Temp\EEcu.exe

MD5 bd555f632c843aa40ca9b6a91537f3ae
SHA1 21272a1db2ee5051ffa55f41f99048c2ad6d25bf
SHA256 fd3e47bcbfb358b2b77320dc303fd55b4e436fb23c4bb2abe0ee3d15c4eff6fa
SHA512 932250840c8b49603ba0bf02adc352c238975efcc793b6ea3843273cd5fa0fe4a344b44e31827114f5a82a5235f8fa32b248a0b7dca892cf5d6fc3fca0df3cae

C:\Users\Admin\AppData\Local\Temp\MEQm.exe

MD5 85d80769b6d2eb6cf7866dd019f51613
SHA1 1b54895188d4734b00c191f83108f27d8a0d883b
SHA256 a48319fd23af16cc67cab5cce0d4540dc529bd7b80ad69bdff1caf6e749c6058
SHA512 730e9b6291d9dcfe334b39e1e35aa767781dff2f60814e2259e2fc9e9797884570aaedf044ed2d40b9543a5b656844b60dcc2213834aad284659ec96d4855fad

C:\Users\Admin\AppData\Local\Temp\wssa.exe

MD5 260550d176194c33b1ecd102b4062585
SHA1 0ebf23c6f4856630f8a02497e548178e150ef213
SHA256 aaffe22e7d864cd1d0af1ee650a3198c4258a7ef15509a20633a7240351103c9
SHA512 50cdc9340e0f717c8f7fd2908347f087ce4f2973837f61a81f5458ea91555f26a15111007589d8b05571892d84d4eeb360feab34865d606a5db9dbb0b3ab5704

C:\Users\Admin\AppData\Local\Temp\fkQc.exe

MD5 1a2d72a1e8fc613ca9ac997606452bb9
SHA1 90fd2a1dc3737af9efb31dca011ac21605036a0b
SHA256 c8c964a4431ef712ae66ed78718a522a771d9d08690c58d56117eff054115cd1
SHA512 a0de1f446c4497430d623eecd0d4ac5a5c2d061b1e520a3c06e2cc91f284acbc8f983092e866da83f64ce7eb02e9ae4c38136cc6a25b200b38094f87fb26b565

C:\Users\Admin\AppData\Local\Temp\fEIU.exe

MD5 82708e49939aec3d8308d757dd4de420
SHA1 2ad2cb3a07bfe3279819ce383cb34a29407f6d7c
SHA256 984c0622f6a1c72249f467a3d029c561057fcff040e119441c82b5c69ea5e189
SHA512 f26f1b78d70a961ac0bb8cf3cb2080da361a2c8f2e8877da449f543826acd8d69724722a05ac3bdbd126e017d34c4b88c1571585d764876860f3a6e9bb3943a9

C:\Users\Admin\AppData\Local\Temp\XgYq.exe

MD5 37367ff9fc4e13d53de2480147e8ac7d
SHA1 8d1cbb1310f3e74c6fb60e93789d454fb5dc4747
SHA256 ae83e51988faa6a22364b4571e1356ae68ba29cd390edca56f0adf956d5984a3
SHA512 3817976a6d50023046c3f535d3cfb66151f1bdd02f4bc73beeb4f95310fa15ad88000650fcfdf04453eacde7e2154f1cdfd59f8fe7c119284a14e3288b59b771

memory/1028-2232-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2628-2235-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 21:52

Reported

2024-11-12 21:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (81) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\ProgramData\FWgckgMQ\ceAIkUwY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GAQwoUQI.exe = "C:\\Users\\Admin\\wasMsUso\\GAQwoUQI.exe" C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceAIkUwY.exe = "C:\\ProgramData\\FWgckgMQ\\ceAIkUwY.exe" C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GAQwoUQI.exe = "C:\\Users\\Admin\\wasMsUso\\GAQwoUQI.exe" C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceAIkUwY.exe = "C:\\ProgramData\\FWgckgMQ\\ceAIkUwY.exe" C:\ProgramData\FWgckgMQ\ceAIkUwY.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\FWgckgMQ\ceAIkUwY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A
N/A N/A C:\Users\Admin\wasMsUso\GAQwoUQI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4328 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Users\Admin\wasMsUso\GAQwoUQI.exe
PID 4328 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Users\Admin\wasMsUso\GAQwoUQI.exe
PID 4328 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Users\Admin\wasMsUso\GAQwoUQI.exe
PID 4328 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\ProgramData\FWgckgMQ\ceAIkUwY.exe
PID 4328 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\ProgramData\FWgckgMQ\ceAIkUwY.exe
PID 4328 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\ProgramData\FWgckgMQ\ceAIkUwY.exe
PID 4328 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe C:\Windows\SysWOW64\reg.exe
PID 864 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 864 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 864 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe

"C:\Users\Admin\AppData\Local\Temp\4a71801e5bb675860f67e4831692981e9b02709d81a61044085de8be073aeec7.exe"

C:\Users\Admin\wasMsUso\GAQwoUQI.exe

"C:\Users\Admin\wasMsUso\GAQwoUQI.exe"

C:\ProgramData\FWgckgMQ\ceAIkUwY.exe

"C:\ProgramData\FWgckgMQ\ceAIkUwY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

Network

Country  Destination           Domain                        Proto
BO       200.87.164.69:9999                                  tcp
BO       200.87.164.69:9999                                  tcp
US       8.8.8.8:53            google.com                    udp
GB       142.250.200.14:80     google.com                    tcp
GB       142.250.200.14:80     google.com                    tcp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53            70.209.201.84.in-addr.arpa    udp
US       8.8.8.8:53            14.200.250.142.in-addr.arpa   udp
US       8.8.8.8:53            64.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa    udp
BO       200.119.204.12:9999                                 tcp
BO       200.119.204.12:9999                                 tcp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa    udp
BO       190.186.45.170:9999                                 tcp
BO       190.186.45.170:9999                                 tcp
US       8.8.8.8:53            102.209.201.84.in-addr.arpa   udp
US       8.8.8.8:53            77.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53            13.227.111.52.in-addr.arpa    udp

Files

memory/4328-0-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\wasMsUso\GAQwoUQI.exe

MD5 2b798ee6d19db9d95413e92b7050940f
SHA1 39d8624dec2fb1e47de9e85dcfe6fcade9e66a04
SHA256 f07010513f38efc98880003482ead9dc2a4746d75769f5af1c9899c91962f0ba
SHA512 afa813fb28211d2269c754e4b8e5cda5724e1f2f07d9351e01235a410d81884d3d7b2f12240ce186ce81601c2b834848edd8947163e71f368c137412dc6d9ff4

memory/1320-7-0x0000000000400000-0x000000000042F000-memory.dmp

C:\ProgramData\FWgckgMQ\ceAIkUwY.exe

MD5 57949e32353e281a2e6c83e45e12cc0a
SHA1 3a121360cc98e301d539377c5b41b86a2050197d
SHA256 9a552e4c8623a5ce6a32341070115ed5fc8f4720dcdc2ab1ca2fdae50bfbb381
SHA512 7c283e077a69c7187669eba24d28867a5de5db74e58f32bfdef61364b7108ea8d5a143e5706e08385a3218dd01b3258970885b4489841ce2d7db74237cb19ea2

memory/1688-14-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4328-17-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 c2e1ea2eb2f8600ca4f6235dede1f64f
SHA1 6dfcdc1f711ceee7e036b28643d913012b017e11
SHA256 e9435924873220a250257b2f999f8411430da42af8d7ce39f5c653d176066443
SHA512 763a8d9a9d057db63e2426a15cdb8e5fb048f0a4c9196eac412ee5dc22e00b3e9ffc827d8b0f79558cecadb7eabe251bd73ed8c127e8ed0b14aa68c0ee741b98

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 a0b691ececeb15ae38bb43e2f5c58bb1
SHA1 d2301e4f8ecdf24942bc33d4e2221371c94d0013
SHA256 4ac2559be9b49b96e8b76764bf084de9bb4bd25cec040edd72acf38dfa524329
SHA512 4437601029b5a7306d329e52ba92a7085e78c5629265748c7d4fb811c3a9caacf22a3f75b76a63ae3a7b218b4dc7951303ca5cf2998dc4367448619907748395

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 59143bd5b9597601b0524dcf7d4e0f71
SHA1 b4f6d06b1845b287c65b56b481bf3c81f06e140d
SHA256 806fb9bf201ce9b21d7e832737db2983d7bd9ea304c136c1c28d4e38e81b2524
SHA512 e0804bb1332b2742875582a11416505981311cc6f40f5af24592439682c46d023075c00684fb6cc7066aacaca64bce45f898439fbd9906bf419ac816ac3e0a7a

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 df78adce080b118ecbe84a81e716ad6d
SHA1 dc47965c097987daf6a7a96ef201e216c75e4597
SHA256 c3a38f555492af36a99292dc0876c1ea4d86bfa8d85691d3dd35d928c832f51c
SHA512 7f0ec9ca388c2f713159f9aff35d7a88b8e73763a340a9b30f77e9b0916f2f0fd22f38d97fedd08e89b15782145fcc62fcf9336dfa79104f3c99b855ffd154cc

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 2bdb89d2c82fc0d9dd9d762f110a6aab
SHA1 73b15a5f464c965826504f85e158e6135f541383
SHA256 99d82802afe8ef33d098de2a820811437a5e6474a6471f668e85d68c317910a3
SHA512 5bb52a434886c9a397318222283e9efbba330e4713766663daf08ebf33115a3070cf7f93bf56cdbdae717197dcb5bc07e3eeb1931201f3820bc4fcb053d3f5b6

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 dfba0917d72aa5ca874a73297d20eb61
SHA1 938386c6f5ba8746a2929453f3596a4853355e6f
SHA256 b684767de275bca43a41431e0585f1c70aeb14e0a97a926be2ac39c217ec5da7
SHA512 cd07395bf02980a95f365925945395849f3cbf0fad2ba9045d809fa2997cf76f64866c3464ac57660e3a5f9ac95bbe979d79c708870f0d413a752f96e78c11d1

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 c657a2d114424b155b0e84f51e9cdbce
SHA1 83a355717b752b38d2b521f2c5bd4b6e387d5e24
SHA256 b7a128250dbdaad2f981c407c94f0350d5e1e2d121c504b57e325848cda976c0
SHA512 f8f00e5635e76641e2bf34d3592cb30d856ffc375828e6edc9c537933af24b7642babedfc7a8744243d9a7eee42b810bec92fb39c6444f08e65b65739089bacb

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 8e1c7f78edc75a89ed9ed957d3ffa958
SHA1 41ec53ce36b5da49d348954eac2d8353fcd49356
SHA256 cde7bc2b0972cf5f85fafdbe075eafb5e625d35d093b28374880dadce5eaca2c
SHA512 7548195a66e1475abaaf2c4c16a804a955603d7a3eb340432a59098ec5d2d10b10d60e6668d75516ac0013622ed15da7005adddd609c13faa951668dbc0a152a

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 670b16efaec0aef77742bc7f7468bcb1
SHA1 cc2cd3c98c72e823d46f4146d97bb3581fa3404b
SHA256 d60fe246dc1962dd71df4c8dfe75beb8c0b044e311489ac8620fe0c2ecfe3c63
SHA512 88bf9180fcd577d00b151e841424fa0287c60e9cbe215df359e2138126e737941b04a07f8c1ab7b2ea9777e3668b77d0982ceb37f4143c3c6407104edb3b14a9

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 ba145290a887d0afd347e0e0e99dd3ad
SHA1 803ec6925e1929dbbef653d20c30db0fcea49c08
SHA256 b544d602dd45b5e88fb06181592f7026b25f52a1fc4eb4408d90b6c80d216076
SHA512 af7f4ea1809bb7904867e6b1573a79f7a00bcd36f609137fa296ce023ae220d3ee1f1955c50e9f7e7d101dc440897e0b8fb2f6c73b441156e88f7c9d9143bdcd

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 f775d5b000b9570eb9164d680e441136
SHA1 4f888ba852413d31039319a49377df6218800bbb
SHA256 fc3d29579b9eed61a5b4cbb914ee0b8a534ab7cc14414ef9ba76dbfb30c01ae4
SHA512 f56916946cd793353e4c1a605781670e023baaf188be563f508a762d6ef055e453496e3c901a4ff279cc6ab64af50fff05fd39bf7b4da790b09e2f08b53fdf10

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 a14cd4d9429928d23edf8f562276ef65
SHA1 0298d95f914a1f3c94f4197754cd34e517a21068
SHA256 b48042457738b3e60029ebc08c9fbeb8ea73deaa709d386ae2ecc5b706b537fa
SHA512 f3e42056cdd03bb8132c29f61728ddb7cea4d68b38ca829492cdce582ac05887b70f1005a8e0b409d1b46929dbf65fe61538ba94300b1fde8fbb5311a712986b

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 2839471c9dfc2f8434d6fb11efe689ed
SHA1 511a1acb2110ba7cf301e6dc5c40dd60ae46c0be
SHA256 23abd4e3493fc8de9d8a1ccb79ef53c97d7c23916ef374f828a4f4e0ce690831
SHA512 1cbfa9125e5af25c112828236a93c64e342b48c33eaa7e5dcdf97ed7987964a5069f43a5200d4894686562390d056aab92fbde76f07df428ddb6457b30559425

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 2774939f51401b2b39aed5bbd686e335
SHA1 1429dd2ec9ce32998638babc702b543d73d820a9
SHA256 d2adcb26695565849092ce8f6b8490f0b6499ea3e40c2e96d13e0315b62c7a2d
SHA512 df9f4b6330630064c99196fd9ab95ea7a414dc995f29f4eb2a69820b53f693979f58b68d319a9caa841360180ad9badb0cfea85f284d6885f48aa3ae48510aa4

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 a732ed54d0fa4fa595ace0d21cac5a6a
SHA1 d8d6649150522dc829967107c940321012c7e3cf
SHA256 4861e58e639105d137d1c214cc8f4ba235226ff8ceef858dc8748ec42ea3b15b
SHA512 de2f7c8938ebc9a9713b50d5174c76ae7d375d16e5b59d085b331290592865924395147f706277dde63e29170f3acc2b841df244156f18655576c9dc1affac09

C:\Users\Admin\AppData\Local\Temp\bYok.exe

MD5 947185fb122455798d801944add05780
SHA1 d7c4f0e3437c4ad8faeb6c9bd26767827e2ac333
SHA256 d7c5ce6031bd3fdff596cc3f9cbc540fff20d5fd3c7eb1dc33d10201994e20fd
SHA512 6a49ae75372c40bd30b59d21863e9a5ff2bf06630eda81ea55caaf200690898537faa7a45435b31e624c216f7463d52a435425f31ca56cac2fea2169af3f1292

C:\Users\Admin\AppData\Local\Temp\egkg.exe

MD5 26b7e50277c9af7427a7d3e0ccb6b658
SHA1 b0f317beba34fa54b0d8900da5d378c405cc42c4
SHA256 031cbe0bc694053e494a982d2a1e14ba8938e7d48d4665e8be37ce8b1b4dda50
SHA512 200891f24e50863bd1ed58d449d1fcf2e8e5d08fbdc40b7f6049878e7e762a60440927a0a4d31179e9697b22a16a8bdf70f270bb4cb02c970609345e57d7b439

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 e94e6248f0737e03cc5c2a7099c64c49
SHA1 11dbb20f64d3b480b2eb95d372c93424b17e9566
SHA256 f3503e3017ea9e2eb1b426c09d25f0131f1deb9d42823418127e3218d300ae3d
SHA512 354f79adb21c95553707ae1b8e8181c5428b5be4a37af5c23155970fe0dd6155d8f06fe2446f3490937af34963953c95a35a5f5ac080594e26ac3c6c26908e41

C:\Users\Admin\AppData\Local\Temp\lAQo.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 6bcbfdd926efc4ffa6ce8ec8b43c5e15
SHA1 40a80cb34d26bb2aac68efe900aea187ac683429
SHA256 18b032ca077aa680b81dd9f0fae18942ec9ef6f5bf149f21a410fb73fd1443c3
SHA512 a692121691ca0a9271a52d8523c899021cb1f2aace180e5d0ded30c6215c33014ce19b95264e7d623f03fe391591af2806ebea4de0221e0727d9d74dcc18dff0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 f391d254f02f0650f8ab651b68fdb318
SHA1 5e1e6190a5930318eaf139ce7f39359e36ea3990
SHA256 6d0a9bde23cc20aba9dd7c7a1892dd025352ec783a5c55bf103fc7469e1a9f31
SHA512 5d8563b983bcaeea95821b99523f9fdb251ffdadb15fe41115fee9ded0e4d90f01f455b54f472b0db52590b88744c6a6c0461d584f172fbf2b54cd55e6f37001

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f09b7e083311a0d5ea85f4a796ae7cfb
SHA1 5c0ebbb8cee2f461745154d53ec97c04de0b2291
SHA256 5c6025d72da7fa96e320aafa10b5f634033d2a4ce00cdc9321434a2213cd5c9d
SHA512 55d84d16cda37b2693b14ff050ac19345b033f4c8f6c17d63030677ee7fc07aa06054fd484c29112ea20eca38a6be6b97054d7b483a3c2484bac19e483338c42

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 bfd88adf847eeb047330832029e740c6
SHA1 3a33480cc73efb5d7eeed533a59670d77b0b1459
SHA256 42b4ae3d7cc194f9a76fd520eb91b9919f70cb60086e0051e5d022e5aa2a8987
SHA512 c3a4f0de0e31e272b1aa2af5a033da298061de91d2eb2babed58935eb3264eb8eab40db02fa6b3885c98bb41ef7b5bd9e1225a218afcf18bfcabc277e1df30cf

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 73ad1e51cbecde62915cf459f1c2f6ed
SHA1 0882f10b2932804003312d9008e83f41b859ceff
SHA256 793eb04af644318c9dab88c1ee7fbc9ef8ae2654da38866b214f2529b3ea4389
SHA512 4912005fb929949dfe245ff45a2fe75235a5f6737fc53fb63e12d50e21bc92efc3a622fa591a20bd1cb3aee5d636c729709588a2c994f375aa965656086ab0f0

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 1a4740cbdd43f14d3a2196acdc17e0e6
SHA1 02365a981267a28371383b5dd43964317412c3c5
SHA256 67c4ba72aa01e0b03714de9c9019967ba7f54bf96fd6c95815a699e941586bd1
SHA512 06ae3b4b3dc9b67190cef09b3af79356d9bc298ae44f8105b2de017842369984ad06224af7064d58b4751f3ee7d4588a2fa8e3c9945cafdfb1c4f37e967c3fe6

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 e9af1253752af0787ed36c8c007ba175
SHA1 e47c6f5983d13e79d59ffbee63730c4af36fd422
SHA256 3ca09d10ad7634822f82d0edbda3351ebb21ab6f68a928088676cb68c721db3f
SHA512 5238a50e080945e6b87c9b246a2c2eb8986ddb4c0e0168db8b7a1cc197f396523301148e30d9d07c4625760ae1ccda0f8f84e4b8253ab1f43cbf14a70ccca770

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 73e201424a67424c471835d16a18f489
SHA1 8e93519719af9489c100806e1e864212b9afd9ad
SHA256 aad57d5a3796c7ec99c0889a1b00534f31828a74bea62409cc550d39b05581e6
SHA512 031b38ccce0842fe03758f1c8a34aa060e3e50385235f913437972e8135f78d39cc437a66ca9e3678dbb58d5a3f03ed6753fa3d32e2b72511bcdc6bb4989c4e7

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 d45b96987fcf37d8bfa13f93ca8ead1c
SHA1 5184c86b8ba220545e31777bae991cf88fc8f7ee
SHA256 fc4caf548b0ff7f5b0dd83cf431989f96165ee4881f9f7d529491c1b256e9a5d
SHA512 f0f57bfce8c1ae2359c659fa92e36f39e2b1d68d41ddcea30977eca30285337996719c2114c0799e66315b0b93e1c05078f904496dcc70a32c127f227d112c36

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 3f77a84dd347c9af4993c2968e906e9e
SHA1 fe596de8829d94f4e634b52c772dbce3771a87be
SHA256 3347ae7a9219a71ba4169bf71ccb63f425721629eff3b005560e6580a228cac2
SHA512 0b845565b5a13e1e347f928d2b7babe7f7f28de2dff1438a65bb66fb1bb2430e3c6892c63afe4363377e84f631cfc894d26897be7ab8e720d0f433ac1cc194c8

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 37ed62b0f61268c5e1cf6d7583efbddd
SHA1 0ec72f26d5dd4fd7a6813dfd57cfd3cba57f8194
SHA256 a1107285502da787c2b0c1a1c535fc9c8725d89c76c5d9c769ac6e08ed4bb0eb
SHA512 d5c9938b58cc2aa9a9dfe6e8e96c672205ca416aa4568293a51a11b8bb98695a01179a55712b5375a2d147a6ea121b9146c3612ba5ad02a4b5f46aa0190d4808

C:\Users\Admin\AppData\Local\Temp\OIsq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\rYcG.exe

MD5 b04201db1b854e807ea27f0f158e641a
SHA1 73118eb8e3f71f5654bdca195480963685f3de43
SHA256 02aa429793f26b15fd669c68f932006e0b4a9a2b5cb9f8286f4b4b052665fed7
SHA512 a96b8e92fe0186712d1bef394a4c51215f617338e2c9e0b9278a3d16ce630d3386f00bc07b68821697f0bd4f9f045869ff81ffeb0c69f82f1a035a956d602b32

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 f401f0284a0dd3ba320dbb72141e619d
SHA1 1e561a476601e305591ea995ccc68a266ed65723
SHA256 04a4f90cb503d87ae824a856fb3ef61ecd9ec8644b674f44eccae3c25e513833
SHA512 2fa4991e30614fcf15ee1ea80df9e5a9ec14b35a9a13a4da9b0a970cccb5e80267d960645e28b863575ace5a3a55ecc6a66dd33603267a06b61d683a2390618f

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 394f55c8e9809f8b72f53e0bc28bdc72
SHA1 0231f02f32d115467b54442099bd71bae411f62a
SHA256 919e1f2e04eec23ef16e67d3af3fe14bec43ee2050c06b4df24e26935ce7abbb
SHA512 1e879adea8719ebc0a1e5e6f876c8501dc372c005316c6b27373871de7a3898f0d287303a7dfe2d4a58e9c4273afbdef65b2d7f1a5ae48cd7dc96edad93d2cd6

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 aaf3bd0226af0a6b1be69e65baf3e7d6
SHA1 f5f22882e625e023e7c714283f27455f4ef8a482
SHA256 d9e380e14d6464d71559e25bbf24322dfd3890b8d59664ed48bd0749500c910f
SHA512 527002a76619a4892d48081cceae10e070af66dd2ced071b6f500fe4035b6968041f84110aa65ea6129904f43f6aa0c2286f6045e6bb5ff8841dd908708648b2

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 5cee15f8c69fd5d12484b55c9b182bab
SHA1 213b2123628958d78abcec373527e7f9cb3da97b
SHA256 0156ad9c1f6c23475d7ead9da25799fd1082c7d4510df1ab8bcd8082d7cc0c41
SHA512 b987a6eb46f3e9b743aa52a3eb8d1463564377fb8a7fd8c03291ce9099df7a221e4430c0f7442bd3fde5cce6b44369e98bb2868f5401763ed8a3719fa63cce9d

C:\Users\Admin\AppData\Local\Temp\QEcs.exe

MD5 06e0394d1bfa1537409e8fec584835e9
SHA1 5d5a8bb5b529e81d6af169dbd63e6a80c505fc54
SHA256 d9b4c43165ddcff660a0821006be25a7bc159a18e5ec010282ed9633ed58bd29
SHA512 01d3b0ec81f8e5f093ff7e92dfbffa694d3f62e8a9a9d2c1dbd36427bcedc60ba78c787cbf1875914aa117d308924e37ed56af60a5a4f0804c0a20a65d94781d

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 73ee0f2d40be999748f50fd23733904b
SHA1 3576ada4406c52403ec5c2ac9a8b0c3250f05417
SHA256 57c895f90c1b8eea3b6977388170ea795d8150b5d7807b74d06b89c73d130b7e
SHA512 7dc9935ef5e0daecffa8376302ade8ce4c8e9948d8f68a54ec0d1d666586c2addb57f4a96d141e976533bb41d183bea40b49a9769e6e374d86daae4dde0ecb42

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 ce77c260d351e90a5c1096337a60eccd
SHA1 968748dbd0c8be934d3b180963e7f1e5ef6589db
SHA256 e53d7e346ad8600a4f72e7adf8368776b073f4115090ee3cadfbc76617c748b5
SHA512 b748f50c98ab9ae4a2f63f3fa3830da44de9cd1a742850e98d58d2800659c16f212c7a8b8d1e1a410ff61cdab5f2369dc0a6cc7650613cf4d95e956640e07698

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 eb867ce337056f604f9ad855f8fc6cf9
SHA1 173e9f573060bdfd10a1daca2883105ab476c6ac
SHA256 402226495eca336eb9863ba7e1183d54f057a07137a709250df31f595f2c3e31
SHA512 cc2cd197f584686fd3577785710c0e8281266f23fc8661e21008ed842365a180112982a27263c9bb4ce733555efd6a87a0e8d3e2a17b7c4f5f282765fd698d82

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 f9a5aaccf73d9aafaf57438c7b1dab8f
SHA1 0835ff76e558022451e857895d4123bb4735947e
SHA256 1e335c2647e40fc26543ad457bc39fc7bc9efb8712b42ed5eae7d47aca06f12c
SHA512 f1ee48a7fac3873cffcab10e4b3a63124bdba168333a5bcfb4f7cf01738265b45e35f7df5a5c9d0e7711cc371dc1d94fa9caee8b359f9369f12c1f474ca9cf75

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 391d2e22b725d840f89d2b6565df5516
SHA1 5617b4f7b216fed3e7a7a33b669b48b3c337e398
SHA256 b2a5141b338e631d056621218a7ffd1a465dc26bc35027669daeb5d0565cdc21
SHA512 607575ceeba44ce3fab7e89d7be780b28f1eed0848b1236727063060f1163314091515a6a73c82c831e2f48e8aa60897d4fa849d02af4a6c303828c71525295c

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 f852d3dc2d72374349db48afabbf088d
SHA1 aff9935db5be2eabf958d71f2bdc4721fa1f63c4
SHA256 6b74bbeca56f3b6dee1e899efa4f9bf9fd6c62c7c071dec93255baf6c395f94a
SHA512 f7a84491efc266fe87201c4faafb7b5c13c02454436ff5b9859870e1a23e7a19b7dcab7471f8802c8b8b8ca1802f403f5a1fcd498e5c588ea94311e1e2c3f43b

C:\Users\Admin\AppData\Local\Temp\pkYO.exe

MD5 90dba19bfb2e74c9b0c73dd483fe6e70
SHA1 a4bc8b3acf9e088222c62cf67146d66ef5d08eac
SHA256 e89b7229f67b5187fa83a667ed89ab42a19c7ac4e0a394f2738eb86604ae6555
SHA512 fe2c642193b359f2190cd29590f05bbcb6d060d8950d91ab606ee9394348331f7c29d99e467d85d4ecd4524bd92bf649db01822505ebf8d105446f029b62e056

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

MD5 3d5d45261e1239e99ba35eee1e905232
SHA1 da2a329cb51a561c97a07ef93abfc3ca852b783f
SHA256 cea3d10d34e8e3863bac6a7f57f052c8e6a01f0149363d5ec90528d985f0abe6
SHA512 dad5c7d99701439f903d7346d664bb2123d9c7310868a170c66b41dfe3a752befa80f99b91e31ba960049f14717a8124a1bb7dd8e7718fc6e1ab932a1d179823

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 3e5e160dd08b61d9372bc731f6f9f4c2
SHA1 5488e7f7f8972a841efb009b4a8f2969c22eefb5
SHA256 1e8faea1b02d521de69d5002096bde41882300b89f4d70d5b4e53be04aedd2c2
SHA512 b16633498d91062be66b7c7a788a485e88619586176a7129be9d9c819f83faf681c97e8f8459f480be6654bb779f9eba3db33b1cb25aad6aa0495b67e79d31ae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 a9c7d50422cb59fd0ddad6e36317c2a3
SHA1 86080880579e1eca0c4b2369b04eab6a38fde9e6
SHA256 954f65425153d3d1d1fc055c202dd6056903e60f7add73bf64afb89f3992862a
SHA512 12be46487eee5de37eb4d3dc1ab6d3e190b49b7ab87e7060c3ddf21361a17033e801d05bcea87ce94ab6b047ba604eac6081441c21c30b71a05f044b5aa85034

C:\Users\Admin\AppData\Local\Temp\cEIU.exe

MD5 0d2648aab1bed9f59de5c1e6014afed6
SHA1 adb731f12e1139e41dddc227befd5c06e2123092
SHA256 d29c8a015005c4eae8fda77be0d34683b1a53f7ee12457a371525edd03be5b2b
SHA512 2b48e20daca325d59ab20d529cac6247bbc18652ed819c7ebac613545d3e50f8046de79c4d55cd00dcf430590c3873048094cc33272b7444737cc9876ba0b0b7

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 1c6e0e56085ab12d2f831cee41dfc746
SHA1 ff9183fe5fbac46ae115bb4a4032a21f9e1f3b21
SHA256 f6fd6e5e359e06a7766400b0cb6c90ddae6cc772756761ecfb2d8a2f504f7cee
SHA512 18e351846503bb545d7ec589949a7b04b68e71954c36f3a7299699f3704570f18d44ff69030f6d55cfc54d82845df8e35c6ae13fdfc79f29adfea7fab9159364

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 d01820d984c5a64fb252336e75e9d06e
SHA1 0890c2cad95f482fd3fc4828bf11461105a4a3fd
SHA256 d24f8ecdcdec0676ef7347a2e477c9d2be22efc692beb9e8ff4280b41d449c43
SHA512 03cc632b914b1135f50090da1d714d2fb84ebd542e0550c8c47a8d4702d301b7b587ec3bdb04f15b7a35c721aadad66bd2ff7c480af28578e42bd8d81c644b69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 503a94634b30618ba6aa6bd6d127d1cb
SHA1 657703e96ec59b1de9e782b3292e44a09aec0001
SHA256 abbd5127e0bedab9f1511bc75dd399993cac6e3833fd82639779b512e54cd079
SHA512 ed48d132fca597d369433501e597209d4bd7a6b3d43741b1dfb582d0f7d22a56ddf4ccd045b7c216e131b27c4b25f6e80de5969de3d511c967c1d0b0fced417f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 2f9dbdaa84eb6a7633e0e0b34ea0b733
SHA1 b556ab5135acc529922e7e9596b5db7d57a24f98
SHA256 57660db42abac4b3f60698fdebffbb962ef38d22b47893262a249e1f86dfa1af
SHA512 4f6008d491e8bbdbcbd3967ab6c073ad08d06a6c5663758fd475ede69dc8f43a040d80d7e6b17ae7c87f1ec2108f3df7f0baf6eb6e51957d038301781e3f605b

C:\Users\Admin\AppData\Local\Temp\vIkS.exe

MD5 be18cf45b1bc35a9be73e96da5d31511
SHA1 24c6dd07b5783c95704848f4ce60a1c84e386f78
SHA256 d2ba0ffffee2bdaa9c318b1095af9eef70b6df306ec6013ee2c45f79d60c4f8d
SHA512 e839d6194afece345db06f69a889f59bd969a7751c6d43cd53fcfbd40f094325ffb573157fca472c2b77e52fdbb9ebbd346b8660156db370875fa2835285cd88

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

MD5 bd04563bc938efe7d4a548acfec1f0a8
SHA1 6024e8012b1813776c6443e7105543516fd654ab
SHA256 ddb3a1c0ce874748dcdafbf85029a338f713e797792159efd643ccf8b6961d9a
SHA512 72594e0d06301813ad74e8bf6bd964b08a32c34fc56bc20e9895843d8489b34d6fc1631de60d3ddd7363876d036a21b61dd5490c8ddc4250f782a5951fd78caf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 8e8514acbba23ee11299de5d48e62256
SHA1 52d7d0860b4f8295604aa03057424db5b7b7f2d7
SHA256 c99372646bbd1aed4aad9f8f8514d97cc490af259ff38263b296021516fd2c15
SHA512 66d2160ecc8ecba96326792ebdb1d83876971097f9bb41a582a69887d017bc467e327150d1a2aa2a830e23f3e81811908ea3c1aad4bdb5ae04746abbf65746b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 005a9cb2440af1a83a24f0fe4d24567f
SHA1 352015b3252d089a7991b5224d1a7ff060e05cd5
SHA256 7ef8ba4195c6305ac4328f4d1b5eaf715c2ed67674b80c4645b4d12cd20fdc15
SHA512 9b134a469daae7e2a7c7bf30fd56ce3fe6fd955345e47bd4e4b5eaf57d855eeec08492a619087a90fe49c56b4f609e0475252d69f84f0807159828d0309503d7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 1e726acba15f771d49a5d5ae34716b26
SHA1 4118f2994b806059b53e1c07cff45fcb3e31f9f9
SHA256 74c777dd36e996ffc2dbae679fb0b8284d895d2ad9aa1f77dafb19fa22413fd6
SHA512 efcf0d477044b1a2d9e51d13092d07eaa13e23521173ecc859c20ad82c48e2fa8a99bb5f06a270b6931920d200e4c3f6a6336fc687bb62f27e7c42693a4cd019

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 1b2516a9b53e75d3a4b79f8f7f8a61fa
SHA1 b589f4f4925d865e93262dd57eec79ffbe90b389
SHA256 5de5744cd06e2d7a7dfcd54d387884a0881385fb200f6ffa13c570a0841dcaa4
SHA512 d6cc931648cc4ed52cff51f406fe1034936d5a4159dd8b9694203d49d90f29a8e68cbe0d19c99e04d744acae85b7e9c2efb95aee9a284fd77aee829f561575b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 505ce3f5a1afb5e4f185fc31d2a5db15
SHA1 3d98e53a48a9c86cf712168bdd4de844f6b439c5
SHA256 a1fe1822600c4bb589b59a37a08869f41944d951929f9d9ffdc37bbc6a88fcd4
SHA512 7c574ba7bfe8677695c95d9115d20bd1468423352349d1478407a52ec21ac40189306f7dd5056ca0fc38ebba961aabb2963029280e371a11327ec59cd97c32d5

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 85f720278578200a84e94ccb2ea4ece0
SHA1 f3d6bcc96ed13ff9a22af674a242e5a33fa2608b
SHA256 f9d00eb17f35cbfecf15c6b14c9b641440d4c1afb236e808065e930e985fdfde
SHA512 21690ff1db4e22cf1b78bef37ae3cbf5a4c8e2ac381699d5a5137e709cb6af01f1c6f1d4b644d3b1c8761fe058a0d1e4ead444c75907726366524f34de34cb75

C:\Users\Admin\AppData\Local\Temp\gYoo.exe

MD5 1f73660a481d67158239b523eea03a63
SHA1 76b9755c00c769dd6ffcb2c2ae4c0efc8cec53e9
SHA256 d30a2b964a9d856d11f3827b43d97fab6c37fb9004129aff241a9785fe89065a
SHA512 837e044a9e8bc02ff6dcc94193bb8e89207bd8a1228a8a9bd18ef207ffff3da78621b568b24aaaf203c38d727e0e4ccc4d82a1fa98dcdf002b72d0e1a77252a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 079dffda0ce65a975e926b97205aa2aa
SHA1 10602a762b92efcf9609644e20a994782be9be1f
SHA256 d261d990479daec337ad82ada7f0eed43cff1f28c180e68d577fb599ede3d5ee
SHA512 a25a00ece5d02af59a04fa3c60f1e694ecb7deef78fafbcca8e0035154552dbea13a535f602efc69c9e9c48b60a4da40a76286b05d8834a4dd996fd69860af6c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 6dfe9741e24d2c136b90c5a2b71a1662
SHA1 469771c0549be24fbaff84fbbb06b42e32479833
SHA256 559bb6621715fcada84afeea2a523d1b20241d2f70a141f8c3c1b380b733fde9
SHA512 c8ee3614696e17f8c0080a83499e49327e541d10642d6e884f57f96271b12ffc876fb62318e1818dc94257ecbb767128fc0507733ae5b6dc5926edf04416c2a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 906be91a14e41bd814e2e4336a5b5d6e
SHA1 03c244d4f200065d5ec33de3bba83df8e461d4b7
SHA256 2dab65561e26847db8be87e730b9b17b94bbe5b27ff0b1dbc4edc1c5fe205559
SHA512 b4059a57c187a98f435c9e201d67447806f1290cc5cae33d4b54cebc59cec363e1532e7a213ea0b6535642547a6458f1e0243e9d9c0a7e809496c637ad660c6e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 ea6ec5951cb5d4a93dd77057997b19a1
SHA1 5ab6dd82bd55cff0b6d379c610d14ee3280ae3bd
SHA256 7e2045c5c3b2153c502c8bf1e919c983feda1c1d71e9c3477f6b5eb7854e50b8
SHA512 b886626f97de73c95a6300fa432cef8be5628165172ad85cb0f6bd044588fd0cfe49915c44c31b6e5ee37ff5940b98b3a7e2dd6b95e4556436b856140f941800

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 3f270d4f226d54138519204ad5159517
SHA1 4cb803ad9d37e57cb7d25b98b8d00f65165b4930
SHA256 f6428e18f26b4c82b9667d3405c908b997b1bc582072258dd7be4d183b5c2879
SHA512 a8de3360007a097197d45d6124b0af2d440130dccbe969d18bb3059cc682f31dbede29989cbcfacae4b5072a33d3180805ac3d1357bfacafce378e6e227afda4

C:\Users\Admin\AppData\Local\Temp\vQQW.exe

MD5 44cf82081e099e44814b26d5a81f255e
SHA1 adca477c1bc0221447b48caa3969daa338819b27
SHA256 cdd37de78404366ca7f8f69f11f6fc23091712b42fb5c6444fb1e771d5adb890
SHA512 16a94eb6ec31a5e84cc3f7f1bffda88510c7285b04c61d6d4600e365dd4d71dee2ddb86883dbf50a6d94850e4e274e8af1ef08b205c0b57599445be9bd767b75

C:\Users\Admin\AppData\Local\Temp\GYwa.exe

MD5 11fff7cd5036fce81961481a76ed189b
SHA1 7130e27a49360fcaf40f5f94cae77edd1c2f5cdc
SHA256 779dd85f557179fa700ab0cbb96c661f905259d3356427b8afd91ec242a94cec
SHA512 87d1e13b17537e63fa5435e1fe4ab416bf989af8c5643796f592882ae49371838fbab77330d69b6270cfaa6a25115f8cd92f1ccd698201a071a8f2cb89e7ef6b

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 644b1990395b2191320da9401e0825ef
SHA1 a0abe76660e52fa4c701051f2496abfc9f8d7de9
SHA256 39adb19c9ffe2ef8cdeb8fed4572c48ed3ef5d5f40a3e197fa91cca53d3cf6a7
SHA512 fef526a33c3139143dfb928921b68b8c41ecbb523ef7b830dfebb55b7359cff57fa28133db16f2c6381a4b20f9e9fe14da51de38a657c1cda85426f79ba752db

C:\Users\Admin\AppData\Local\Temp\Dogk.exe

MD5 d87626a6d785bea662ceb92809525eed
SHA1 a194d556e4075e06c1b90df2ebd80173da62b57e
SHA256 2897877bac7b3a7b5a4e0dd77dde7bc9c201f8e09bd6feb5c7acb5b6a60ff527
SHA512 f9468022fb3aed441347194dd1eb4633a5c3a8a49b1bd499212da9bce352a040fece2454dfbe1290cc119f1abae075d0523f0c9ac646ff78c0295f957c0d84c0

C:\Users\Admin\AppData\Local\Temp\ZkYE.exe

MD5 dbd896852d289d5c1b1432cdcc21078a
SHA1 42840ae1fc49ad776389c58207d7c3b75611a0b9
SHA256 a51db4ba0d432aa69863786ba6554e6a4e5eead0bb1efee31293571afc6f86ac
SHA512 718018550f988340b18bcfe1264f4fce56ad6cc67b311986e66c0a7301459cdbd753cb7a32deb898ce2c1a402ec0327f9ed9a78761a3a74c0bab541476724877

C:\Users\Admin\AppData\Local\Temp\dgsQ.exe

MD5 9c23c4007d1d0c333faa173dcc4aafe2
SHA1 0bee23a8b80011e87054213df8ba297538fafa8f
SHA256 16f9450a90814915e0bcbb93fbcf9bb5cfae9f6339084d480ad0f2e99827aeab
SHA512 01524179537dda0035e9fefbd89f064493818150f2553a0e87a39c5ac7c80f7e693f7bf5b2b58ae576bd0cf9fdb783da743c6fdef3d9dcbcb87d66514b4cba71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 b5bf460c1ed808f4d8345f39e6d81ce3
SHA1 4eabe7c29b272774db0049aafa2615e90d22ac0d
SHA256 4889f94fbc4b6c4df9445d994d343141fd4ead66de7e6a694dabc74d8b08ef7b
SHA512 13f7ecdd9c35dbbf04653c4820ac94de077fa9cb320769c22e5edde95543ad875eae4ece428edbf3d5a100829aec0ad981dc7a2ff809b945e301e2d7b51e9fdb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 72a90ec68240f5341ec25bdbe33209a7
SHA1 b6e4fdbd30e3d4a6ec8ff34daf048b0460c84189
SHA256 1a6d0a97e08e9e6053a92cde5389dae5ded3781bf675ddad2375194911f98195
SHA512 edf93e3759bce47c0b1ed6fe66c370a4d87998c7baa0e48e85eb55d676b673843342329fdedadb4ef945988baa030724316093ed2c0e03b98c54c4302e2e2d39

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 5767aa7a73943073a6ab388c8967eaea
SHA1 e8d19adb9bd90d7834ceb11cfb0547572fa3b781
SHA256 621db6c25d6bff64c4761d017529de98461c30a42be5ab0c851b4ed3e17e2652
SHA512 e032767f2713f319164dbbf1c17adebe83db93c9bcad4fd30736180be2305502b9c999b6debdddce03bad701c10bc0c99839d37e39e54a37fe80170c11b06407

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 feaf7755d4d13565f48588d107a56346
SHA1 799888c34c5ab423fd06e5c7c1ecec1c1566de61
SHA256 d1298db1632102d9f29e4c6193cf5f4b8d1d9b46c3f4656f519a544813c672d7
SHA512 6eef5d521f6504f44b9c4513a941c72b886708d0ea3c4fc849885a54a0eb16b7578508146eb64bac858cd57e07e48ab57f24a996015522df8fa1ad425258e855

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 1b6be6ca6b03f0716ea5fed14ae66e06
SHA1 3f2b429675a286d9f2395d5b4abc6ac8936d02ea
SHA256 237a3a9903a7fe5da4bac0b368b4a1a387511095f992d4e28bfdb494c7d97da8
SHA512 a080f1c34c8157b3e4f24f1b2051fc17773318de88cadd73c3f814f09bf54afe70cc2b37824474d699d7bc59049f5d9dfe99285940001c4d6350965edab085f2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 773898bf4c4affcd4458353d1d0fe617
SHA1 8158384d08dbbfd9d9a00d1b64e2eaa8a2ea7dc9
SHA256 24338b87ac3f32e731ae1724421f6ec0f92056b0331ff03e9d1e0951f6435c95
SHA512 0882f13efa4c18f5ea8d90cf5e7820a0f5de48cd29bb43fe9d15852b26be75b3ee47851b40cf819a96e285d7658d5f82f26da15071574528c5e70c5685b85033

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 f38488c3ec259b2ca7864764291d3eeb
SHA1 4709f3aec47102b5f7241a0a314e38a43e18bd86
SHA256 34497e541c487ad3a3c4fa49a3e248c1d056575bec1ac2e2e94948ee28859469
SHA512 88f08acaf9e15e31039f079721f6638b66fc0e0cf09f6532963b469c382fda00c824deb54bac155a70e3a3a2601820ac887314ecaca644bc91ca8d80f5957e18

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 c5b4dddf14e79c118c55556fb18b69ad
SHA1 6f28c8e42e8596986579409f11341cca6fc354cd
SHA256 f5a43cc0c89429e9f36794621600661939bcb86a2b53903c159397619fbd24fd
SHA512 49044e02e21bc81eb44445f57946e86dc01953adb0ee6a3ac4ab4931d83ecab3ad227904bd978954bfc5a87ffef4c11e79f39a63760c58342f4e8fb0f67c958f

C:\Users\Admin\AppData\Local\Temp\kwMq.exe

MD5 b7f4e62d72e5882a0863b207b20b4a33
SHA1 3d91e956b6732667b15cbbb7d78a1cbd10358fc6
SHA256 bd0260ca12c40da2ac4300137fb585d3099d03fedea8512ddaaf66d0451a7e17
SHA512 edce958b8e869b171fb6997f0d270e6ba3dabc84ba5d7bc2648d1a6f75604744b38ad0092b63abbcc7d1c300b3bec9eb1cf906c7133a76199b2da46d551d358c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 1741e8f6bd683aa45d286c40a2455e50
SHA1 1efd1ec5c750f725273ccb3b0e5f6ff8261f4536
SHA256 f5b6c8e503eaf92159941376dae41b73731c910c8592bc5588454d8aeffd30b6
SHA512 83b7df1d8076807878468a845e0112641d038e36fad638c7d58fba6a19f67f860eef7f38b521df7da4c55e003da3292954423099e68b1ada7a201708d24205d5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 a5bceeb16cdbe6b26e697977fccbe764
SHA1 cc05e3b1552572ea296afd743f1b4e3571b0b11c
SHA256 f876e9e46db9cdc349fe94660fcede88084178883085e805a2077b57ca451d9b
SHA512 a68c84d54ac0273ac0bff528a35375381e475b9fc81d2bd31d0ecf3bcbd1c3cde5f1639938b1b9f75032748f99fe4f6e6105dc0d8b247d89a0ca7c03d720b1ef

C:\Users\Admin\AppData\Local\Temp\bQMg.exe

MD5 2f321642f309c8d4a3fb57d1a5395e28
SHA1 79e660c99157c9fb4010becb741ae6a50b38e65f
SHA256 93734d5f18cc3f52ecfc77c7bf6d9418b498590706bb018bc0defe5b82107055
SHA512 5938561ea8dd5f1e2a057c1a0838d1404e6d53803b87dfe56c365886d5a6be04ef56ec4e987ff6f44ab6388578b70cc7d87022fe9bd0f33079cd7d50cc2d14b6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 41c3fb1eb4698b1ad898190ec3b90196
SHA1 5b49212aef480d7c16408399a5ee2794b2b545bb
SHA256 2a3318ade2b6d687c079eef88881f13f325a8be6c27df81bd35e1209c18bed84
SHA512 02357bc2ad54a8af9bb8421e870e702ae4834a306c9a087064c170de789e9c7650b00b2f9cf710539c5c2913a03fe8e08cb87fa63e6723b3511d60e58187bae9

C:\Users\Admin\AppData\Local\Temp\UAMG.exe

MD5 f265488d585adb6bcb2a4ccb94fbafa8
SHA1 acd513082578d1d8f04601e8589d59b1c2485c2c
SHA256 0df4a3a84f2672eac31e12d0d2ade59f9660dc363d75b1567c361b74b7d39849
SHA512 8c5b0e62788ef6a3fe5b4c12d6bf09c8904bc53034c2aa1200473d0bd153a34ccee6ceaa0a796ec0288baaf5adbc1a32f9003764506c655f5c27e681f6a18115

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 8970da8d47d91bfacbda21f346f7c6c9
SHA1 a1db40ff402a2abeec8f06456846fd796b3dea99
SHA256 5d8cd5bbe3163d0365023bf6c635ab20d561b8905a8e67895edd146b21602ca2
SHA512 ed28d9d7e06abed16e9b33a29b494e9202e42766a4873e562c449bfdaa5a8459e1c2158d275daa73d9e38d09ee1e9362fe7e6c6abdd9b438a73645f45930cc19

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 56811ca994d6b401cc0cd63dc955efec
SHA1 bac7f368bb740e95766dcec4d91b298655d5c8f4
SHA256 f2af8ba786b1c08033b7beaa4f9829fa476082736f180e7d83c5d727bec065c9
SHA512 e53f9e3b6f49f1603d84de078cba4220dbf52747721fa7ac5f71bc30429f1de96d6d452ef50fe8dc0b0f0254ea58c90edca0c01c0c9f5cc3d1973e57895d7c72

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 f58fe6d50ee4f5fd8938b9cd7ffc1f26
SHA1 155f6d8952f8f055b6d705e84ddd1ecba1bb4250
SHA256 244b8eb055cd91c247474febb83ef8814dc119d2fada75ce3220dac710e9830c
SHA512 124393fb82085b2f923d430596d5fa3970a60c187a4a7cd7e18c88eabc16679c21450308b4e3571d11e42d3185111e5e7725754cfb4c418babb0b3128defb6b0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 ddfefcd9769d01f8855a49dfb72024a6
SHA1 d02c51fae8113c3d8bf0389ac1e7bbf491d85d07
SHA256 7c358d58af950930dbff1e1c1c8dbfdea3800752d3879ef63044bd1f660a045f
SHA512 3124685a2443a024a2870d0f38d3a8fbd2b5167546ac950253d777481495ad40d0008b45653c093cf38264bef51859613b6a4122f39858b46e881409d619564a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 3b2ac9bb4dd40886ef6891e978a2c634
SHA1 e3cd28e1e3a2cd72c93b6d6e3d060bbbfd5fb383
SHA256 66d6469e10b64f4961b1f84e5dc231232e7b54ff8228f81e289700452e7087d8
SHA512 6a784f49af44475d402df39a9bb130ba031342aad1e553cb720db6e257b5105dffb215cadd05ddbd690fce4f120a769b094a7c3d647572f548e734589b20a5d0

C:\Users\Admin\AppData\Local\Temp\gIwu.exe

MD5 34461f01444fd86f1ea81ed40436677d
SHA1 a303e51aa0e9f8b984e1198d20a3dd6d680f723a
SHA256 2a53417e90d0bbf7d0f643979a7905891a32bdd35cb6340d6bf19eb559902e73
SHA512 f05fbb371ba6559ca4d74b89b49322dfc6f63ae4c629204724737c26f41dec9cea02c503c232930a63968ea1969a0c4ac48ffc274bc6bea4afa987df15662138

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 5fcbeaae4f9b5d5aeeb32d90b5b16c3b
SHA1 9b1d33efcc475498ac1cb89a332abf36f30168e7
SHA256 39a8993c14a25c4fb6fdb0b8b46886b8326e14d0189bed8359549e241d039111
SHA512 e73a9fe83f494d0fdd49b3424d33e447744fffe479f93cda1373c2e4dfb084c58a1385d74343d14feff014a149cbf887c9ff6e5806fc84d126e07cc12020ada2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 6dbd5b9a2f2891626f641f99db3d6d22
SHA1 1a0a05fee812cfc66814c4c4c660f4b45ae4fcf4
SHA256 874ce77893ce2989dcaf2c0cb45c644f4c8c81ed5f2760fa769a3c3b5f057189
SHA512 3025ba3e4dfec07a20b74fa3224c5a360a328b5aec57a257cd5ccc21f5b0a00f3e24bc8732cb174bdc4c5ac904021a5ad0b0c477786f758c94a1934c48c75594

C:\Users\Admin\AppData\Local\Temp\CYQE.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 b6dd855c7450a92c1fde3933196963e5
SHA1 64076e2446c800905a9c576d8367cb783751a153
SHA256 4aed9c91fef3ffe190bc031737474b0348dcf8304b34825fde438392c0951fe5
SHA512 b370b03becc7999e66d1a06df3c766441853d5fbe27ad969252cf3e1f758fc90c5099edd01d679ce10bea11ded6aadc14ff35bf07e8afad4b2f0815b48dbd77e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 f0097df425c404bf63d97369d1be12a7
SHA1 17b982174d0440461d32cba63a49e7fe35d6b6b5
SHA256 448e89f76932462afe96a53da95321423dbaec413c1e088cfd81b22ecca53650
SHA512 c877f2079bbaccff0b186771b830a3d5fd64d57e5e0500c3b3aa71e4d779696967cd8d7fd497917c5a17fdb6d179de01e6e6ba42a5d1880e3260400fb2c46aba

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 8f787f89cdc5d4f7f5ce09b1819c548f
SHA1 6355b88b7990c4a885c49645081f56acfb42d89d
SHA256 dc9f639a48a726123a4bfeaba2b110438a3c8a77059ccfcf0c50078ff31e234b
SHA512 b1ce7fde1bf29b7f7b91f2455d89a1279ebb1f85e217f150c22fb3acd21de0ecf59a0f10d8738ec19bc020afa5b01ec45c6790b156ed0eb1c73fb60cdd4a628a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 8d9c703f4f283eaa31af6e8848787f2e
SHA1 b493c77cb7302d21726088257f9634bef8cb759b
SHA256 b54c5be3b9bb34dddd8c7119abdf74dcb94f10cc1edba14480bcb43869cff2d9
SHA512 0e4485a0cc92916464f69b19b1d446d0ef4c6088dfb53214c0c370f7295488a572ef950da77577276d43af72ea03111de47032c393dfa7bdb2b3d85b1b17145e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 4a195c205bc88b4f0f3a2fdf1b60941a
SHA1 8f896ed584cfa80d27d82ef4f43ffcbd15de3291
SHA256 a3c576a3ffcd135f6a683f5f23422a5eb06187d5ae976ee355f43fc60e26ff30
SHA512 bf5ff7e2944635aff4db782f78b0d070fdf2ad3c5aa6cf56e8ebc96f8f88f707e2d3082aecf84837193be0b4dea8c5961937ed71eeab3156733030dc52fc5a56

C:\Users\Admin\AppData\Local\Temp\xAcS.exe

MD5 e2a1987a304c4450ddb1524770a4366b
SHA1 0cb0b9a71ea026ee97e3ae6e328158e575b993c5
SHA256 9bcec17c4626a4bb6d006a5ea3b0515a046e668059a44a76dc41a17569f5cae6
SHA512 b78620ca32143a7d6bba885b998f6deaf4a2da0ff2fcad4f5903682e11af7ac6871113b093877a0098aad23d7b7fb5d81c343496ecb12d1d24b4ba7272e99e63

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 bd0dffa6ba5c1cfc6eb8b48b80410e12
SHA1 77d740a79bd4af897c8313602cfe34d0e6ad9c54
SHA256 9853c58bbc622b2aaf1cfe00431cfaf93767e449b0d94827d929f075b41f13ca
SHA512 bebebee21bb39c2f727627e7241c929a561145fa75938efed36b2c4c37e5b5e7c9ce4f22e6fc2b30b342157f24754507a918be43feea3c678b2211933540e5e5

C:\Users\Admin\AppData\Local\Temp\Fgom.exe

MD5 c92ac3d9068a8cf809586b4729b6bcea
SHA1 6e4428f0f36583d5e09a0b74bdcb4c3ec18bf316
SHA256 625d48ba02ab1bcfbc80752ae642fb1c95f632c836bcf51d4ca29c06ff4df705
SHA512 5d99d57382ddc6c107140badedda291e5b5398e9295c98e1af240c63bf948ba900709e007d9e0e8ac3d5f703f6189c2abdfb17f352548714c8c781aa2c522e3b

C:\Users\Admin\AppData\Local\Temp\hQom.exe

MD5 07bd7a45223f59cc797f09ddb82fcdc2
SHA1 6bd65e726765a981799661732c275b95ec4dd566
SHA256 af46d05517acf3f8f0944bfbdd110f7a479ee7da4c4d7bc85e50cad1371b319a
SHA512 1e169de8c650ea135003dcaeb209c5c54d07b079f7da5a7f60562051735c24b63be66cfc5a4484512443a8aedacef63c20141f93919ce22dc658c99a0964e06d

C:\Users\Admin\AppData\Local\Temp\gwYa.exe

MD5 47f51cf71b60585404ddce468b1d3987
SHA1 1d9a5d4e4201234d5ab87a0412f47d8f128d8318
SHA256 c24189674d34ce908e5ed17670f35dce5499bc1040d545bd02b4bde9f2165253
SHA512 dbccc18600029fc767ee4dc52b0ff68de50b7ade154995561892a1235d44e2e61dd0915f19291bf8a2dc56adb9de62d9fabede621d48b73b4f599f559f840ac8

C:\Users\Admin\AppData\Local\Temp\gskm.exe

MD5 3ee011a715e498358836be83e4f0e89d
SHA1 6203312aa76c249f404c42f162f30f8cf0cc7b40
SHA256 6f9bb1baaf57be13081aede96b25212d18be7ac2ac97c34515729b25f3adef64
SHA512 54b104af2d449e47123343dc33d723e272e8bc123fa85c78c45d7ea3451793bf4e6ee21422296995a0de6390d1c615a866fdf9d35795a0aac25d9f43afe63b75

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 b3a32f6232e9f4473ea52d59c2b45b7e
SHA1 6e79950ab339a1e1521814df765d1fb275dcb022
SHA256 87b2bbff3178f83d349ece7b15e73f6eb8168c375eb6b08307d8eabf7ea4beeb
SHA512 c00f9ff3c2458355c20e133c75856af10b7a18fe4324f97ed13b3e884a9daff1be91ac10b241c472a2d8c3808169f8dc5d66de88b57774dcf11c8d9a4ff8fe2a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 b600c008941b4dcf6ecd7d029cc92c64
SHA1 8642556c117426eea78f17c1020ef18467920258
SHA256 391da6f89bc5fbe7fadcc233b9c76adcea7ba8ed8e6a2e4d62f43a44df594332
SHA512 de5da93034e7a394ee9007d5d07580d6c86f87ed1b424e06bb11ee390852aaf6291b7a7055b202789ac46b42dba7471492a42e1e772d130a68e6a2d55ce97eb6

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 5e165cf95a029732e218f8c9f4894fd3
SHA1 b7fdae513f2eff6f13d40b471fe7182306cfd6ee
SHA256 4f673022e0424146b1371c1cf3b8d6f83b756c3f62c9fb939572de4a1efa1b6c
SHA512 181221b509954206ae694b5cb233f0d22f2853161b382bf713ff6377fab9d3f08b6e59f061314b37777ed7ac6841883f213e2bab92f5cfe599f58205d71d9496

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 89eca6c1b1f014d6d1c3e9db7519b3ba
SHA1 faa3d5d6b388f0b46d1d2d7994ee0990476e61e2
SHA256 a6b87766d9aceed3264890a2fe76508991fe77bce55d19f5fa7015a64edc575f
SHA512 9a4d3c0c0944316fd6fead80b27087da8d26632b257b8eefa677760f2d13435572816ec4fd7ff52c54507bb7db36a61d1a24aa5730be01fc989e2a9c7de0422e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 9727c2641134cdf462411c89bff916a6
SHA1 9ac9b48c435c095180febb506168aaf0a7b375d6
SHA256 8238832cd3a658960a50f91cd6316da3f15a77023826deb96f6d9fdc0018e212
SHA512 8643942e0f86d409686b55a4eade3c06b1e4ba554f02c033e796db76ccfb6656686071db93d2abcd495baffa08383c28dde2f609f2150d46beaa03178781c616

C:\Users\Admin\AppData\Local\Temp\YUUU.exe

MD5 01d1659689d0af9c835b6d9175654ccf
SHA1 5473dd5933916e7e86050090bc46f53688baa5e9
SHA256 da7b792f51030ab164f6eb2b5fad40a0a659ad3cf5973b7db1bbdce7e537d525
SHA512 1fb2b8acd6512bd0281e2536fff273c3cd2e5d5b429fa5511bc55ae476902820117a9845daedfd389cf39e8cc759b0a611897ea3a8bf598602c7784bea9bd63f

C:\Users\Admin\AppData\Roaming\SubmitGet.gif.exe

MD5 027848b160b176939ad007a5890015b0
SHA1 b26f3ac981f08a3c1021e3e890185b1241239594
SHA256 c5f5d251a41c5dc8baac19ee5034a00b9dd165e4492fd877a057f4c970dc0a2f
SHA512 879909c1e2fbaf1470445f62dd1a324e8a98adcc9ade94ef8954dbe77781fe8de80281ca46ddb9d1f25a843e50b6b1345fb25d9ce2473bfae45eae1aca2fb4f9

C:\Windows\SysWOW64\shell32.dll.exe

MD5 99058f46846cb4c96ad2df5c13728390
SHA1 71efd0dcaca0a3b525802833de59800cc79ba4ba
SHA256 08c381f58feadae96ae0c797e4ddc744e383e1089239fd6b5491052c4f01eb56
SHA512 e069b9f59e1cc2f5aa8618facb0fd83e3019b0480e8ec29ec0d9cc4b0ce1bafa32fd20b9d6965c2db0a02b243c09438e6e2ec5978e9d103562124486d151b62a

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 32153abcf94277c0a8097d85570eee6d
SHA1 af64a0e1b1b06375711280627a3569f007111945
SHA256 c84604cb80370d74a417c6275b72788e4362cf8088f99ce06c3b724c4ffb275d
SHA512 633bd6c687f66c72aef7aca555505806494542fd60e61290e0e439dc10fcd1e4e81061a89efdca2016be69eded23233c65330eafb6d6a0246676a26783e1104e

C:\Windows\SysWOW64\shell32.dll.exe

MD5 40438b5a448c8a6ed05ece45e56e3e1b
SHA1 9ee79364ada554987261ef12e0dc80745ca29d63
SHA256 cee64a81b1b57f9a0aa253a1eb20794ab7b73614c4755f5f4d3c5445fac8f210
SHA512 25451d389453c1e6542c17dec826c2d0175239492acb9f835a60608bfa27ed0bf4967f5eaeb210404f3aac1940ef8c152c14ce0d7d1ab398058674d486af09d6

C:\Users\Admin\Documents\UnlockRead.xls.exe

MD5 cea7946aa433893621329d50efa3a6ea
SHA1 39ef5b35bf7cea7017a57c6de7d733374d29cbb1
SHA256 9c5cf43cc1b5ae9bdd24f2bbb40ca4ba1491538b6e448ebc763aecaf143a7851
SHA512 ab4f600680ea7c7577fa4f7b9919f7ea04e4de50692e7408d8900a5be9a48a5a404eb1b118db45b49600f93679fe2ac218ec74be3ca9e31fc5b348cd2f86589d

C:\Users\Admin\Downloads\ExportEnable.wma.exe

MD5 0aca00f883aaa447c2e65840252db8bc
SHA1 35659729d9f659b62614bdcbb53caf7635f87365
SHA256 3743ff6bbb7f09391d0362a458e79cc04c66d9716485f43b8f85eef749eb410e
SHA512 c4f90a18a230c29361e6c410dfdf84cfb6f450b6f13c03a94dba24fbe4490b541ff02bb7b14b2287ffb6a42c695b143d2194fdc9f3d2a0666afdd8d378764f2e

C:\Users\Admin\AppData\Local\Temp\nUcG.exe

MD5 554b9b8ec94560938ac9269fe3f69074
SHA1 3a04b1d423e26a0fe412956bbcfe6e09483d4026
SHA256 bbedcdf1fab5da9d1d543569e8466ebc83633b6a3cd54bcb98a02f400d62461d
SHA512 e39c9f8ebc7184563fa5f26673fc57832050ab8ed90999d02476c1b03a9ff995f6cc9962fb0a4614f4322a01ba6ee02789645da0282157299b43069b24de3ec0

C:\Users\Admin\AppData\Local\Temp\eMoo.exe

MD5 033c4dca804c618f0bdf3fa79b4cbb87
SHA1 4114117ff3fd99529f1cf872ef3fa6d142aea485
SHA256 6080ad0808e092250ebd79dafa5dbd983996f056426889cf5feda96c853ae159
SHA512 decf14d4c764fde7c4dcee214883dfe42fa413449918ffc04088f27c05992a791e6788d2c98cfd4679bf173fe6d574b78118ab9cf2f759ae2105e294888cb777

C:\Users\Admin\AppData\Local\Temp\uswM.exe

MD5 42bace9ed32de2be945ec40d1897912e
SHA1 a2de7760719ec8b57bb025c57472a2bbe1d7e8e6
SHA256 34ff8bebf4906bdae38f98475f29c104ec8065bed8dd68d89b10791fedd6d4be
SHA512 0bd86a83e09952bf57150ec1bb17a0989a200d0dfe51aef8a11549166f3de3e84bddfae0f5d33f499f97460e0ab8ed65aa89ad156347c9323e597f3760effd16

C:\Users\Admin\AppData\Local\Temp\JIAw.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\qQAc.exe

MD5 04916566b55bd082f3690ff6f7fb8a30
SHA1 a9443c4da2673859ea0bf042e0aa2847432537c3
SHA256 6d91ded3ea52d4004136505b37d444629bda4ca69b8becf440efa55066dca103
SHA512 40f7dcd94a6d6b8dccea9037d63f39370ef6fefbd318dbf129a08088655b7d0344553fd4224b6d814421bbdbd16e8b34fc78716a20a35b23dbef85e132dc0b3c

C:\Users\Admin\AppData\Local\Temp\cEQU.exe

MD5 0255039e19ef04c9786126b12f9b6bcd
SHA1 3512793774f393b378b0baebd719386619fcce48
SHA256 48d8940567778ddcec454b26ba50e5585194a66a268a992118624f2b02c17a36
SHA512 63b4a42aa77f9dc0fca4b40ce0b72b978be58d220a1664f3cf086dc5e72000c2dfb929cea3f08bbd514e2efc7ac37ffdc7fb4ca2fd0f9d839fc74718aa2797a0

C:\Users\Admin\AppData\Local\Temp\LkoU.exe

MD5 2cb707d7f668d25d9bd5a4f6ddf1fc5a
SHA1 c6100ce30941acfa095a4a51f696e5377284a41a
SHA256 9ce5b44b22d9684c37949943106f15a6c1a184a6ac841222a4939bde6a697fab
SHA512 eac33e6d62ac5e584236caaa6a67db557adc658c505119131b474ecc7a4522083213d77f7a2e46bbdc4208ee609b0341500850d69868d2b885bc4fcd644bbb4c

C:\Users\Admin\AppData\Local\Temp\LoMs.exe

MD5 8f6fe87fe5de350bf21e14e9db6c2e4c
SHA1 380c564011cb5216d33c3ad1951d961f06924cb0
SHA256 7b796b5d451269693483bd7509d31315c7a4a522806d6558b82782d39d2d0e3e
SHA512 cc850ce34a3e0fe4e3fe40623a73b8f0972fb488c630a0493bb7bdfdc4ecb35f178f55ed4b9a2e9ce6ef45b0d862703f476a3c65300e80fec802b804f4087e8c

C:\Users\Admin\AppData\Local\Temp\DYog.exe

MD5 1e2507f9ec619b4d6f99cd144730624e
SHA1 d187810b6797288be153a94012093f5c2111a1f5
SHA256 8453c99e9ee55bb85eabcaf5226258a718172536242b8d732a9e7f119c1244e9
SHA512 fbf41b68e0cc609d401994cf1ac058859b216d7c67dc5621c5ce934f6cd9d692799cca5b1eab8e743a31ce6d367b5cb36f2417ae3ca74beddb8f78e98c216335

C:\Users\Admin\AppData\Local\Temp\tAwG.exe

MD5 1e8a0e47916820240ff9c0630735ad94
SHA1 76cabd8762d782a8783f47b25dac6046f3b24ec7
SHA256 a057fbe106383836115259ea142576218906e463ea49bf80e02f9c4421cbe182
SHA512 f2415bcbe18a2f15e22c2cdc6767c89e982ac337c3c1a985964f0de8a0fb23623f872c539db42d3f23344e4d52f3c4d5667c50c6f2cd0debaef6e582c1817d77

C:\Users\Admin\Pictures\ExpandDismount.bmp.exe

MD5 b2bbd9378337af868b046dc4d7d5b254
SHA1 28875fc900333b11749eefd1b7e49a0be650fdcf
SHA256 bae295a1809e3901864b59befd7a3ed4dd53e3f379795d5323def8972200c01e
SHA512 b2d5c85ea92dbcc606f5e39b9544274330f3dd25f13666437b48bf2fc4b8712a76d805fb66977caa13765814c04b20a063098365ccd950face63faa930b5c6b9

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 3f66e82a031bb9fffb05f15127b1b2b9
SHA1 96d86329cb51b160e3a7101a76c534c07a52b0f8
SHA256 eba7a9a0abda7f7e0a0f6dc9add103d8a75ef12647682b997314dbc5f9400bc7
SHA512 c8e9bf6b82dcc2ef3851cf899928fb082f6aa8c252b1e208669bcebf8856221615de41ee246d8a9e7991bdd49d8e843ef2d7fdd698aec3da36a69e1ba72324aa

C:\Users\Admin\Pictures\ResetNew.bmp.exe

MD5 8b578d0082f6b970bf420c392d2710d9
SHA1 04c53b6f7892679ed9319dd9b0834a999bc6994f
SHA256 53faf43ac229d2391fbd4cf146c61e86ed94734a811f8651e00a85b01f66472b
SHA512 6acd7c2fc21ba498df76ae8b9976e9af2fb313b7260638e858b56a1f13f49dedae133f3e8ebfc8ff5adc0a45fef5edc6ab3921cd5d758583488a5e861314b56d

C:\Users\Admin\AppData\Local\Temp\HcAM.exe

MD5 9d727938e106394d5ef2b923f2cb4515
SHA1 ffbe65efd968957affb56019565a334ccb14f518
SHA256 9954f6c19c34a2313d1d8e9efabc6dcc80d3da064ea354461862ea35ff96b388
SHA512 0c36f222631f63ebb2d2b87100740af75ff5c60f16f1a5978b2548d6ff2acc016305cee1574a1e3176863ddecb8e0e8b78ba6c624f0c4794d10ab1d76d2952c8

C:\Users\Admin\AppData\Local\Temp\hIgC.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\UnlockFormat.jpg.exe

MD5 97eb780771878f6e71647b533aaaaf56
SHA1 aa4b8138e8520f2b61b0646767d100094461b9c1
SHA256 c4357edea11aa992160eb75546e2a0fa1ce82172cf7036f6faa953902d2f8e38
SHA512 a478a8226faf058c12db4871574fb3f4192be4943a776414a436e0cda349a88038e1e3fa7ceeaeba7bf8ef89f9cfecc38afcb2ff8798326fb772a84079278a4b

C:\Users\Admin\AppData\Local\Temp\oQok.exe

MD5 ffabe782ac0c78275d5a0beee552cfd3
SHA1 a0a9c2af73a276261442fc806508b06d49a486c0
SHA256 9c155e6fb7b23f157bd77d4d189785a83f9921dd3673dd8313d095ff81092e04
SHA512 8f259c4f87b012b0d42b75fce986b042b2f3aca040b2eef67cbe637e3b2743ab72d8446ec39ae4cd37f72ab2c7b1b7b20765a8fe0918141d808f1f7a10c25a9f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 e444b2f9194f1c2da0ceb3754530ae84
SHA1 5d7920c823c0183b48898a170c5594c377594af8
SHA256 4e92cb4cc6c54d20fa8aa707afccca525acbdab0730a4263a476493d275d3213
SHA512 9d17668a07a6ffac323f871dbccfacbc6bd8a15c4f9856184f4f5905e81029bfdeedebacf1fc09684758a8cf5e05a82f88e9429e961b35726d6e087596140cb1

C:\Users\Admin\AppData\Local\Temp\KgYG.exe

MD5 31c869a7a7e33721c8cc7021f1482e7b
SHA1 0b606ff3eb656ab0bc608277e3f192ba47072b9d
SHA256 04c5e9a233753112d642fd819c0a64a7bc40281f3b58baca2dead64f8ddbb844
SHA512 4e666e47650fc098a6c00936fb5cff6a6b1d0353ccce09742dcd9c7089659d857d0edadd16aa420de1833a1bdbfcf9c24a3cb849fa30e61fbcd4f9929b5e5df2

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 355a0c78bfbd2c64f6566b247a7be92f
SHA1 4d93bc53f5d396b32b31e3cd8f26e7f03a9959de
SHA256 3349c9d43e7700848a9651ff141e2ba35313960bfc1d1d39a109cfd911204aae
SHA512 fbd61cb141a74afa1b8d3e9813b30d3f53f82754d84f415fac825bc2cd73bdbfaf7242927ec0425a91f62ad41889c03dbc55dbe3b0db8cc74e02c5f29b2bdb82

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 aadf390b430a5545498781e8a844340d
SHA1 88ed5462b04c082f23f5a3b1adcbe9e585cb9d86
SHA256 99e2cd6c7e0742d20b12a96f8ff47051b6b9c684f1d297652304602f296c022d
SHA512 613d50336142e41c4c3d22fb3bcc3d2841478e2cf134f9db4e38d6aba26ed44c6c967948e2b46421d2707086082e580fb66a3ac10005cad745835dfbabcaeaaf

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 de4492937b263c7af0a9051d0c5e9e37
SHA1 430f1b08b60c862149693ba467df19e8bebf8d4d
SHA256 b2b21bbe80d48346747bd712f5adf6a940ed07bc63f221fdb5d99ff3ef439d81
SHA512 45cc889d5e39096591845f68cd09555ecfe5e0942557f4e3410b37ca7126139432c003d8dfe673c8f03e0e85a9f73ba93c5c24e1dc53a92191e629c25d81b1f0

memory/1320-1771-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1688-1774-0x0000000000400000-0x0000000000434000-memory.dmp
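The listing above is raw sandbox output: one path per entry, followed by its MD5/SHA1/SHA256/SHA512, with memory-dump entries at the end that carry no hashes. Two patterns in it are worth pulling out mechanically rather than by eye: victim files that have had `.exe` appended to an existing extension (`QuotaNearing.png.exe`, `UnlockRead.xls.exe`, and `shell32.dll.exe` written into `SysWOW64`), and paths such as `C:\ProgramData\FWgckgMQ\ceAIkUwY.inf` that appear several times with different hashes, meaning the sample rewrote the same file repeatedly during the run. The following parser is an added example and is not part of the original report or of any sandbox tooling; the embedded input is a handful of entries copied from the listing above, and the executable-extension set and the `triage` output layout are this example's own assumptions.

```python
"""Triage a sandbox 'Files' listing: parse path/hash blocks, then flag
double-extension renames and paths that were written more than once.

Added example, not the report's own code. SAMPLE below is a constructed
subset of the entries in the listing above, kept in the same layout."""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 6dbd5b9a2f2891626f641f99db3d6d22
SHA1 1a0a05fee812cfc66814c4c4c660f4b45ae4fcf4
SHA256 874ce77893ce2989dcaf2c0cb45c644f4c8c81ed5f2760fa769a3c3b5f057189
SHA512 3025ba3e4dfec07a20b74fa3224c5a360a328b5aec57a257cd5ccc21f5b0a00f3e24bc8732cb174bdc4c5ac904021a5ad0b0c477786f758c94a1934c48c75594

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 8f787f89cdc5d4f7f5ce09b1819c548f
SHA1 6355b88b7990c4a885c49645081f56acfb42d89d
SHA256 dc9f639a48a726123a4bfeaba2b110438a3c8a77059ccfcf0c50078ff31e234b
SHA512 b1ce7fde1bf29b7f7b91f2455d89a1279ebb1f85e217f150c22fb3acd21de0ecf59a0f10d8738ec19bc020afa5b01ec45c6790b156ed0eb1c73fb60cdd4a628a

C:\Users\Admin\AppData\Local\Temp\xAcS.exe

MD5 e2a1987a304c4450ddb1524770a4366b
SHA1 0cb0b9a71ea026ee97e3ae6e328158e575b993c5
SHA256 9bcec17c4626a4bb6d006a5ea3b0515a046e668059a44a76dc41a17569f5cae6
SHA512 b78620ca32143a7d6bba885b998f6deaf4a2da0ff2fcad4f5903682e11af7ac6871113b093877a0098aad23d7b7fb5d81c343496ecb12d1d24b4ba7272e99e63

C:\ProgramData\FWgckgMQ\ceAIkUwY.inf

MD5 bd0dffa6ba5c1cfc6eb8b48b80410e12
SHA1 77d740a79bd4af897c8313602cfe34d0e6ad9c54
SHA256 9853c58bbc622b2aaf1cfe00431cfaf93767e449b0d94827d929f075b41f13ca
SHA512 bebebee21bb39c2f727627e7241c929a561145fa75938efed36b2c4c37e5b5e7c9ce4f22e6fc2b30b342157f24754507a918be43feea3c678b2211933540e5e5

C:\Windows\SysWOW64\shell32.dll.exe

MD5 99058f46846cb4c96ad2df5c13728390
SHA1 71efd0dcaca0a3b525802833de59800cc79ba4ba
SHA256 08c381f58feadae96ae0c797e4ddc744e383e1089239fd6b5491052c4f01eb56
SHA512 e069b9f59e1cc2f5aa8618facb0fd83e3019b0480e8ec29ec0d9cc4b0ce1bafa32fd20b9d6965c2db0a02b243c09438e6e2ec5978e9d103562124486d151b62a

C:\Windows\SysWOW64\shell32.dll.exe

MD5 40438b5a448c8a6ed05ece45e56e3e1b
SHA1 9ee79364ada554987261ef12e0dc80745ca29d63
SHA256 cee64a81b1b57f9a0aa253a1eb20794ab7b73614c4755f5f4d3c5445fac8f210
SHA512 25451d389453c1e6542c17dec826c2d0175239492acb9f835a60608bfa27ed0bf4967f5eaeb210404f3aac1940ef8c152c14ce0d7d1ab398058674d486af09d6

C:\Users\Admin\Documents\UnlockRead.xls.exe

MD5 cea7946aa433893621329d50efa3a6ea
SHA1 39ef5b35bf7cea7017a57c6de7d733374d29cbb1
SHA256 9c5cf43cc1b5ae9bdd24f2bbb40ca4ba1491538b6e448ebc763aecaf143a7851
SHA512 ab4f600680ea7c7577fa4f7b9919f7ea04e4de50692e7408d8900a5be9a48a5a404eb1b118db45b49600f93679fe2ac218ec74be3ca9e31fc5b348cd2f86589d

memory/1320-1771-0x0000000000400000-0x000000000042F000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: extensions that make a trailing rename suspicious.
EXEC_EXT = {".exe", ".scr", ".com", ".dll"}


def parse_files(text):
    """Turn the listing into dicts: {'path': ..., 'md5': ..., 'sha256': ...}.
    A non-hash, non-blank line starts a new record; hash lines attach to it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:  # catches truncated copy/paste
            raise ValueError(f"{algo} digest has wrong length for {current['path']}")
        current[algo.lower()] = digest
    return records


def double_extension(path):
    """Return (inner_ext, outer_ext) when the file name ends in an executable
    extension stacked on another one (e.g. 'report.xls.exe'), else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    parts = name.rsplit(".", 2)
    if len(parts) == 3 and "." + parts[2] in EXEC_EXT:
        return "." + parts[1], "." + parts[2]
    return None


def rewritten_paths(records):
    """Paths logged more than once with different SHA256s: the sample kept
    regenerating the file (config/log churn) rather than writing it once."""
    by_path = defaultdict(set)
    for r in records:
        if "sha256" in r:
            by_path[r["path"]].add(r["sha256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def triage(text):
    """Summarise a Files listing for an analyst."""
    records = parse_files(text)
    renamed = sorted({r["path"] for r in records if double_extension(r["path"])})
    return {
        "records": len(records),
        "sha256": sorted({r["sha256"] for r in records if "sha256" in r}),
        "double_ext": renamed,
        "system_dir": [p for p in renamed if p.lower().startswith("c:\\windows\\")],
        "rewritten": rewritten_paths(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

One caveat when turning this into detection content: the SHA256s of the renamed files (`*.png.exe`, `*.xls.exe`) are hashes of this sandbox's decoy documents and will not reappear on a real victim, so they are poor blocklist material. The durable indicators are behavioural: an unsigned binary appending `.exe` to documents and images across the user profile, a non-system process writing `shell32.dll.exe` into `SysWOW64`, and repeated writes to a random-named `.inf` under `C:\ProgramData`.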