Malware Analysis Report

2024-12-07 09:57

Sample ID 241114-gjm13avjev
Target e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe
SHA256 e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c

Threat Level: Known bad

The file e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (87) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 05:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 05:50

Reported

2024-11-14 05:52

Platform

win7-20240903-en

Max time kernel

120s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\bmgQskcw\rIwkgwYo.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rIwkgwYo.exe = "C:\\Users\\Admin\\bmgQskcw\\rIwkgwYo.exe" C:\Users\Admin\bmgQskcw\rIwkgwYo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rIwkgwYo.exe = "C:\\Users\\Admin\\bmgQskcw\\rIwkgwYo.exe" C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsEcAskM.exe = "C:\\ProgramData\\qmMEQkgU\\vsEcAskM.exe" C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsEcAskM.exe = "C:\\ProgramData\\qmMEQkgU\\vsEcAskM.exe" C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\bmgQskcw\rIwkgwYo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\bmgQskcw\rIwkgwYo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A
N/A N/A C:\ProgramData\qmMEQkgU\vsEcAskM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\bmgQskcw\rIwkgwYo.exe
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\bmgQskcw\rIwkgwYo.exe
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\bmgQskcw\rIwkgwYo.exe
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\bmgQskcw\rIwkgwYo.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\qmMEQkgU\vsEcAskM.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\qmMEQkgU\vsEcAskM.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\qmMEQkgU\vsEcAskM.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\qmMEQkgU\vsEcAskM.exe
PID 2664 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2892 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe

"C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe"

C:\Users\Admin\bmgQskcw\rIwkgwYo.exe

"C:\Users\Admin\bmgQskcw\rIwkgwYo.exe"

C:\ProgramData\qmMEQkgU\vsEcAskM.exe

"C:\ProgramData\qmMEQkgU\vsEcAskM.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.187.238:80 google.com tcp
GB 142.250.187.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2664-0-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\bmgQskcw\rIwkgwYo.exe

MD5 0bd626e12e2a3da44558e6bca37a2146
SHA1 8086f01e0a417071b8eb36af0e1821cb7dad7bfd
SHA256 799705fe943c794b70817bf97e6e55bf75a1db630511ebdd8b5b217f1a73ba7f
SHA512 c0499a5452e7cce59234824b88329eb944dd4fc105ad9c0686e4c657904b0d1d9eda9ec45cb04ac6250f0a63232219cb7a2f80f0668340c67411db44d71a15df

memory/2756-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2664-13-0x00000000003E0000-0x00000000003FD000-memory.dmp

memory/2664-12-0x00000000003E0000-0x00000000003FD000-memory.dmp

\ProgramData\qmMEQkgU\vsEcAskM.exe

MD5 9ede5652adad181be3067d1b6d88aac4
SHA1 46f7495426912f3099b3508af7abc9e1d1926498
SHA256 3788cb341099cba72b8d59589b70e00418568c6db51d272eceb56f41fddc0143
SHA512 0996509c793f563b85f2ae3425fa5c42ce7fe1259c2bebf09d250fd58f0e9d92f99d4713632c6f9725add504c7042bea8a928edd8d96c80e176bc477cb6102d5

memory/2068-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2664-30-0x00000000003E0000-0x00000000003FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fYwgEYAA.bat

MD5 5e61e7152a7c2c823717d1f3994abc11
SHA1 155a7beb2023c27141b138686fbe79c1226a89c6
SHA256 946f83a14b22047781739aeba5aa597eb86247fc85956e104c637cb512152ddc
SHA512 af45138a34035966562070c7905d8022d240b861ae079b673ff57972cedb0d8aeed6665f040b060e039acc4b358cd55240949e069c3b5c044be1e739be87dc4c

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

memory/2664-35-0x0000000000400000-0x0000000000490000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\GMkM.exe

MD5 93f9c7c155ba460180e246ade57ed4e9
SHA1 c884a5c4bdbff4a0015201816e29bb447fe5927a
SHA256 3cf25e8d19391cc9fcea4324fe66fbd5c5ed73ec3017434051cfad72c8e74f5f
SHA512 8ab4a2801b609199608a9f7c334d738476b13d70f987771ce821e4d3fa589c44b91f66539544e9813c5f4e454e4653a21a742a65a4b988bb872a9ac95d3e6aa9

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\AQUa.exe

MD5 1dd70f67b76bba91ebfd2147ac9b905c
SHA1 9485764f067ab83f81dac83206c39e7f58fe5a81
SHA256 d935e17f58f934528c9f6aaa69fb3514b452cc9504bca8ee72161c9d7c1bd891
SHA512 cae509ac6bb9dab502d6f7e0bf2cb3053b1d3dd4e1522e452911283503097ab14a95eeff846d5ef1c97935c45a843873827995512facbb822a8a4b4a19d8959d

C:\Users\Admin\AppData\Local\Temp\swsC.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 765af4ddbd13051fa389a07ef6d088fe
SHA1 a3b8eb512fb39d459421021e2042a92604f10385
SHA256 eb7633156d801cccdd2e707a7923dfce24bf3537c2dde056c54a5b0de979f1ce
SHA512 63e6760f6f0e503696366f4c76c1f983e2933600102c6f2840529610ce23258ab026b4e5605209c354766ba474bf3d6f2ff7b09287bbc8114a7003f7c8fce885

C:\Users\Admin\AppData\Local\Temp\mwgQ.exe

MD5 0efc54bcfa3f6636160ef0e64de30b9b
SHA1 55eea3b9404f6e4d67b2e38cd5e5e8ba8ad47cdb
SHA256 e2c0df36677a6958d7b083cf44e49a0d0122dc1a9dfe9312fa156bbb1956767a
SHA512 a064311d3f42fc17220a3d56c1f60171dc81c38d969fb25ae8714d2310a9a7c26ec3765e54fceda9de0f19beb79497675e004bbd56edc9ef006e5b9e05e7602f

C:\Users\Admin\AppData\Local\Temp\swke.exe

MD5 28eba8763b21a88740b1ee2c40032efa
SHA1 5b3a613bae61936b6f7f69c1b8a80cd16765c09e
SHA256 94e7934be6212cc85b5e6ecb85f76a268d432759589476181c08e6eed77db386
SHA512 47a851e5fb5d4e3fe88e8e890fb92632af2720a8dfc991809bf6af4bac0e76813fe787c06cb3bfe2386d59ce282d057c11167d2c35b2bc618b31a4e87f8e96a1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 17040b6faf3934b48787b88a696b10e5
SHA1 798ba43a585c5b72aa31953122208549fb5f8e97
SHA256 6ce39906ce0d0ba475075b8da9b64aafae44d41f81e37c12a8d7e5193cc160a5
SHA512 2f914a83be13f5ef6e2ea34e73fc44feb6ca7a4c17ae30e17d354a37383c23c35f654054d90ce6d30b0501a239be5edc8b3f2f1e0a73df4c79f9dfe4aa4e523b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 16f798b095bee085329646b66b67ab55
SHA1 e27984efeaadf728d894dd40ab5a422a163e465b
SHA256 0a15455603c57e48807c62884a5b373f7c90eac2a40af78d590b4a6cb50a66b4
SHA512 6351a9c979781048da9255112b4654a5aad2cc6c7b2b4bc2be5336ab7529c85fa952594840ac68212fbd7bb6a078413202194ccc0a6d8ce3892fee12ea816d77

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 9abe12170e5c0a9a4cadf0228cfc7b7f
SHA1 90fb1dd01a4d6827a6137c09907128c39c90e0bf
SHA256 444b3195ea92886e17d6d23cfe83e90a50afca7e9a40a3a2703fef1d8cb68bd2
SHA512 db8dff2a2ffbd32f131b5009fd2de470f3f41bcc04424d592bebb4edd482e44f2290256293b189460c010fc351f2678db40953e311d1f9d81e8d56aa7578a883

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 bc23b8539a1a92a69ad3adb8f4785852
SHA1 a42d9653293e9b7358eb24bc53c809f8dd99b271
SHA256 415268780aee8fb1475773d3ef4fae7870f0aae3196e5f007f6cb12e76e7dda3
SHA512 652d1f2c526df7ea723c45931367ee15ddf30fc4a12dd03e0e78e4dc6ea78748100b9b8de6c22e285dfca51a0798dc35e2f9fc6551284520ae9214ad31381636

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 a83c4d3703927511194adc3c718e5527
SHA1 4ed547eec99798c84e9f5891cd904eb25297bf35
SHA256 cdd5fcfd80a885e5b0da39b6f178bd8e1a399da20a94a48398b9a5afb18f67d9
SHA512 ab50e5eea7d650e51b2668f24de9f6db04d901a0bd8810b422375a838a6613c550293d2f813d913efa7ecb5c0d294026a530b9b0e94b18480e655c879ba4bff7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 9d59a32b34e63e8b235f9860ab6ecdc7
SHA1 392832196297b999d5377b71864ca807087a313f
SHA256 40db17d48303119f7270debc450deba20e36eb9e9c03a7b932796dbdff45c2bc
SHA512 b462787adba83e7be0e766eea5c50d5d719c9b56e9353d13db8d1d2e4d28e67f6713689f45d23f1c1290ec60510e8599257afcdb454a12ad58a3421bdf3a691e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 e5fb54eae0055848ed36c803b89273e5
SHA1 3c3cbba5f819c35b721eee43e411f001c1887162
SHA256 d611c4cdb795f3182e13d1445221b6c3bc3fac10f781612e32bef94f415840e8
SHA512 f0797fd1f030fc2dac408f892a6b1ab8990ec741c1a780755bb989caadd3f7b957c9c90be0cf6582ea2c4ee7fe5f05a4bc264d5af6824b50d93f0de0f9949d22

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 3dc5e1d8be2d0718b7c6ff155b8b7da3
SHA1 9fba3159f28af6edd6714162ded4bd64ec45b6cf
SHA256 092b9f851a6c92657b36a473c376fddeb76bc462b49d44e97c7d32b3e85d59e8
SHA512 662c44c35dfbf4627debe57b3c804eeb08fec6ab49fec3291b8899c97ec96e1c1aef69f6a3582d57f7996dd4b01668027c311dabfba596b376e1b38714826de8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 98c451f7d13bb1eb61604ab1b2c9b477
SHA1 10b3e20d0e2ea5bb49c72e8e71e152675cfa9155
SHA256 bf3403d254edaa0268b5113eebcefbdcfe485bf44a7260a49c186c993cefc60e
SHA512 10d44e1b05dc415bb99e4b2a3cd5987331dcc9a588ff8f5318cad99c821245dfa95920de57272f65716be85db739c8f5ed5256e8f6bc919ca06246c0d6abd59b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 a8c5eec36aba93ef2ebe23db04540d02
SHA1 799bb48328cc4fbaf6b8ecda1adff8f0364550c2
SHA256 a899c876aaaffccf12b40d0040a177501da7fe52fb57770a915c7eae11b01bf9
SHA512 6bc4e8d14c2f8bc73cca44d0e8e3030e2357a87b5d8de32cc0daf7fa0337b52cbf62f4fcb3ac4ade62bebdbbd6539176609b4673cdfeacdb127f9fbfe6c64b70

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 68c5b8467204981707ddc43f444ac3a9
SHA1 cf788b5048e3868308d55921aae1aa7e25bbf551
SHA256 486db55652d04f6969354d90793a044ce829657fac633a08d90b361e2b90f1e1
SHA512 0f3a4bb0907fdfa59ee7d3da10deb7070a9a7b3d29b1d8f7de64631c7928ca629a2797ef734b56c47d19acb574bdd0706f8a3a86e3ac97204b88fae5265df68b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 f38147d2eb59e329cefba66428f094e0
SHA1 ce8bed7c7a12e0a53ec48cb06f697d3441682dcd
SHA256 86f0253d6e5b6d7d158f7a1de66dee0cefaed29daec529177e1f352295457a0e
SHA512 2a0ab530ad72f7cd04f4889258ef0924e30fd14330ff92259373589914a381fe539a88f4b1c0eb39fd237271e7daafb304bc578d036373daaa83abf26c3531dd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 b6400a34cf92fbe45b6176cf60535626
SHA1 3f8397f5121ca1c12b5fd5824cf33e3fb665d172
SHA256 50edab827aac37ec4024f61d6969993b860a67bbd44352de104d4e3c6f64bcd9
SHA512 e52fc0b6a0860eaca23227a60d2aae2eb0cd3b2179cfed2630cf55401f56d0ae9a875b4f4a5cf7c9702e391eafa924d56327d7c1be0a3b75dbdadce7b3a4a528

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 c2bfd4d4a521d533e3af46a3df3e34e5
SHA1 48a50432b1b9e4e2accb7fe4917a17ba16e303ea
SHA256 0e90a849e928561754e57043308db815045eb3b2ee5290119a4b4f49de88ec0b
SHA512 e88f506fc4507fa09fbfceb199cf843c51abebfd21cd7391686b8acdcdd7081c9710b6dd4a2d0e36d24f62c7db5c8ed272c3bc58471aae6021152d8fe93b4093

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 ec45b1207487ae9ada52bce996fd7b8d
SHA1 9333e36951d0e02b28a2e313c60c9c3ea0b24f84
SHA256 65155d9705b45250175efbe38e56f2dd216b885d95ff9492b95552de105b8f47
SHA512 670d162c5d53ff1da0dcbc9f166722a04308e60b9901cdc1786905556f099a0d0ba4d7b06f61acdcbbbcd02cb729901d8c963e3a205953c832c1965285ca7397

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 3fa9fe773255f07a0aa3a6dde88ad8ee
SHA1 00252ce1699b5840192fbf8fe5bc7b1cbed79ae5
SHA256 cf041e9efd721e2d3e9f5143e8618e686d8de0e4dbab6f151fbd8f02fb8ab772
SHA512 e8f32befe22a3b5f6ab144e539b49fba842cd5aa4488e8f5eeb5c1c440d840fc07961c3a0e7f70cb29227fd68c16b538fd9732d3a6118ef9ef8a4cc484241821

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 c1efec039a1f436c76d6667565e4f715
SHA1 f485578a0989cac1da6b91d98fd42fe165e31d80
SHA256 b0c4f55a48d187fff44526ed2414a56d3f2d930c85354db43a49e59c5536e3a6
SHA512 88df7b6b4621590f8ac44c1a18ba4efe77a4d88181e00e6d284e8e4fd481bda8fec387121bc8333672c4b0db0e7a3621f9df56f4d2243445c7d358535aabb49a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 44c96a71291a602138f5511ca07eeb90
SHA1 c3acee712760bdb6baf9c1f5e884ec9014d247c1
SHA256 929e639b1b853a804fc33755a5b0a4ba8238172310b8a5f564d8ac498025d88e
SHA512 f8d8708dc2b9185431606beefa94a2f50503eebf1e34168e54725cb236e808e52c402ed9e88e99b6df3738dba7c436ddfee0aea742615592962d46983022a778

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 eaa0c42a34f3f33295f94dfb1f9ca1c0
SHA1 43b6c8b62dd6c1f6c5523fe7d626ed45517d2199
SHA256 df0a911e620948a304564b72556dd27940c7defb8966fa6c08e549d05732b2f3
SHA512 f7eecf5239adeff7269ba15e34ef653fcd4f7e394e3fb526805ac5a94b91050eaf60cec1d38bd160af8969904b314e07c170922afcdef2173844eb16bdf616a2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 1a908ee7546a1d098b78a5c0215b5f11
SHA1 2ac590578e0ba2a25eeecfc46896aab5b0e4f0e0
SHA256 529d452f50cad43ae7a1bc78ca208f04fe46a95cfcf8eb7964e7a2c56ecd20f8
SHA512 4aa64ac95f61fbc97c1b6fd529dc6f85403cfe0c54b506e42b52a2bb04541a44874a97c77e10048078ee153904329bfddd9a2308b0bcb526add4ffa45e5a19e6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 46eb1b46232c455f6e6bc92888839f66
SHA1 c78087d5857cc1b2d3e0b71094343a624aa0fd81
SHA256 590483445ad6cca7d4bea43850aedf56b9a5953b4149068afaff3d528ec106b2
SHA512 4690fbc15a7c9493f05cd2d33c0633e3636cda227239b0e65bb0ddbff847c7d5830f19f2a8fdb861d9714e9ee79b1a246350006a4b01c2a9cb440b48efc9dccd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 d13c7488026b6c07788eea6103bf3f59
SHA1 808035a580cdf679adf82f9408452faa0f9f34b0
SHA256 bad7eb3e8fd463bc85b1d9ff11e3bc11be949066622e2ff746982e30356414bd
SHA512 d24c5e0e715117f3fd5a71beb47bef390a373e73b1d4e73ea7901ceff6795a5b1bee6bd0bb8e87cf2660581d057ecb71a48a67e593b7781915773484bcf97075

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 dbf04c8fdcf7c7e03f8edf20025de9bf
SHA1 e7f8a5842c20b448ec9af28bcbd98015e64b0459
SHA256 39889f1876443cffdd1bf0d77b437a1b0b8d0900fdb3a1628f9d1883da6c6bb1
SHA512 eb1fa9c601b5972c24616750f1b284894be3d212cc4c5989afd7fd47c6b69d4e0f2fd78c867dad70135269f8b585da59dd443d83bf726a1a6276ae93de80cd62

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 0c490f42102fab47289ebf06861b6146
SHA1 fc72e713d9b76d6ec4886cdb00974b4c936406ac
SHA256 be35c28779e941f794f7fa7e778979fc490e226157167ee3886cd9cdc62650d6
SHA512 bddccec4995881c4fc7b25a62a89ed03b5fbf1802e307829a7e75e378cd7c6410bade724fd7cdfc6057ad0b72a2da11ad51778e1e4777517d56df56830d3e727

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 9194426a7f5928adee82790e8e27fa7d
SHA1 8f9db539287dc3e12f4a597f81755b2a636caa1e
SHA256 c3b83d1a97803a5507ff7acfa3c6ea3df960bcb0d0565e90f13ad6e657cf84ba
SHA512 6369b3a3303c801656f29df43e553592447ff6279f7e91c76ec89da28494757c585a50832c6c3879953215a03c0d35aa0f7d98db6fdbc5cbbfd8211c4997c81c

C:\Users\Admin\AppData\Local\Temp\Ccci.exe

MD5 962bdb6b6e3ac702d2378bd4a8bf011f
SHA1 2ea0d4c2d7d1e7cf918f0cec8bd429d31f7a3dc8
SHA256 060effbc0e10aa3f7bb4bc4dd74d047c60931e03b01143d715c76a9e59c67801
SHA512 49df177e66706b1ede4487a43f3a4deb7d6953af16446229cb17676024031b67e05033a3e6924ccf447303abdb3ed1e58c8243b792186293d73b459b6f16144b

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 d9e5534fbb1c7c5b4e9a6c6528cfc5b1
SHA1 626a871976f00c43306daf6ee05c8bc37d8f33bb
SHA256 8addcff989597f886f4d716d26b1c2955eff86063ca1222a09900de884a9a6ec
SHA512 575eaa74797ce8c4921794bd355e23f495cc95cd96eae6c723a02b613a73ea9c3da3c3e76e841ea2911fb6ce6f63c4b276bf11914726946fe14edc84c3b3f0e2

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\woIi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 0082353659bb316897592f2d2acb5c06
SHA1 c1d25b5f2de95f8ae4cb076b596105259f24644d
SHA256 2608ce1f7a8660f1dc31cc85ef85fabceea080c1169d84628d9284e945dd212b
SHA512 c25903794324d8e58c561927995e2d178a232b106cb9859d866950892d73a9f134009df72c00ab2b86d56dcb3ed73cbe7afc80ce0b053abca8f3171d5261646d

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 137da6c6a9495d176e40e8a6cc4fb4b5
SHA1 c5835fc36e52c6da771e48639659b2410b1bb590
SHA256 20af555131ee1133bf35a170190771fa2f6983d4f0bd3b33772fff17851b0e7e
SHA512 8568b3325f0d0aff334bae343c2788c2fb17919aafebed924a68efc99c74d6284ea19e4af874f6a7cbbe31ce474a46bce7f51d0765e3a5205ff82131691ead44

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Roaming\DebugSelect.exe

MD5 bcf20e144e4e0513d679fe22bdb4dd74
SHA1 a6529f284d0a9cc87a1aef2a34a649232f243fb6
SHA256 da5ddd01cd2d2be1410d9151bcf11f2ff36cfde23c2ef2c515a25b968123c331
SHA512 ecfda0fd05baa268d6841091f9d5ae5509abd9c54c9fb9da572f8108799ea7c3ff4b6cf8769d1ead75e30806b6bd30adfe4e2695f0b79eb4d6d874f9bdab671b

C:\Users\Admin\AppData\Local\Temp\QYsi.exe

MD5 5e9ffe608ba7a0daed0ae4e549682fa8
SHA1 eeaa2e22dbe7268de5be3721cdb339d3935cb4e0
SHA256 fe2a784f87a9a91fab4b3e024af1dd551b6bf1fa074052dce690e8726451239c
SHA512 2fe771164914c19cc0002141fde5457db5893090a256580a6ad4d591a9c0a60d00b048f207909735d2c05d52f564580a834256751c92e05ffdc2307e2e910107

C:\Users\Admin\AppData\Local\Temp\OQkK.exe

MD5 c55ae371d3ca3b6042c889f9d04e28ec
SHA1 ae8517d65eaf990ff5f691faf17f6da2cdbb3659
SHA256 72ff93255e001b7baaf9fc205841b8ead7bb043722e330c911742eef3cf25a0b
SHA512 981e46b592782567beee86d9280a4eb90dc39297ac773512b5c030e405381efd79685d86308e1cb5d92d91a2f04c352bf3d7c9f2c263571df6406aae1ea82108

C:\Users\Admin\AppData\Local\Temp\mEYC.exe

MD5 02049cf04857adb9729f574a3037c3aa
SHA1 93c9d0fe7f7e9b735e85d3f2052a9810d5fefa60
SHA256 547952a7a97e2315133bf99cdc6081dc29ee41c6ad71266a2fb1affa086528da
SHA512 784d1d70fb578512af19f173eb7d645052be8f1ff3fbb64918eeb20e036fe5626ec86a8b3293303190d43356045fb5478ad8965348e0b7da611a141367898f66

C:\Users\Admin\AppData\Local\Temp\UEwk.exe

MD5 6b726f30cd7dd7a50b18eda023dd1853
SHA1 898c6d52284852194b67d0da44e3b1cd742ac2c4
SHA256 2af61b9a1179e41d1531e4beadaaae5481179a925c108e55e059e254a435a766
SHA512 41f660b4f850d7663c3bc3aac44e294aa0074b60229f34af5fe3aab216220bacceeda6274c1077c4f0b32985fabe12445277fc3a79bdda7937ae9a6fcf4519a9

C:\Users\Admin\AppData\Local\Temp\uUkG.exe

MD5 d34bc933aa58a4e4d3091198d8deabd7
SHA1 742c8d768b7e00582055740aadc21fc6fcc3ac10
SHA256 eaf0cb2f8eacf4c5c74aef2be92f50a164e5515cdde03d40669e127c11065b25
SHA512 a7a694ba116451b5d209509034823b0178304d754534d8e12f1ae352e09fcf625e521c602de4957c739209276c032fc75e33f59ece71283b9cca7dde896597b7

C:\Users\Admin\Documents\RenameUnpublish.ppt.exe

MD5 7de8cc7719e457b90113bc6325188e45
SHA1 6211f114ab4337f01d8f3d5eb356452df13e0d75
SHA256 f1112698d162c6e620dfce9f50a59f80681effc175df21a443279811c17cedee
SHA512 258b9902c492292093ec28a83f1754137e449cd3e228d49d08e87d610856d5185862e6d050fa75a9c7803aa5b2b72dab4c74ba2a85e2365c57ca76c59156251d

C:\Users\Admin\AppData\Local\Temp\Qcos.exe

MD5 2cafad39b217f26bd77a04c4c9eccee1
SHA1 ec024751f2989dffa3ca6db2e3831e86a1bf13fb
SHA256 021b6176506d9336d66684f4df99ed5bc438b9107507df820f6f805b3646cfc0
SHA512 87838bbfe0a757716f046fb612f5921c331ceb9137c104e5180582cf4aba0812112022ee93707384f5679b3c5638f4f4f42b6667ce8e145bdb3bcec47aa638b8

C:\Users\Admin\AppData\Local\Temp\WIsK.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\GsAs.ico

MD5 0e6408f4ba9fb33f0506d55e083428c7
SHA1 48f17bb29dcd3b6855bf37e946ffad862ee39053
SHA256 fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67
SHA512 e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

C:\Users\Admin\Music\NewDeny.png.exe

MD5 39573d3cfc60a7f709a62cf5346304ce
SHA1 6629c858743fb711f186ef22dd046c1813826196
SHA256 d31edd05abb76d93307a6f3695c1410877f19b5a368153bb3565bade1e4c1929
SHA512 fb1f8adc992f408c20745bf80544f4a11e69f431aa98671451f92a49ab9a9fabb1d5b0f0196c5473d190ab76fb62814e3b738ee763fbe2ea5153c2f8618264cf

C:\Users\Admin\AppData\Local\Temp\EAgg.exe

MD5 ec68aa2d2c37a6e3807545f525c11af9
SHA1 81d40009a355b4948975328ebc5b46f7c40930db
SHA256 53c63756104efb4726bca6beb03a7fdfb145bac3af6553e3684a1a5c4e78812f
SHA512 782484d1eed8379d9f77f01a9355157ed5b89e85474409e42814f8ee03408654090042f2bec3f945b6bd09f1631bbae73812b6b21670eaa5410e21102bb40bf8

C:\Users\Admin\Pictures\FindUnlock.bmp.exe

MD5 be27141c1b49ba16a0061d5eec1a0e40
SHA1 2ce0020a9e4bdae1be649fd73386cf5c5a49e542
SHA256 a4899fcf6bd0eb23790d824084f9dcbaf329892b34a67b88ea2fc6b896bc1f95
SHA512 d2994e123149dbfa74960b4de9455d098bcace08ea2528ae56dcc9472e8e9504d9a8d37188a0472df060c27e1aa9237c283c7f559c67196f9eacf004818c6f5c

C:\Users\Admin\Pictures\InstallSubmit.gif.exe

MD5 1c5846cc42636f14566a79856977e151
SHA1 14a7121e3d41a1c9bb82f799f2da46242d898801
SHA256 192c1bbbeb99e44fdb4b7afb39438fb56becbecab5473b5c524ed642eab40065
SHA512 04e9c2360f2c2d39683ca8089ba0dc81e4c18ea25e0001fc86655c85ce756509c1966fc3e125cb037d49271731c2cdd96080c348af60e49afb0cde92dd465e8c

C:\Users\Admin\Pictures\MergeSubmit.jpg.exe

MD5 ca58b00cf4536fedb7f3c436ecf8d359
SHA1 d86434eafdce2fa93fc881648bd7bb7d4289dbcb
SHA256 f843da1883838a86ce68dc05091a4a0c556cae86cc1cfcebd29ada115b2d8a8c
SHA512 ae3249c03851cd0a7153213578ef0d22f05076a6d9a1b873ad65969dc5bd6ba7facb64a9b27b74eea9bfeaaab8ff4300a36f6de82f039f390c761a7ce6c855a1

C:\Users\Admin\AppData\Local\Temp\mkMO.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 943c3a3ab9d970dd453c322c7f15e2fa
SHA1 12fdf4feb3ea8b31317d7f447ee48492811b304c
SHA256 b543b0233b962f6ec6668cd914bfb13ccf31f83a36cdce55c37af0b4a12ffca3
SHA512 03a34eceb57de70a652a7c43858dbc721372010c3e6b3b26819bbcbdca8dede08267e195e8b9402074b03ff7aea9f9d48834dc27c310b0b290588ddf0744701d

C:\Users\Admin\Pictures\RemoveFormat.jpg.exe

MD5 f5dfb449e70a0be4f31a3bb3eb3083fe
SHA1 dd4488f50c12ec7968f11ed93112f811fc5fc554
SHA256 4a05f72707c77e6da03a403bf89c650a9da3584a4aaf49575e5fcbcdada01a94
SHA512 67905d3fe014b6dccdca8ca2f8bf8894bc8f44a0b82c721fcdaea6303be4c3aee3c0dff417d6a717ade6d27fc3f1766cb102ecef0cce5d657bfd1c18e6eb14bc

C:\Users\Admin\Pictures\SwitchBlock.png.exe

MD5 0456d4f3346806202bad62ff9f275215
SHA1 b5c45b3002c08d38a252ed71a7f1f0e203a9ce2f
SHA256 7d31b629a99d81c6838e67a1d74af03ce4a430510bc7611ef7c55b8c1f2f278b
SHA512 c021d6318516f168a18903a006f899dca4821d0ab70bea15cdb695c9b2de4295f0c75d526ffdf9c758157862a8ee91bfa1a68b64510205f729ec22b07eb76dd3

C:\Users\Admin\AppData\Local\Temp\uMIG.exe

MD5 26109605052f584172de770c9ee5c471
SHA1 e5bacea2c784f78a0bb1be3b3086f450a63fc4af
SHA256 71ef90298cf15c3888f878184939beefe7775d1e0326d483c91b5a1614a69df9
SHA512 e1772b5fb280f4536a7a94b3ff9a95219c7d9a80b5e0f4e0efd6271cb4051a533deaf533e8a3d9f7756657246951172cfb7b44c0b4078f77b68291d1f7c2b003

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d46ea26b3458ff2ca1136ba49f6d2770
SHA1 ca7c7b1070a3358aaa6802b6fdf98d60d26a9501
SHA256 ab37d7b8234dce42c5b85d45ab5a38f91e937e50e0cbe240545c14d2701cd6ad
SHA512 e9d70ee4ed2892f177a9d7c62598d83f527f48a78171b35c806f60ba6bf840378d9c154ae6db1494c566c73d423868b6dcd363ca041981c79709434d40e0ee7f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 b4a772c7e8382092774658b035916e80
SHA1 97344149dd3f0a2321a433065f866a50d346ee08
SHA256 c264ef1f94fdcbaa055dc189b42c77b45ab640c7692215a06c0db0fdec81f345
SHA512 e429e1a7074bd9b30f213aa731cb58ff00177290e91aae07c5e515802c1c777177ee0fecfd40b680fa071ebb57fdc74178bf1c6b0818c9cd268e16948338a54a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 41998c2929c615b224eb694d1473a5b1
SHA1 d3789b46cd701979c55b5d9ef6d98d6015da4efb
SHA256 b6a26c33185c934b03ffc7a6ea222d9d05e342edd74a0e9bc260c0a35ec04080
SHA512 eb4ca5328fc15f093ce0cf4e48f63081661086c384369ebe024f4f8d0b31f8d81a2e38d41e275a727ca8e30823f6d897a2f507bf24683d564645aef8b254bc1a

C:\Users\Admin\AppData\Local\Temp\AAQC.exe

MD5 8598487481788455efcd4a230ea59287
SHA1 40a7eba3428ea9fd6d9bb3e082251b6fe41e6e6f
SHA256 471e659bc5720f465f0542322c1b1af33e8d86514af00afd8fbb6f54735cedc3
SHA512 6aea9e13d5271d7a82ac21449d8ef7f88f4f422fcc59626b698c13cd3546dab0840ac47ff43ce1fca619c41ec7c1bea21e9ff57720a15072baf9e4dfa992ad31

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 2d78b156d113b08c3c1eca8d206d1e6b
SHA1 d3ec2d58fd81de83f0e0afefaaca0527661ed68c
SHA256 ccf43a74ef46a82cfc77a7b93c1a8a9861a26ff7fb15986d2dadafad012871eb
SHA512 234a131385c49763d2177775df6952e16219bffbf87f2b49529338cc01c15ebc4db6bf24ce871e0a4b3c62e7f9cd92ff61be636285e1050cfd44c466f4303a08

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 90c62a78372216ef6e08c143de0fb2a2
SHA1 ba928984ce9aff546cda47485a5afaac8ef088ad
SHA256 d9ea1d6cb6bdc085cc4c77d740990d8f527fddeb1ae9477d8dadbf4dcb51ac9b
SHA512 f24534d24397df338e222a7bde7f09199a806fdbb935487c7b62c5a484e805aaf2181a9ceb064eb79262e918b5fa9af491cc90a55633f13b8bb7cb8d30c5f585

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 2b6d47baa6070817c41e8e2d3a6e01c8
SHA1 839e2080e69daa6786d280ee7c15d20321549f14
SHA256 cdf7e22d4c708c70668a4819884597b7e08be064ec96b2df30b565c3afe0b3e9
SHA512 18b696f5fee0dd42de62c24713485c278664d9ecbeb77323195a890cbdbf1ce2ca4e9d91380fc7a8092dbc599a9ea76137e90778dbe5290873e12377eb56b300

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 9075e7d701b9d7377b47e3d75b31eaae
SHA1 f8f1c1cc0fda286e0533f077e247d1428b882f74
SHA256 36a70e5aed3454087170f45af169ac96aa40014a440c580cf4bb6e92993c8a82
SHA512 f2e564a2e1199812e542ac8435ad2b3168033165605a4ab2f7d250ca7b98854bf8920f67161f194e433430aabc4fa0c25d28382ecbd15c9bd73ce8fb5c8fb9b1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 81881efaa04c35645b55ff18bb26b3e1
SHA1 9a9cf5c91bc755207f47d5ecfb8650684c8fa9ee
SHA256 b37cc35cd566a3c9b5f0dc58d21cc752b7b5241a821a2a48197013a9c5020b5f
SHA512 d88c43d921fbad1dc965f76724d106a2f92d84ce4b67e4d987f0adbf31b73c248cec06dcd983b9e6fda65c2dd8ba39df17a271180236df12f6a46f848aa05603

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 7be2beb26a69c2db7628f81f00782a6b
SHA1 9c1bb6dbcda87449899bfd651d16a985b12ac3eb
SHA256 9b08e26460f80215d66f08f80150ed0951012dfda763f06fa2874b0cc71dc6c5
SHA512 2890953bb8a4e4c763ee799422d997c2960a3eb0227febe3e3d54692f1fac72b123757aca5d74b11c11ca7e4fa8079444135bf234b712d322f0a27b25f9ca985

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 39c72c2b252da94ac0bae9dad2320026
SHA1 a72c91f08c0324bc746356d811ecb74fe4f9f58b
SHA256 b4623b98dd65780e1560c099d9f222ea0d441c914991fd3408f8dddbc4842263
SHA512 99ce426a233a38bb9718bbf001a4636f3380674b02c4aedd786f3dba1a4a17410702d0ca5c5bcf0f0f4769cb5d734875e4c9d11634f6a6ea29436e88a9e1c821

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 4472172ab66229cf4d05af7295a797c4
SHA1 7326b2c95c8af6f53bf74df1e90ae784091941df
SHA256 80599c0def2498accef9ad9d5374f8201e3cf05a74f3b229720b41d36ba26736
SHA512 d2ce58f6bc7eff52f7d603118c1be412087d8b34ee67feed30f7f900f25e9462cac877025ccf0315bf07608e8f58923a7649479ca98b049747f13367f443e130

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 8f4f2c9dfc266ac78e33fbb3ae99f2c1
SHA1 af6ff162fa17cbb83b197ae6d4eca4aadf0dbe59
SHA256 8e96b6986fba335c3c3703c80f9116907f7e32948a68051458687e098fcc3f9c
SHA512 05399f4aab2169dc1a639b95f32bc924f7c93e2ddd209002367e879f7dcee8402aadabacfbc403c312d3288f92733d01cb477c7568d236b8c8df2422a7aff995

C:\Users\Admin\AppData\Local\Temp\KYAy.exe

MD5 d5f3934c16cdcf07f666e14723055a19
SHA1 8073a10789151704928c75fc6606cf5cbb4a1d69
SHA256 50be7089941b18fad0a181c393550a637be87a2db8875814de75e6bf2b845e99
SHA512 2f94846700b53b136a1cc25a083910c7da963fd2ca9f592d7f1262eaf0bd4d28b6908e2e8679790a9a938cc35bec34d26e9265519b848d6f00393b1b47d351af

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 db71a535ccab0cac1a518853693c9a92
SHA1 7f8d0552fd89cbb3c833c06df817e0ed43ded1cf
SHA256 5e7019dec68a040b54899974a427dd678f884256d4ed493957c266c721f4c43d
SHA512 b1045ff16ccbdc414633b4baf4156777f621b2769b3718243761fe3494acca8e7c88f2839aff09c352decaaea3ba3dc6d9c7cd1370315b008c4065cd545f1c7e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 59af35e8f5f8d06cfee38603f2553925
SHA1 43cb97a7f8e746c38eecb7796322551ffcb630cd
SHA256 7bb5f29bf348fcfa8bbd09e877f8d6f23916e42c6f01f5fc8d94e6d9e5d94244
SHA512 287233a963cdb11b7f9d972af93e4a0e92fa0e66de1d5b497842670b5082c81c8aac16dbf74cb0e57fc60149781e06fff039140575b66ee9818751adb3d0ce35

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 4560257c7a8ed1a81c8a4963f4731e91
SHA1 4f0880a6e5aa9c68690f8306a87ed67e3f84daca
SHA256 5e9a6fc80aea976d232b533d877c0a5427bc5bd715ca3545f92fa555e9716bb0
SHA512 94dfa1402f45a61561ddb9822d509aa87b5d3564c49ed6556dcfc834b20a23c1304488c3a3352e6410a6c020d98b61434f3db30839fed0b2daf494a96de5fe13

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 1497bdb4847abfc2fab020760f663d21
SHA1 83ec63a58286a353f0c2bc9d26b02e5be9513057
SHA256 d99a393a7af219e7a9655d63a893ba8514a469f79f720644900d44f2d617e665
SHA512 688970496900d3d3eca125675d5482c09150f6c029326d3cdf25cd91f6bd8962e9ffc116a29c01e1f0b5e56e7f8a493a377d217352bd04758fee37899dd9640e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 a2e15404d28f00435faf7869544fb03f
SHA1 ca9b9bff47cf0baf06f837ad49188bf34d1fa583
SHA256 d45801692f1dcd29efee999aea1023b129588d145284278bd38b8a6d7c29961b
SHA512 658ecb857713c5256f319e0e7dc301a5d7ea0fc12e6e5e06ffde06719a0e040207d4ee35e0fea3a52436abdf4ad9cb98a7731857a1e2b0e292a992ba64256d66

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 7b09411700796f72a71056a7824975eb
SHA1 a03e82588ef85d23456a04609a81c50c0f75a775
SHA256 b7eb71592348be68de96a7cdd01a7aa316f09afb808ad296f504e28d3110f33d
SHA512 e4b6abaa58caf7dfbf29efa6546e54f03116d966f49bbee6cff986cbf6b7712eab313c782ce873db20d6b17686201135a01f64734272f8b8ad4e09a390b1eba8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 30672d889846f275858c255f418bc9e2
SHA1 633978860acd530622463fb11093866454e58bcd
SHA256 dae2b46971cfe05a73c9d71847d2ac7360b4151b0de13c0a8dfddb2b2fbca886
SHA512 c0514e4a5fbf84a75ab301c16d380b820ab7d1e45007754871a651aab4e0b1e9fa5a44a87786905538a0e0f998ee0e3f4e75c2ad4b5ead8e173eec2a3a7fa49a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 dbc8593a5116b0ebe2f9895049291822
SHA1 053f1456c434c1d994f36cdd53ec96a15eeda2f8
SHA256 247b1149a6ee34acb058d72aab2849e30c277885ba9729ad9771233562f17d97
SHA512 170b609f94417e54884c670e7bc570c00101cc17e2a1905161c00f4a539b2c3ad46da14518af12d8a33ae2242607fdd5e80f2534550c3cb9e78e4fbae64268ea

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 520a36d1b3e293cd640a58500e9999fa
SHA1 4d82838b6fcda51af5d70d5ca1a833555990092a
SHA256 04acb8dbeed69da27fd95a462bcaa57ea8b045cf2a079f0bf2bb98139c3d79aa
SHA512 6104b7cdc1b247fc823b3878924c828f52ee7d1ec8be79168c155baca635884646dbdbcf729920720dee0b27c1b5121604f9281471120e1c81f65351abe18e2b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 cd7b15676f6468bb48160c3b6903cfc6
SHA1 bf80ed23fdd600c77e4b10c127b2202ae0ac6729
SHA256 c3b3d5554cd5cdb6c07b7b7919f9c9d5c6d8d1060483adbd6fde09242573c980
SHA512 3e039d3ca5bc1e2308be77832caa36ca7074b7b176cdfc5988d130edf8728a7a946bac026dc5b34392fb839f4a057c54df226c7d58ad3b03f92dea44ccbf5651

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 480fd197c5d9b723e9f2ab1f89fa9da5
SHA1 04d4b30fadd6308197b9d4712344edf71f186825
SHA256 09dbb6244f79a6ead38c0e4b6a6cfe6ba490a171df3c035971125bb6e4486d7f
SHA512 b29029b836b9ae35218e16653824d8288c17a9b1a780bba95bb6f2421d038e9c2a8ad000e374c863cbad3e26e47e5117d3486808760952cf57ee629feb836508

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 169481a3ea12a36bc16ab96d980f820c
SHA1 3c873dc00c962f2a65634c685c6e7b007fb5c44d
SHA256 4fb033d38eb1981afae8197cac68ac93a1596af442690d30cd8fd3de6e185248
SHA512 ff1a713d6c2bd443b2ea523e9c30a733ecd8ace6565733c82233639bc572b08e5e8a29feaccde30932cd6d93e60fee31e184a66889fb77bd98ac18f554e9782b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 f299825155012c21a109cdd9f51b43f5
SHA1 16471761aab706abf93f7dfb81f4710167942304
SHA256 fda0e320ddec19da3c8fe947e17edc42342e8ce0bd937553e1593a59a1e4be4c
SHA512 61ff5bd100ed591c8f4498c99030b0501d6f09201337393d363b0a762d0513c96d2271d28eddf090340cab1314b6ef80752fe0add51536dc3fff9428ec12b2d9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 c058637cedbd5d260ec10ec67a8359ee
SHA1 de44ef91eea46e8886864e726be5fda377cdc948
SHA256 526187ecafb97ead19f04544dc94621f67346aa3007be0e8d4b4bec96ec832d2
SHA512 5121023c5386ff3a06161ad2cd99873f8999bae48851420a898dc252ce57a84c97ed21e3c15aff2a7d5cae1063ac23b0c315c45dfcf57b8cf6d2580bf76c7da8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 d1357b838182334631ee151788a8ccc8
SHA1 db3a3bf1adff7218372cefbab72aeb027afc8869
SHA256 213159a8fe776db3a7cbf2917b9e659b77f589d1db323a22321b95d377b94df8
SHA512 58280abed384ef522d2eaee3a3557c0cd4014eab4a58fab36011eba699a03b729069ebcfbb8e9d981a7b3700754c066b07cd6b7b2860034917ea49cf3d682c0b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 517de722dbf8de67fe76fb5f8111750d
SHA1 53e65841b623184c29a7f6c8d9e6af94b7bbda86
SHA256 bb65abce19f0bbf8fc9f4866e0bbd710f5e4684a53c0e357838bd6f148919a90
SHA512 9de2609ab32e2e009049f3f06f5ca0be9742d4fa527540825381faa72279c5bcddd3d2ff026e1d08a7e218afc3b9185a1de407d09bc4ea6bdcf128ffa737b36a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 7c811217e4cea32628304ac54ff67bd7
SHA1 9f4f14225355c42acab22d8bc2f2d499dacad6a2
SHA256 e05961a18200e8319047a61c168c0aa9455da94c721691a3672f4e9a8398f4f4
SHA512 942002bd405f7548cafe44a19d5b1c4b9969a5c81cb8c69741f240af74dc2aeb95fff26446efa6516e96725aabdb761efa11f39c62cc7e7d14e0586bd213c8ca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 102590803c17dcf5cbef9374645d17fd
SHA1 0f2375d3bdda7433f0457c50a9554d4882409c20
SHA256 535c01872a263131de569989f9b5193f21b6d158838317b125863b031de35bfa
SHA512 d115359a6a56b7b493630e73be620af5246e743c014cd50755b4116476832090cc10d95cd8dfa423f8113f9a31b09be5ef336ce03617da1b806de771b7481b13

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 15fc4e415dd013690c931173a6c5d574
SHA1 186813ecd98174295733cf1d2474385802a4a909
SHA256 5d635976aaba686b42037030ec7fee33c07f4222205ae0e65c666a1daf31cd48
SHA512 11f2108fd881a4f4baa31faf8e7337f5e35eb6c7510e8a82fed4a66f5e205206cc4f457d65a7c3fa8e48a60cd7818d81609c8fbb981b05ff5bc2aa915c0188bd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 0a4650834e46a211898cf777eb7a0dab
SHA1 173161949d4a8fd28fd45a833532bd59c9f3d7d0
SHA256 8167e7fc29e4fde5aec3b6824b62172748640110e26d6da981d407eeed57c5e6
SHA512 c1ef30dc97d25bf83d1d37693f1b7ff1387c31b890fdc11ab442c1b9ef111ebcdefcc572f3a04128272d3481b1b473b4e45ebf8f31e141cd40cb4c3d0743cd3d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 e43f7688c4d89ee7b88c21188673f658
SHA1 29e009e8a79ec27d20069f58f837c7e14bea11aa
SHA256 d3a6ede2d31b6ea0f7303b62b38a52794adcac71fabd6c4e3bf8b507ae9561b4
SHA512 851e57eed25fa048d5b7fcfc53e315a24f15f82fa849caae8f3aedc5d236e85287cd12713cc246c2ddb64238a3789b803fdf8e54a5ddec0955795eb5bc5da1ea

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 eac91922a0d822f19c747aeddf41d468
SHA1 f1503411389bc308007bc74e243bf256b2b8d64e
SHA256 916201a0e333958028989149a01ee588fcdf78d8371e2af5fcf5a8dddf98e0fb
SHA512 e47081907835d05f35be29e2287bb37e375c604055b46073c9b98a0b5f6140a58e635dbc91e266c63a52777819224cdf01f7b8bf567896f991477daf4349d53c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 bb6117d2c8e6446182f2fc02493d4bed
SHA1 fad7f0a7d02ae922b1c12ec42c343559b8aa753a
SHA256 c7584105be68fd72c6c63fbedcaae9bdd45bd0d4466d17546aa4051798518056
SHA512 6994c64d53090fcd070a9f530dff70151512954e15b2eba69a6b1ffe8cefbcc629ec4ab94b88b8872ac8610cf529092b7d09d851f6d306a3741820836c1f60a6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 1dbfcc898d4fde9a6a6868d5a2cc245a
SHA1 de7daca6be2374004509b66a412db2f87e3a5f84
SHA256 dcb3001785a7b0849fec5b9ba7248d6383343cdc53b101725ed95bb7547e2b18
SHA512 b22a76f397c8d11b4c85e215f1e7ab4d1a7b3a25e1635a061e3c2d9b614c032940ff14185b112a8b2ac48d170214d0cac8df4f5c0dc8bc45ba79431998807c6e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 95b42c156ecbcad9ecc698c37aa3ed39
SHA1 14fdbade7ef6e3040752f225508eaf3935964fd6
SHA256 be8975290306a0745028ec1385e27be0cc639b9055676937e1cff25874c633fd
SHA512 1c0078f971aad1d07d00cb970245255d9ace72962ea5e6a59fa3c82c3c8abc501c7ae2631ee0845e60ca0b7aa1d2e7acd9c5a7bc60cedede2c5702b98d283cbb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 bcb81c659ce8e3488e031b541146624e
SHA1 35530dea6b8c353cc8699587f22ebe5377a246f2
SHA256 046b01413b2c43ce5bb024a92f0ded3e82de0df85681e210af2582db388aa626
SHA512 fca5481b5120e834637303522cc26d0fb5a11d3fb3f48594b08cf2456da53837a7c3bd6aa1163d2d521387c217efdd7801bd91337e97473caaec6d2e18b96889

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 e2ab512c4ef11750fc8ae91e0838e374
SHA1 185b53ea28cb82c69dc0a4a12372f27b335e5e72
SHA256 af3a0c44d5d0601fdf6265fbdd80cc72e4617980c7c951d538ae37983c9025c8
SHA512 6faf9875fcb416e7b0d370d47617602a9bb4cbee6737cb15d5f045612f19c61105c12ab38a4bb89c08b7f4723842a64153b777562e0e62021311f6583384f710

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 7831c510a90be36e248dbfef5675d8f5
SHA1 1f104b6c65418c48febfb770d2c5b558ebc3debc
SHA256 158ffa4cab32faa402ba3fb7fbe8d383296c8aa5d8a8bbc9b9080f4512854516
SHA512 b5b56ac2127816ae4200b7d7043cfd7e67a3df0f998ab34592e0e0f96c5629988fddbd3c3447165ba757a711bb15dd6b5acbcdbe3de3aa39b4be7065f71baa03

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 1a16cde67d7675665bcfc8bb49d79ade
SHA1 b5d0c0b21f021e55bff93c57e398954361c06dda
SHA256 3be5a947b104e6ee48df5108cc92c0c5f82f1e1fe48f929f1f4c60d6653ee88c
SHA512 c78a4da16d93875fc7de71e4cac3b51c35c9c0199d79c96c8bc5e0730d42fea813b6acb869a57ef46b33ee023195ba512046d8bb8e98fc7439b081844188763c

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 98722018f3d93d12b7736d82833d135b
SHA1 8cd878187e65fef072c066004d8d84b4db266e6f
SHA256 c6970e26c13bd4aa45124c3ea17718c59344b2ea76c1ba97d78867a041c76b86
SHA512 bba2f2f95056ee719cd7f70c89226e5bc9c496ad713328098b13cf095b998e9fa0dae238711ef98cdc3005c2b49fc27d1ffdc267fbe77ed528306d7fd765aab1

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 88458d9d7440c4240768cdd8776462aa
SHA1 3ae03f8b156ea72bff3704f839f152630a6e158f
SHA256 72b1815c78deb8c5d29e7ea597a6c92a4ac1888fe67ca9fc39c8e35eacf7a586
SHA512 d02f5bff654681efe96d009fa9aaf67f8d7b49fac9e02ea7ebed839c01e59e6e767fca250224bca669b781dc548703f07bdd73cbc6698eef28027159d430ee2f

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 7d1420f740ac60cfbd0a5e830447756f
SHA1 6f5f68608cc104133283ac6b287827ad1d7eeeb3
SHA256 abf6559735610ad1839f3ae71a0bd0c734d61fcf6c34109726deed062ba64069
SHA512 7830c09aea4c28b181488599a5f0ce883b97987265195c363b449664a85828fd637d26e14b0a1f754ad15d8556e38a8e04568d8d2efc26bdd8d471c85d3080df

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 90a889bcf9089d16dc0138fb5169f31e
SHA1 8909b9f7c1ab3a06b0c969a2eec274a6b88dbce0
SHA256 57e3347fb469479046ccc3b39f7f98d286538d07cefcc6f15c8fdd11283bb611
SHA512 41e0dcffc80e39f170fa1faa2ca095a1ed015be3a4f9a0d602ea2c2e46696a6a85332c6a46279e8b31fcc8a8c7a5a79f9c578e4198f91a3fa8c2fda79eb082bf

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 2033b7e3e7548276adbbf22a0da8193f
SHA1 eb46a1e49ad8cb0d5fd03fb0baef32955076de55
SHA256 96949090608bb16fae8987f0e2a611927ef7562b2aa9b2729c224acc8e2b7e06
SHA512 e119a29a3757bc43bae7a0988d53fcc2b291901ddff99522898c0441d6acdcb3abbb621cf134518f0acea8202480680f5a7c27aea8ec8a5dc1a768952105a231

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 71edf2fa19ac40cf7d56465a27184c98
SHA1 616f4832cbbb267a6a1f1a238910efae1de449c7
SHA256 40bf60aab07da8de8ac88cc24e80da2bcbb31cba25137a7e01d7ae3bd4b75782
SHA512 5aa47b13d1e2b925d6d96d258758e7a78e981c7f82ba086bac818fc3871bfa267a656c371f9fd3188a8562deea4c7376646e9885e47cbaac74dde20255b78421

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 e16760abf2c33bb3510bf03a8b415fca
SHA1 7b867f766f04c3942a53c7e4a06a03e91cfddb93
SHA256 2cf8bd26c551102871930c3db524701e4a958a00863a149dd690e4433314d19b
SHA512 385c952ffb3c014e1eb40e42464192644c3fd1efe538cd287b4986e3267be04d4a4172472eb948ec076c738db5793342745fd9cfee7aca0733f8400de3b5a4df

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 81abae72cc7f025916df319311b06e4e
SHA1 093ea0557423a7fae52e1e63917a9669a5866f11
SHA256 d3de03f223da4f854bf87448d26f75dea6e10a83a53dff6539e87c7e2826e30d
SHA512 c8b816d0b0ce687de0615cf1cc13bc2150fad925bc7134506ba06be391f0592b2a3953a89a38ce11c0b2f898511c60c367b15e52287cb361ad6f397ebd8a7508

memory/2756-1766-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2068-1767-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 05:50

Reported

2024-11-14 05:52

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (87) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\ProgramData\CygQgIkQ\TMYsAEsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TMYsAEsw.exe = "C:\\ProgramData\\CygQgIkQ\\TMYsAEsw.exe" C:\ProgramData\CygQgIkQ\TMYsAEsw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeMQgMgw.exe = "C:\\Users\\Admin\\xWEAsQgo\\yeMQgMgw.exe" C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TMYsAEsw.exe = "C:\\ProgramData\\CygQgIkQ\\TMYsAEsw.exe" C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeMQgMgw.exe = "C:\\Users\\Admin\\xWEAsQgo\\yeMQgMgw.exe" C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\CygQgIkQ\TMYsAEsw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A
N/A N/A C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe
PID 1692 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe
PID 1692 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe
PID 1692 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\CygQgIkQ\TMYsAEsw.exe
PID 1692 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\CygQgIkQ\TMYsAEsw.exe
PID 1692 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\ProgramData\CygQgIkQ\TMYsAEsw.exe
PID 1692 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1268 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1268 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe

"C:\Users\Admin\AppData\Local\Temp\e1f11d75538ac4b05b82ca85e0ab212bdaca12f7b350ff5baa9cd606663f905c.exe"

C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe

"C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe"

C:\ProgramData\CygQgIkQ\TMYsAEsw.exe

"C:\ProgramData\CygQgIkQ\TMYsAEsw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.187.238:80 google.com tcp
GB 142.250.187.238:80 google.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1692-0-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\xWEAsQgo\yeMQgMgw.exe

MD5 7dc983b9c8835a8ff77361b122ec659e
SHA1 e8496747f0b07d6a65621d228aac88ba18eb8866
SHA256 e61567cc85215daf823cb5ecff568d2653b2dde4bca84d9c0e7d262ed2e62fcd
SHA512 1d77be206b292b919816d4097f131cefd59c863ec6e75fff564b36a889b6b78332e862206a8c4f3bde1b2f96a79c72e64da12a44c8d30534356a5fecea29a7d0

memory/400-12-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\CygQgIkQ\TMYsAEsw.exe

MD5 bc25aae9ab41ba34e8b6bc0090980563
SHA1 ccefcf3356bd656172037b37dd95b02072218325
SHA256 a6d4b817262eccca9258d2451458a3207eb673f4644248da5e51aaef54f5f2bb
SHA512 6b49601db07748c04c3b753353a359c1bf06a8625f3ab42f8d51ecb57df7585770d7bd9787033239c6578a52728ff91594ecbb52c55769d87fd0b3f417dfb76e

memory/4024-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1692-18-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 fe7447baa663e0fdda4d5e88f22a6037
SHA1 af8a12bc7c8d9380304bf5f0b5e793242e5b933e
SHA256 955dd0e85fcff296a23f49d803aad03c8c9e6adaf13b125a1980953e6dc32a2c
SHA512 dea27a70e1759e6e2c4aa67e3c879c7735c2410b56b2933327bdb72ad220f538c5089460770cd42fe121e53f14d429222471d628c44383504282feef36dc8506

C:\Users\Admin\AppData\Local\Temp\gcgM.exe

MD5 5721af4e6210180485a492388b606241
SHA1 7ec212aa3280bfa89a2e2b9843bfd51ec5db8154
SHA256 10de02e0e728be2fa1b3e7360e584c9a6b4c2294f0e5d92e28f353860ef4f603
SHA512 723262c00c165a4327fd5f14432a0fe939716cab75990954b4576c4d121711e15e9cbdb5a4cf648c3435237962bfddc2bc6d542b13ceb2b85513e3712b49b32d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 24d7510567969435db8334b3a364da77
SHA1 203b35e08ced0776e29944ca3245bb8b1a74e945
SHA256 4a570f2696f73374cc547fff4a79cc8cd9159f25e5a3e29d99d9d6cb1c77887a
SHA512 8aa09ed281d57543ce66dac278d9acba84da7735d6bb51cda14da9a185d474181f51a99b8606b06e3d571947d7ac602bff82d77a7c37dbeec62de8631ffc5605

C:\Users\Admin\AppData\Local\Temp\OAke.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 4165d219178d860e2c9eeb251f3bea57
SHA1 a1e43ac5cee90cab8a6f126c75f8199cb952e51a
SHA256 0add17259202dcb2a8b28df16d0f468e9d8efd99fe6e81c0f81146a2cc4bde25
SHA512 8ac16b088252b6ead0e565403f67be56ece06f85f2b911a315b18ab286dbf5b6a65e6a538b9962c8e28979979f9db99f8c5baf90759bf4e627b7cdb28dfdec94

C:\Users\Admin\AppData\Local\Temp\QQEm.exe

MD5 8c51d0287c78665b7d8c23d9e50bef69
SHA1 85b754a479c2f38d211fd7aef2b84082bfd80902
SHA256 4c01917244f288f1c795625627f80e3cc69fb959e4e8d9696ea969dfe88133c1
SHA512 aeca3d7abd1dc469d11df03e3852043b5ad6dd39a536b45ad33fe3e65b996c544d18ebc2c6755cd087edbd641276f5abbce273b7895939866b6b7239b4679ac9

C:\Users\Admin\AppData\Local\Temp\Ykoq.exe

MD5 2db4124dfc35fd4c039f9765d6b448ac
SHA1 6348fb9fddb974ec78c4a4a9a110f8a8076f7b08
SHA256 5f84bf8b0febd1e7e7fe2560e8848f09a0c82136448eba2ad31727aeb2c0e55d
SHA512 40d7a3ef7c04f25352f4eecbc971f959a25383c5da0e0f5717daf4b51ebaeb63397b413f9e1dfd1e1c26cb53deef54f4c72401368e33d412883bd302b551270c

C:\Users\Admin\AppData\Local\Temp\Gwww.exe

MD5 02769f10bf17f71335ce3deb78544bb8
SHA1 9870134dfd74134c4c2ba5067ae37214453e46e5
SHA256 044b177d6aa4c438b309fedbc6ca739947225b448f8b81ac905d1bce8c713956
SHA512 0d24c572dda1d0ee67b56b388a9b7809f020999d3f23bae61b1602c5a864cc77d217a73f35571c3b112381a84439e7b1463904a97cb3627c6aa6ac211d9a0edd

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 3de765becc15a726e65073dfaab3e4a0
SHA1 3a1edfd876c8266f92d9ec6d2b2111d400c2796f
SHA256 7c05a2108d5d47bdbda50a140d68923ca7ae0db02dca8be4b3eb02a0a3f70e55
SHA512 80579626024b573766eb197034c84f1f8e7f8af3d4303051c89be17ac11276e9340ced4f5f6324d0ed012e65e02e6e9c6bc1980d2e658f4b7b7706feadca14d7

C:\Users\Admin\AppData\Local\Temp\UYsm.exe

MD5 82376e08a535766b7c72885f5ff4b787
SHA1 acb245883c8fa6d3e003ccfa8d45889d2e91356b
SHA256 7d1f6b5c84c401d20e2b16c4f926ab4997222f29b9dd69dc8b86a4d3ab84a74d
SHA512 b0de9157eb24d89d6389e9cdab6146bbd50220e0d6eb2ccb5f631125152c6a40318826cbff842208d268c0aaec1bc42de368ecad074d421041aa375ad6a9b62c

C:\Users\Admin\AppData\Local\Temp\kQoA.exe

MD5 c801e0f86de343191cc694c77ac1f4f5
SHA1 65fba1764fd5af70c6f554b9e01a0e51b2bafd87
SHA256 508c63d036a4c63af4c1993061c8f2f76243db3fb380e666fcd61e110320b000
SHA512 9fbd5d8223af31fdb73a8b786e2839eb874e89806da9d9dea00a16bf203143e3f06d76448b8b6dbbcd24100dec921addb62594f58c7e08891733e9baa6617aca

C:\Users\Admin\AppData\Local\Temp\cYMU.exe

MD5 ddffc64fe89701238019ea4733b2676f
SHA1 74fe8acc15506d585f11723b9cf906105020cf43
SHA256 cda84a6a4f29494bee290e1df54461182b013b377e0c1c9ec51a5fc845d36463
SHA512 79b0836ea53898065aa24fc6c07489506b59a61e06c879614fcbfd05de5d10ed6e8e805d62262e6abec1b54b7a6621abf6558a7d73ebac54421b0a2731cb9bc1

C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

MD5 812cc62aaf1194e599caa90bc77e0bff
SHA1 143c993eef0337ed129b2df11196ec215c8cf6d6
SHA256 a6070a4d92b9dc29f73b94dc2d7e68a6961753e2329155399e8870f99913f135
SHA512 6c8c9b08d4ffef0c5ce3dcc792a96f0259b239ae0c337f33e164978ee0bb371c7170730750b4ab4795d0e48ca69fc17309fc1c75c23457ae7c0f9ea2dfdf161d

C:\Users\Admin\AppData\Local\Temp\AYcm.exe

MD5 8e6f75a20a4ccf2c9640c927a7432443
SHA1 3406e95cf386e798bbbf61b0213107fa547a1c04
SHA256 8af624c0118769f79c7bac1e9a446c53a6a87f91cabd51644bbfd4cd7273eb77
SHA512 9af2107b3c1473de7280431be6abd21ed8d62ae5921d97c3a513d8789086cd0bf3fceebb07c4a79cd0611607e478764726e69b8d147d6663e9f432b055519198

C:\Users\Admin\AppData\Local\Temp\Qsce.exe

MD5 1fdf9c9e4911ca70fae8f663126d2067
SHA1 6f0f721464e97dc0b09c3cd2353ee1914ac7c756
SHA256 72bd3c4b53c207932ed56ae3de63bccfbea3bd46bd99b61ab4f6e384302956f0
SHA512 0bdbacdae5cabf13b64f337ce56c47311373253d2207bb61d602d125650dc45e9be096debfac9287b2f2c8841e41f2fca10da933204e50285bf2a8076b8804ae

C:\Users\Admin\AppData\Local\Temp\wEQK.exe

MD5 c74a3776ecaf670f0efc66b295c65c7b
SHA1 2d813980c9827df64247ed86928482b7f5020422
SHA256 3a733c0ff83a4fe1f5f3dc51ae46eb8a26ff9d0c08733c5a67ab99a2fb5f9bb4
SHA512 041426ac610d14631938479f7ae061f61afe2871b8691e96356fc09ca829343356fd54897fafd16aed257c0e6bd7cd7d29336b7eed960f86ef95e8efde1a57eb

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 4ba2f7aed674ba8c967539a20c76f8b9
SHA1 0b6f4171d903dfba53dd136dc08bd3e1744c9b7c
SHA256 5eed92e2b34f6bfc87a0f4c36bdbe680e7b5b4f5fa1b32d6c9f277c031f18409
SHA512 148c5d274e69f159c90c9045658e1db7669b44ec0be03b9e7d92a98250b6fe9ae5ad609a0713c3782b45a8cffdbbcc2209301b692bcbc8c094a08acca98283ab

C:\Users\Admin\AppData\Local\Temp\qoIG.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 f51c6b67cae39be25e8e2357c554bb1c
SHA1 2c762056af05da4b02d2fd58cb72fe4d389f2c55
SHA256 9c339907fdcfc4c2f7423094abe554c0fae5e8d0682c9a3279478522c94f9caf
SHA512 4f471edf21382488b5d06159ec0bfeecb9566a9b07e1e0a22ffa631557c0f0960bfb00f976e4fe64ed81394d87ccb5276c57b64e01f42b866a76aa7021096e32

C:\Users\Admin\AppData\Local\Temp\sYgK.exe

MD5 f20a17fdd4d2d278c2a70e6bd7c353e4
SHA1 1671a4e3d3462581190eea11f4266844c8dbeddb
SHA256 2851fbe4a609290a46256ab33babf7e922d25d52c92a7966cf795a664ed4eb06
SHA512 4353412eb10eaaebbd7c523bb6c43db4d3ff5abb8084a4ae130e9c60a9ab35e7cbdf05ef59f9bb42f115f79349c770d61db9dc8898c2539a3bd449faefcfc778

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 962e6c6d8bbe8f458a52084dc516724b
SHA1 d266c542efff225c76f81570ecf9e6f1a71c5277
SHA256 b620c07d8c04699a61fe7bcef6619d5a27365554ec0cc7f512691a30e45d34f6
SHA512 98adeed6cd08edee2deaf31aaf749e8ca81852f008d8bf23c52ce407689c77c2df854d2c09aa6b4ce5a40a7a431e52cc05497c595ca3fc570058a33eb3758bee

C:\Users\Admin\AppData\Local\Temp\QsMU.exe

MD5 31efbec3d3ddd92ebf233bc4c1f6e805
SHA1 1ed8c96752811705313bd8eee6e5916a2c5184bf
SHA256 e007927fa0fb808b1fd3f018e366ba2f110a07eb227d4139982b23485d0c2a65
SHA512 7728c82ac1f27c8187d474720f118eeac743f460e49fc86737115166083f4161231d0a5e2272e971b4bf586af778d4c1c5bdf8bcda4500a0e2cf768643f37435

C:\Users\Admin\AppData\Local\Temp\OgUY.exe

MD5 0954eb9a048659584aec7d70b6718347
SHA1 4c1c659bc9d88ec453fea9e289798a3c60c6d203
SHA256 93e45da0ba1d685db5f5e0259925089ba970177259660c34cce086a08410036a
SHA512 a4811cffcb2c2227d80590bd14dd6bb03942965b6ed6923df9a54cf0c802ee352e352122abf9ffa2348c42a45adf41df6c5b730387e65a6dc62cd516f6fe4b8d

C:\Users\Admin\AppData\Local\Temp\UAAq.exe

MD5 d46671108e7263a040afe6a07c2ed5eb
SHA1 a9f12e0f76431b8ced3502044625453b5c5ae9af
SHA256 2b214f3b9c1bc7b7b425046ab26fed627ca41ed591944dcf6b8bfdfd5588884c
SHA512 42e25149a7eaf868085053e028f1e980040a43e3fefe388d5f6b686bc124e360f468d6f2e45401a3c8ecebdb23c0cac8c011aa7910817b2bbe41eb0edc74d087

C:\Users\Admin\AppData\Local\Temp\OsMg.exe

MD5 8fbc215dfc3e311d9caa48e0146da866
SHA1 031a05427ba612a7febdeaeedb2edbf43b80aeb6
SHA256 a82ad0ffb834d003d648af2d24d96ae631c4e2c83a16a316eb0e80f209401eae
SHA512 4294f9e0ef1039a0a6e1076848fb009a89a7e1803c7538e24dacff8eb61d8ae680beab5a20cf2fe62f0e64871abbf92cf9f9b51c70a3855082bdf48858e8e03d

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 bdc52a835b08cde3bb053282ccd2408c
SHA1 f8cd1faf51539359c70bb6c58f8e0de6101cb45f
SHA256 43e90a9e31be46961f7ac8ca102edac5a958fead064dcc5cd5a4c88c14e35bb2
SHA512 ab701d1618cae66241f01b46751755058098907a3addb420ee7fefb998bf6257c303895bc6c20338e81b9e39b03bcd8504058b6fda7293a887ee82099a577e78

C:\Users\Admin\AppData\Local\Temp\wAkW.exe

MD5 72c2cb39e5af6636fac1f8526c0c3aaa
SHA1 f3ce24e823a04e557a4bd13e2315709fcd6685b2
SHA256 b984b524648d1ac3dc5a37b792c00a019c5121af587e650efe001bf9667823ba
SHA512 5671bf84659cb6ed69f52d67e5884863a20e208159ff942d3fbe2d4c3fff208de98a2978ff86861565f86cab2f7b25041d97642e7c76ca7c3c3bd733e229c9e2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 e73b6cb9a464717a77b854858c9caf7c
SHA1 0ec6a3e55725186334ff242d7ebf57e1019f0a89
SHA256 d6fdbd4d024b2dff5235d904b3f0fab25a4cc0c9295c851c1449dd49f5fbb16b
SHA512 678600b4d970e8d832198d67c62a9636bc892c58c824c7416d8cd2a063419faa64ff5a1a6bd869c3ab8a193b4d9a4a55cc838846f40a4c4137426d51ac2b6052

C:\Users\Admin\AppData\Local\Temp\eEgM.exe

MD5 01004ecace3c0b66c869a7088fb4fb64
SHA1 540c425bb4caecd94bae3969ee28c41e4ff3b38b
SHA256 49d1b596dfe1aa693b65261cce93fd8db1af078a1bbc8be40f305be2e8b4fa5b
SHA512 72f8e306044df0d9fc614c5dea26ffd83dd0730f3aa03a64f7e78191abd13821b6972bb22158795402ee3547ba2fd9a5a9705eb9fa08175059747c9222236ab9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 2d2643e100e1d829346ebe4f65dce2fd
SHA1 ff772ecfec1236fa81ba7ea581f617dfbd0bce80
SHA256 ee62926db554bce9b25f5b689905e4d22bee45f97bfd8412e36d4a5be4b4ccbc
SHA512 99eeb151abec9a0361abdcaf713013c25a79cc4c867e67b7772bdbf64e59a162b340a865fe6f51144e770c7e5ed454eb078a96bca3ad7b9d906a2cdd99dad76d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 37e09111c54e05f0845c0e3fd14ac733
SHA1 9c7621c223e24453b15c3abf8cd319d26f2c35ea
SHA256 3910988ab72b970cfb0c094dbe6b56c26c047c4a28282aa05782b585b68d40b5
SHA512 c239ae747237fcd9e635dd229b44bcbdf44b1a2729aa2c4c6446da5ac7a9c9dad154920930621c569db145d241b12cb87042bfb8887d2281ad6f5a1cf84484de

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 30d534c066a1a97ed1c2bc595731893a
SHA1 51c220a6d08f6a1c015997cbce564f6559546e6d
SHA256 79b38fa8f28b964dca95fb0be3b9170717063a5a4b13f1cd178be473946f0210
SHA512 2ea70e34814f6e35a29322da45cb841c7a2f864ceadfe5127d798ec5953a19eb9eadca5a9ba33230aebf541775d9dc12332de5678e328b704212669b2bf902b0

C:\Users\Admin\AppData\Local\Temp\gkgy.exe

MD5 7de84400b2a7ecbacb72271faba433b8
SHA1 01a335b3d8c8241bc7d4e9a96c74c38fa5f6830b
SHA256 f4d86d3622baf398d865b2768deef8995a109d3316208c52eba8e26ea24e32e6
SHA512 3e3ad8574d76090bc300991c65d7199b2c89071e018b44b3f56669487561ea4b15372bf5aabc2cf055256afebf1db08cba01df5a6b4b7c7acd2adb414ea6387a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 91416ba6430d7094490924b9e54276f3
SHA1 7da2ff72c5ab99d11f75fa4eb73ea718bddebac6
SHA256 6c9f8afae833e739aad8ab400d5c63dd1d793292c05ef66c57b2b44b10838018
SHA512 57f298268575c436228343f9d90acda6c1417e222d7d7888d00caf82b669b49587238b9ba9d8b568148230af447a67c9ee981916ce8e862adc474368641a1547

C:\Users\Admin\AppData\Local\Temp\EkUO.exe

MD5 784287b61d9f223f6b864584a26ed447
SHA1 cea645c7af9dd14ee4feeb58dc94e219ef6a7c5c
SHA256 982d58cfd3fdb1b2d9a590d32f0024d6a96a2ebb957efa9d9c0523cc7b3b5283
SHA512 58225515df2f9b40c7a3ba360a75a9ea643cd84c7f54c2b257de8da3518ad78e95fe6e7cb3dfa86f3620e936c4a09129624deefe4dfa99901432f554540ce8f7

C:\Users\Admin\AppData\Local\Temp\oIYy.exe

MD5 0f024c671d3631e54c25413822073813
SHA1 dcc71d58ab57012033ef9f1a66914d074522a1bc
SHA256 d55ea62ff4b899f5074eb3be02264cfd786bbc4dd428822a2a18fe396facba82
SHA512 db2b3c2a0379ed0746e213acc941463e78d40a7535e83f69f201de2bfdd6241702e48d08bec66022541fd9d16f6f0d24f8b1567b4ce5564851341afe3b62142e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 6ebea9808530083646de4119fcf2b779
SHA1 644800ffcdb6c48ad8a6f0ded720667c819aa1b2
SHA256 f6224f3c685efc97b7322a2f8ca92bb6625a604e1ea66d9b2cf0e1459243d8af
SHA512 041b74985d3c32b27dd214757c40c46d164694003380a790d981b9baf7986ac7cd6291a0e4afa9f19eabe2c58d7a0bfccb870d6aa70ef3da03daa3ea791b27ca

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 3e4098faa76604e2b483330ed6fa28f5
SHA1 5ccadbfdc2b95cd41350c989f9c55ef04e37725f
SHA256 30d3a482e65134f410cf7c6f51b426d0b3f5bb11570d245ce8451b2eb82594b3
SHA512 5740e51a2130d9a19a7b1b90e20e997d816a7faa9f40b8082524bf78edef4e97a55313fea1f84ff7df7c11cff54dc2098d75d0cf2c1363a3aa32c790b17bba36

C:\Users\Admin\AppData\Local\Temp\yAAm.exe

MD5 8f13bcc18432fa8b639db6b83a0a41a8
SHA1 60b4b6f35a43518bcd8aa258f7ea63f1d453cd6a
SHA256 c83094b7829e1d73ff46e140bb7d754d30b95542204f1044a958d6a4d1f4104c
SHA512 f96375b393947548d81f2af2bee87d862c8d4748b5bb0847fc210f6bca607d7772c63024feadf305e4c855c68e72ca23eb20ad0d731610bad4861427384cae56

C:\Users\Admin\AppData\Local\Temp\qUse.exe

MD5 0ef3d8a3526f9493fb030afd3af7a57c
SHA1 483272968fef13f1874c72f97be7730ab4f45dd1
SHA256 c495cfb8d02a998e741c17c9164cd7b013c2705fa9a9746bb2d711bbc9c6ce6f
SHA512 29f8e0adc95ad211c274f3d5cd5f7b8f23696733bbecebfa1105389c780488457f8d2c22b382997def1a78f2e71b5d6ec3b8d69c321b93b307958cd9ad474564

C:\Users\Admin\AppData\Local\Temp\SkQK.exe

MD5 8ffd8d681c5fe72452a7178a9c63a2ef
SHA1 14cc8776bf1f1bae146c71ed8065bb18c7a0df56
SHA256 b35a4dcc09ed0149b69d956454b5cb1859ff45a29ed598bb02cc5934c0e344f3
SHA512 5b174f004e59ecc312782a25156409bd663403eb590600df9139f8064ca2d8e773e970d527d46614375a2b1ebce7b9c841770ca7575863a06cdf903311d436b3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 6e1f3b0969df1b378c5a0fac67502c8d
SHA1 69c9c7562a56ea406a439354967574d6cefefb1d
SHA256 eef557431a70e66b507a2048787242328205a9a85c958be0283d82818e06fd81
SHA512 31de328e7ebf72bdee4a83e21b304f3c30ce62c703f3c9e02ba2daa86324bd53f008860744b56948b7d492681a3e499efdb2d70fe18f7c31afae328c398386d6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 52579e1a0895e0e2e298da85bc675f25
SHA1 d269a3850d1e395dcabb657363266ba84ef2e209
SHA256 261454b5d5b4b836ad29f8cc06b3fdd67674eb1becac3124f28bac7da5bde76a
SHA512 bcbeadea6fbf2183488ae3acea93f90866596e85e4cbf12e8fab155e15facc05fc928c107d8feadf65f5ef998556d381872d2247cebf84e0215a7277082da332

C:\Users\Admin\AppData\Local\Temp\cAgW.exe

MD5 4866af42dd0d019267bc14d13adfd905
SHA1 47fa75635efe31d58f67c947682503a75838c27d
SHA256 e055a70f89615f0905ad1f63e762be6d2ac934f2d4196a8f2b20474320c2b62a
SHA512 3942e9ef49bf6d0ba1743cb97a9b09e465c75b7947bf37dc22cc394232addcdbef8c976c6b4ab1f0cb36423d86dfbde354059a616179ae567cf047ba28de2262

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 99e1abf86d48c917276f24b49aa4e389
SHA1 f8aa4cb2b2ba4e85f01bc0e9e5082788978fe6f0
SHA256 8df107b19ebb47258a2a33755cfd30f68df5dd3c38be2cfba33ea25a5fe4c3c2
SHA512 59d1b515ffeebd2806e515e0585529328e51be71d8d061dc4b4cafae36f879532c9a59a72a6ea0fd91d594e02caa993e9cf3542ec73e50bfee191465ec4c4138

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 fe190d6d6ab46c794c7080fbf9fc2cff
SHA1 265eb69c74e6e771ae748f77c2cca3d13bc34578
SHA256 c707c897ef83703517ce03c283537bd17489d6863e420ce91cc437ec22cd8df2
SHA512 bb0c3aeda78cebac5357f388ac51c11585b0511d2082c5915c2352f3642f0e43b460d0461887bdefc27ef4a307f75dc0808a7e5dd3f6a68fc2e135491b688e10

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 dd1500489eca051272fcd85b250e8f13
SHA1 c1270d9a11071ea1af533cbf02d0307b60fe55b4
SHA256 6965e251bc2f327edc5d7f858fc434d6251cc6b34fff57be55a8ccf4a5316584
SHA512 67031b574d92799251f1a4407ce0b86fe02cc5c27dfa3ed120983dbcdd215961dc4ae5becdf60eb1d2ded0d2631f2dca85c7f1e4dc3405419279295b44e5ab8e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

MD5 58035650f119c45b28e7c82fb289da24
SHA1 d48a64d00ebb80642baddf93ea5af34181afe94a
SHA256 6afbb15fbbda0dc55924cfe2bc1653fa8bf1da3c8cbd2d8913bfaa6da5259a20
SHA512 e119473a79f4895b30262ec35e597fb9fdf0ab2d9adf022c53983676f8c63d27fbb5b923632e62b726b67a9c6fcf97474a6e3b0049a6bc96ab8dd935ca5c8615

C:\Users\Admin\AppData\Local\Temp\AgsM.exe

MD5 7237f306cde3b5df99800cf25c34d532
SHA1 d686bff23899f000013c5c87895ea411bea101d1
SHA256 399626f1f8528fbb0780b372906bef65952aca8f27e5acf5b8edee1245913752
SHA512 3669942d32c77db2eace9dc7dc5d96de9686e7e96a31d0c86fc49f335dce0b7cf6b1e9f5f078242695a3bb74f94775c5ae24897e3dca70a78dffa7796103f0f9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

MD5 4b90b733dde876897d811ae9dfc79dc7
SHA1 17bf233a51efa0d52531249304c0af376c96df95
SHA256 cc86c02662b1694a7c137b99e38bbf5e5b1d6293da8f6bbfcac79726905cc2f8
SHA512 9af1a13d0d6e9a756bc851fcf13ca6dd81d40b29770560505181cb5483a12e90297b53fd4a11be5f8df04f233e88e77eed4b854b87e5698ab565bbb5f1dadc99

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 bda5f3a14caa68652b34a1ead7b526f5
SHA1 bb54e8b4c8438cb43ab5d8272f7c493a4a5a19e3
SHA256 19f79860de6ca149dc4650f8b482270bc9cb6959b8b5fb854529f8987691257a
SHA512 1de110e9fdf37c8a7844e9bb17f4dc53fa886d73e2279e96102985bbd90b41806d6b539fbd4ed606dbb6b7dccb46751c336f72e4755e26859f4f3e064d837ee8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 f41f66c1bb56cad7dbd9300d66853d1d
SHA1 fdc5c1865a32ac18e67c3b0e78cbd207b2e2b76e
SHA256 b0af883e511d6531cd0f06b80b2d7983f44709afa7975a8a67bc6282a1dbd67e
SHA512 6ef32a0fc1079f4350521368e00fe35566b57c77dd9e3281fdfe6f6f654b91d996d18db8d608e02a8003c1ec42caf9fe1e29fd61a898fd9fb03c9a98346248ff

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 d4ebe67a31a181b40635c7094be9c711
SHA1 226db0e0cc4599460baf340432ba821b37803cbc
SHA256 075671a2687040d639a334edb67056bc7beaa2f780b4a2d75faba2f2bf9bcf7d
SHA512 9671d695a5251e9e933d9fd778f3e74563764b2d746f7342e7fbafa923da0c169d3b5ddf60c759e281020769cb4ac12abc602cd1797a8e2450173cba43f9c59e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 1c06a8d658d04dea6209dd0f2c6b9aa2
SHA1 56d1650973241b048ba26e485776f48c9d74f1df
SHA256 9ee905fc73f42ec16a55c0e667445b9adcd036c2b55be783f2370188a67f991d
SHA512 4b30b3f12d8e586e55372ec5f6a21a0d0ffcf1ec05ec79762307294172f68924a6998312d7ce7ce97a6d8abee03644c7970a24d280152892f4c7a674d47bb034

C:\Users\Admin\AppData\Local\Temp\OYMS.exe

MD5 68480cd6dd7adc0ac1f9c7192ef51d44
SHA1 f02fdd8afa605c567e6c322ed12e358d4bf2db6f
SHA256 46cd7bdedb8a2b1c0f6f29f9386e2c784031863a26971320b8e6dc4e7606bad5
SHA512 3a090821c25a877f690d293399a19048f68e716b3fd9294da8a593d476b6b82d1400937853b90b9628a4290587687da4de07cacae0685dee833152b5278182d7

C:\Users\Admin\AppData\Local\Temp\ggcQ.exe

MD5 597d3d0279e6904e4132724ef1ce5f0a
SHA1 3eed4f1b60e25d8d6dcbf524e5e61fed0554437c
SHA256 a2455339dc0e329f2c1d64e13a803bf91c366987e912de123745a2ae77cf73cb
SHA512 fbedb25c7f4e2a1458b331ebdb7b5ebf04d0eb9e2407d70d9b97136b6abe069052b348e9ba0845dc85fd27f976c8b09656c5760cb20f31243579a95bc4c8a8b3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 c0ab6320809430a93bb476e2ab17a54b
SHA1 2eb53d1fbe205a95e32f25ad56b2069fffe4c4ca
SHA256 ee2f627e8d26ddd7a5c78f81aa4e4da31382454f81be501838ac24fe55d5d0ec
SHA512 57722626385d49640d94e4b8cef0eb36f01bed41dd20cdcfcefcf16d806f4b26f865c3cbab8a2ac271d63b227cdbed39a0e24ee75f3c4711ce35b521d46feeb8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 e1756895a50c4cc2299cbaa35b10ce45
SHA1 37d6404651eb1ec48131409b16641ed3edfbbeca
SHA256 385debe6526bd8709e5e7a3d05a1adb475f375e2b5ac99609e16abc125bb9fc0
SHA512 f9721a69b9b2f62617e438d7ac93d13e284524fbdd2c498336b8a6ab5557673459e835ebbf1698f6343ecaa5b2e8c4db4baa2d6431fb214d4b7a0f8f309002a5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

MD5 466acf0cd42a32d3b19522a5a6461b2c
SHA1 2dcaa659b33084a66fbb447f3791891d3337c629
SHA256 7273fce1d9e76352b7452c0bf92c49836f4fc81a09b68a2d5c05182a4e293fb9
SHA512 8a3cfe22077099fd1ce583d9b04697627ad5d572aaea08dee2618141a4735901585c11ce285e376a0dd3d7e2cf1c6c6cf650754a419c8fa82869e9d903fb26d9

C:\Users\Admin\AppData\Local\Temp\Ikgm.exe

MD5 88c2bcff7eeb76224eac1e3483ce6302
SHA1 69a6e36b4481f4eec13da815087a82b532a9aec9
SHA256 96c025c77a6a40fe50250550c7927d6166617d25e1e20b79e2e79035ce2179cf
SHA512 2eef6f002fb20f89f322af0b579dac8840758b9937f8eee959bec22e76b3c73dbd31bba3ba1eb51373337f0f8066eb54c8761db656704c9d0cffe9651ced7c2d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 0481a302246a330642126abdaee1d39b
SHA1 74b80cdaba6c75a6ad81d29e4abb6232e882c1b5
SHA256 24e7146cf3a5347fd298a601cdfe615dfc92745ae5edc7d904c2e9bc9289e091
SHA512 f2bec8feb53c5ed35b09b10457c985c60cd255d73fc253384519e1145e67502437cd9e63d2d94b1a8a958b23409f4c79b6875b37614d942cf998f40124322465

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 92e58cb9f88ebf3a0c9d34ff181670bf
SHA1 49acadbddafdfe57c5f7a6d7a3d55f363c4988fb
SHA256 4042e3fd4401f62b8987cef20a1f1b3edc8cde11fcf5c437f6df1d7b647371ec
SHA512 eda73d0ecf473afd1643d8d9825f5a7710284db24ce5198ad340b6214416c7b9191e8ca3bfac55b28055ff3eb2b0749c7e39db680f088e3c6a6c5e7a49eb12e8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 56affe0553990e7e79a9eaaf91d0ba80
SHA1 fdd0e959ab4147077d99ba1a280f7e88c83acd7c
SHA256 a2405a068f8d619eb08d24197be8052d79a2b83404b5d87c292947410440cfc5
SHA512 562f2a20870ef26690dd86c2ef9a13d39bed4155c1333c57c9fb94225825b74d15e95fa6d53d873487e5694ef6d5ac44203ebeb9f66c016860c8e1cd27a8c1b6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 6e0511dafc7c17b75e9adc84af9427d1
SHA1 aab8a747bf5725e95da462e4b27ae893f2327513
SHA256 84fb6401c50c7ce1f6f8f22710210beee9c94def05e4337bebd50bcb738be4f2
SHA512 e26402353346fa27f0d12468b62ecd132a91bad16f90cca793795f34ca7df738ee6817e99ef20c056778d6857798acc71904e46912303bb53e902928f678436a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 6ea06ceb6abae9bcc7ddd89a5bcd493a
SHA1 bd9b2ede00756faed269b844a0495f502604a702
SHA256 1dff435f296138e66bea32dbf9df95898dec7ba4e08aeb6259d9e46562842e09
SHA512 05e49191521eaf44ed306ba6108a124cabde8e833b400083bde09c5c95aeee31074b7ef32ac4962ed886f5a3a478da40451d192ccc1b69046f1b8f05a5261d82

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 05bb5388d455f50479f9b4359c89bea2
SHA1 bbb4c6c783110058e91475deac2332c4de7c1520
SHA256 2bf452ec081373cf32be140b5b7113b940aa633adff097cd1001183782aeb549
SHA512 d26eba8f275723ee960ebbf0e6cef79e69d920be8d7fe9500c20ed3ece44b7d39f0faf479a7d0d6826d23a7baadb6849ed4d127775dd7489a018b0ba6e9aadfe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 bd2553d75aabbe440347a2dfdd347299
SHA1 6fad7868ba5ce8143248b741cbd7e200e2d2c6ea
SHA256 dea997526ee774819e580ec4f3b048ab24f84d6c19c418740585eeeaca98a88f
SHA512 b944ea0c1f1f111b8fa0d66ef7d8b97b3d18dbbf914d408cd6d9b908b50ad5cd177f2d35948ea7ab68f2d28f92d81af1cddd52d8e4b6ffe8edf30bf6ae1174af

C:\Users\Admin\AppData\Local\Temp\wkEE.exe

MD5 3519550a267607a5314a0db8ffaec069
SHA1 5cda2485d1f9c817e599accd6cf85ba22d73f7c7
SHA256 3b3d2eb1fbb6186278e1b718165f98a13b8c8662cbb11dc9b6b414ab643c9e07
SHA512 c2f65d3039ca336653103f3ba1d6a9db46a77e77ef050ec88aa561b15cb26367f7dbc849c8cac059f2d352f46f3b30cc27abe5fa504a88a9675ffddb2208140e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 e52f5c4c58c0abdf4ef17d44cf32243f
SHA1 39e6be6e4bcc65a1640a96efda66b583fc97df37
SHA256 11c12af2842875189af00da94715b3f6204f462ee56daec55eb6b479b23f7098
SHA512 b97618a8e418546054926127eda50efdfee17a88c11d0348c150439e04912c5bb215f80d32256e1abcde659844783663f5ed5cd4b87300020e5a6852d3ead374

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 5244052b2fc1a23e27410ba207accde7
SHA1 424ba57bae5a26d6d2148e50efec58a1c20da653
SHA256 c0ae62521f47c3df0fb9f6de3fe38f877a1edca73ed21aad11b461fd10f0eccd
SHA512 6903d5b49713eb2c24e6c47e12b9f47e3c09e33e5c876aac056cafec60e744946eab2579d223e1c1d054af2b563f5ee7579a27cc9b76874ba66ac2822818d7a9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

MD5 0d74959e9f555d20c2269db722a4ca5e
SHA1 7a51a6150c220ca576dfa5395eb043cd48a4e67f
SHA256 79be40281a8c4d2399c9de3986a97b762566afce8b9c91628d368dd57a8d505c
SHA512 231d057e86026eb5e45611923bee4061c4a4a488f36d8745d02cde24a19499bafac08654a1a33c01e06f7588ef1cd3a5e7d7f5790dec33782966a1adc73e2396

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 d22f6c73cd6e0c6d113156cf84a8e2da
SHA1 f0352898a2af3105bebed56d5b83961304ac068d
SHA256 e96f274ee55ed240e8ca4d9ef44357bdda670a35b585f4edf1d76a5241cbab6c
SHA512 047c190d4d37028d44103c4278d15e9c940d5880ae0311079108920629566db63886f173437b2e1e6a9f68c7c3598bc52c705e7fffe113106a284d2655180bd1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 535e1545f25e8171a8e8eb99de0ea53f
SHA1 2924297416b4b898a3856116d1734944f6e593cb
SHA256 11ba70a9f4ebe6e2816371d2c23ec803ba1849064a2b80900a4f015f6504aad8
SHA512 659571dd079ee472e85d1f88ef24cef5805ae16456fa2ed07d4ad348b4086a05d5b34a452000a16b8e1f4a64cd6d47f50012fb04ed97e4d29f05911366dbf793

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 aa534414b98b8e687201ade511dec14f
SHA1 bbe73782919cf1ca203fdf2be4b11d42a02d85cc
SHA256 108a0561223ccde3dfd528f2a554e94a4e8813b8693f88faab24da22ad03d5c7
SHA512 3222fa6a9b7dacd4f9240bca43eb71a09203970ece0c8fd51777556f2420d3f1984017f987cbd9dd46e34fa9002e22b71b865f1c64348b322d52ceb74bd48dfa

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 6780f0d0a196c0a7bb01178fc0afd88e
SHA1 ebe35d00a59948f7dbd6293b8d2925bb9b2e4262
SHA256 c8e2561585ae8794c2d1e024ee478e8a0aa8296b3357d2c6ebf1fc18985b5694
SHA512 e10239203ab2049a984be1d060f28fbdf22c57134a724a8b4a8a6e415581298b34e9b3110257a7a041e30c4b3830b9b101968c197a3c466847996fd30376ff39

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

MD5 b08162af4aeaa0a601b5d6f71174503d
SHA1 474bf759b7ff41707393a277136b425b88c90691
SHA256 010493c3ceb91eddd29c7a6b355ee58fd0279715a18c1939b8a12dd76ff300af
SHA512 fcda8f255381fcd888e38a0d431506ee535b12bcaa9974f7cf76bd96b66fba87d0cac29b308321902f0bdf78e75bb20001fcaf5bd08f71a9d58f204f6ae4012b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 4b7fc17f79e73086c64dfe556f26e1b9
SHA1 5674c96f4201755b053d3744a5bcc382943f4712
SHA256 e48823f44bb7bd5055c7aa32cf331f6eb707b509f38f614654393790ea6f2b4a
SHA512 fb39746d0cdb6860ef58882697c2df163b923f3ae404d5be7485bcb0bbc71acb774728f4c352430c413160c1c91f8d42f401fee5b26aec33ffd7ebdd89a4994d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 ef080d1d9aa12acb24da0a48622431c5
SHA1 9268e8aaa0581677d12e12c18a0be91b88ebbbed
SHA256 2fe84def53592f1844bfcec93e0b156ace79da026598c52a18469fced8864d00
SHA512 a9abb97a043e571cc4776c4a3efa4f6072971ddd5f68f4534d450b20165bfa48d3ed0b084573e3d8ee454e1e01e1d45b37a4e6d5544deb0f60f2ef725b57ce6a

C:\Users\Admin\AppData\Local\Temp\IYsC.exe

MD5 19defa7a0cf21ef3f65ec4cae4235fc8
SHA1 44aa52113c39d81158e5f4307e7ebc62037d7b7b
SHA256 6658480b42d1a6d56dcea1840a3201ba0c31dffa27ff77d86e8933f1ea914f82
SHA512 2fa9cdbf5798e3d4c51a616a55d1346cf9c2dca972bfd77d23fdee163ea847a9678e559a3e9d96a003b6631a6eb96571b31850222e6928294dc6d8f53e9204b9

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 fb5a2898a8d17ada951ff5b54135c6ab
SHA1 15a213f7045dbd5e9575cdbdf924c0105bb86bb5
SHA256 5169dc22dee813589b221edc0dfeb1d8c5a226401d2477baac10332331b07780
SHA512 822c759ae901eaa1cbfb568970db4a90e0b2c7ac76e75adef1e8ea86641edd49b8476ba1631622209434580d52233ea77c522864019728d97f66a105f3bcae0e

C:\Users\Admin\AppData\Local\Temp\SwoC.exe

MD5 87ad47f5d63634f0afdccd940d1b919c
SHA1 67ce0874ea3ae247399fee078bc4c880e066113a
SHA256 563c6374e28d39d4cf12ebff6927cf5fc0f8c2ad66db1e0ae6c3644ce2b3abfc
SHA512 75ce2b6b1ca7b87acbd606b53b3ddd28ca30fa10bad0134a853aedfe3af8f2d892280df9d46df35def5971968b949b938f51973cd852217ae16863b856079322

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 9769ea782c1f1f5936eb98733f802c9b
SHA1 8f353692942154790ea28e32c037f4be01399f94
SHA256 7099f55706f39fd0501d5edb40fcfdfdd229d6d5903182c170b3b7a9a8b3fac6
SHA512 c55d890b8b152fec4db1ca834c37b16ef8e4782218579e33da0a57340e7afde3933f63dbf709cdc9997c8fd641fb6527c12cf52ad585fcc25042e9d3a24228c2

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 6aa5d22d43e7b72e358f6721f03db4c2
SHA1 69d3bab031042b492d27ff9fe2bd50583c712436
SHA256 8841dfe4c68194a57d526327f2668534cfa789acdd3fe3928c8e024902f8b86f
SHA512 c998db3f0051a397320c95e955727e19cedfac9617aa68903550bb927cb46d4fb018a8fa5d1c6f50b5386213bfcffdc75596aeb7f5dd4213ef2fc516682fad72

C:\Users\Admin\AppData\Local\Temp\GEok.exe

MD5 ddfd80aa0a53ce3b66ff221cbdcb8d3c
SHA1 e8d932c68445b108f5d98c8b7c399c7e24473b86
SHA256 62e034382713ff07ed81b12efde66432490e31ea4588839738354201f51fa220
SHA512 c5edea8046644ea8dafed6fcd7f822c39ab322eebb45178ac0a44b988da349879e2de514f90615e969d9ff75961e1fdb494b877110f6d1c2b2381d6abbc4eec7

C:\Users\Admin\AppData\Local\Temp\qIAw.exe

MD5 097a5ce70a03c1f3813d3f4c150556d3
SHA1 fe496540dd9a0712cfcb1c78515edde76b6229fa
SHA256 88160a3989d618fd470836e0b91d4172ac5cf645c1bf070deed55af06b206cd7
SHA512 16ba18d60992b6a79174859253f88bc677dfe9583acd44dfa257fbd30953221b6cce78b4bf96ce982ee2b0dadb97b2da80c2ad5a5cf34586e10a5ff9e94a8e14

C:\Users\Admin\AppData\Local\Temp\YQQA.exe

MD5 3443d005c02abbb727e97c1a3821e968
SHA1 ebc815c3fdf10a4be46770a98b452c4d08eff954
SHA256 ea4b437d1f3130bba5d6d871f435c76a530310f05740d8bfa9c1157961ad06db
SHA512 4bd019a7303cf82c8fb8d0a10e588dc1eaed5923d6ee87718b78dc807afb3e821fe7238071c8be309e1135100a9c2944e63978f2c23458a0d0ddef4d2f822b4c

C:\Users\Admin\AppData\Roaming\ConfirmStop.doc.exe

MD5 8cbb6b01b58db0790baa0dff34916b00
SHA1 13c188e2aa4ffa8ebf89346cbf49e290aba643c5
SHA256 a6030f02bd4f5d56a4cab4b85b0fbaeade8cb3c035afe5c881969a76ca1366db
SHA512 414dc921ba316994ff9a14d35e868d801950e11ecece1df923f50806f754483b581163da0d1901a50a686de84b1f0c80d4fbd4535a5bc2d352a6db84e9063e79

C:\Users\Admin\AppData\Roaming\RenameConfirm.bmp.exe

MD5 3d1b0c02f805ed8d8cc32f4de0f3eb50
SHA1 dfc3482d89d6d9c7872d0ca1a65b342feb2392e4
SHA256 58665f9b6a47b0e81f8accb7a5355cb665856952975d060432ed3a706d85ac4a
SHA512 0d037a2a9456292ade18f8f775194687bb9a09dc4fcfad5a203f406962a3c3b550dc39d616b6be5107bf086da32f945534dd69be9abe22bd7192698f6cc3bf9e

C:\Users\Admin\AppData\Roaming\SearchWait.mpg.exe

MD5 7afeda78f0983b8c2554244276e96060
SHA1 ea42c236e8be04ac0c5b2b85d3764939d05553ff
SHA256 d0758c5e0fcaa6fc3e7f8741385b36b61bdf3b1036b1153a3f0260f80d6063b8
SHA512 a5368e053290acc500bf470172e99e7c947d593796e49d0df3e1ca8efc3985544a433b5784735a6495a69819f83dc119c77bb12c75c235dd59ce98073148e1d4

C:\Users\Admin\AppData\Local\Temp\ykYA.exe

MD5 5650780be9ae114b7690af9cfd44ac13
SHA1 b7dfc32af322bfde328ebc949b704f7c48abc70a
SHA256 46bd6878260080fa61adc53ab8caa19dfcf027ff2c6a50d205e6c2f9592886b9
SHA512 ac87e0151dbf877af28c5bdbd45331199bb90c0f738770b86edffba56e9721aceb51b89798a5bb96a32f758f2d5ff25f9ced0984f5c07928fddfa133a60f9d2c

C:\Users\Admin\Documents\EnterGroup.xls.exe

MD5 bc2f9e25c0bae2d06662c163f51b9e4a
SHA1 0192392220c1d716f40ebf73dd6ef48fc376554f
SHA256 6437165232596cff8c90876175254620a98746c7117f4075889721c2464b2d23
SHA512 ffebc5d811d1f93f949a00a96e6a079b756a7b4b581693ca000a3dfeb82c414b23238949cdb91794be28ac48bbd0c20c1359a67fdb9251b69a030e095a2fcb57

C:\Users\Admin\AppData\Local\Temp\aMIu.exe

MD5 9fb5a24cc70edafe4fc4555c08e4b506
SHA1 43cb9e71be1bb221d97f31d9841f50fff5ee286f
SHA256 7b6bb070ff0aa4078c751adcf3e9047630bd451cf9118e431dff72347b43bb2a
SHA512 e9832316c4daf174444730666cbbac9f348ebf8253fe773cb167a865c2dd409e13396971dfc986782a77fc43bc57199ffad154c418e4efecaf2440fd23228be5

C:\Users\Admin\Documents\RestoreWait.xls.exe

MD5 7a6c8699ddb127f0068869d6ffa0644d
SHA1 6b38163a1cad85a82eee9e64c97a52130a735328
SHA256 c334b909915d4fbed02bddaef5cd3a55680cb86dba3cac9d40c75174e3c1fe98
SHA512 97adf5fb081feabfe53b4db06ec395e67679875befa284194e7c31e34bbc7a9e682544ff57a7eea18bb9aaa29e72bd3c685083ff23913e61c521bdf5df06bde2

C:\Users\Admin\AppData\Local\Temp\KIwI.exe

MD5 d40d5be462461da6eb11c5856af67319
SHA1 4be605e546b7391f5b8f330fae45fb876322340f
SHA256 94865cba923fc80457e2860d1e5c2f064c28fcd922a78a113d95ab4d5dff9420
SHA512 894be6d599fbab3d609febc505091291d9674233653a36f446e07fbd7ba95ac28ae980909abc2f2ceacf3492f95e9ce9fae7e94cf053000a318d0553e68fb07a

C:\Users\Admin\AppData\Local\Temp\oAAg.ico

MD5 2d56d721c93caea6bd3552e7e6269d16
SHA1 a7f0d3d95a19f61d30b9e68b0dcee7c569249727
SHA256 f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3
SHA512 c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

C:\Users\Admin\AppData\Local\Temp\gwUs.exe

MD5 a8208e2efc35fc69372d11d2cdc9877d
SHA1 0a988d241869ee6adb55bae3fd98c3deeba7ed0b
SHA256 03226f77041a3c08cd57fbc012a6fd26b956567d0951799bcec25c35291836c7
SHA512 be7f46a44bd8fdd2a7c43438ad049b86c99d9332ea1458628763aaaee565c63f4dae63284636a93764564119e01670ee35d14f18c189cd963e423e8947edc2de

C:\Users\Admin\AppData\Local\Temp\Gocy.exe

MD5 a2e3ebc2b41cd96c717ca387960ef025
SHA1 bf5557d7f487e5fdb2808fa7f6c5f357775986c1
SHA256 efc3c81d9dcc8b13faf7d184d1a758ae3b04e93553b43eccc9ffaf05af81c343
SHA512 79867a39f35eae5c19cbdf0a9f89f97ee380305bc49ec22ce076fa841820fa265583befeb2130305611cdcce76f4320a22459d621aa5c14ff55304b653dcd326

C:\Users\Admin\AppData\Local\Temp\UoAK.exe

MD5 669132962b9186d859eb27fa737d7180
SHA1 b092bf596169002ffc1c182e7cd284cb8cd19082
SHA256 c243bc0bd803949d184927c24ec37cd831c87396ae0f07eaf8ff0bc5d6b1d1ad
SHA512 62669cf2912c8af09dee933a732094587350c0808cb15bc745be4d1ad2716ddfc4dc120a3ae5406258d5ae8e5f8cc19bf5b8a75a16ce6642eb4417443ec3cc71

C:\Users\Admin\AppData\Local\Temp\EwgI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\OUkA.exe

MD5 30ed1bb46a37af11986add6d0e20351e
SHA1 c14e1148c8edde837d1d5109220eb6d74a68670e
SHA256 9b6c968e81701df1a551eceef3dc73e83f7b3c4908b7d6a99ab8ae0f192c44dc
SHA512 3126cb01d8fcf0a19ebe7a1abcf909d9ca86d137b8266a85a68fe23694b87fea7d137fce827c03357c0b15f4ef73d3b7a1697e8dac72b24e6a74fbc2a37c1b94

C:\Users\Admin\AppData\Local\Temp\MIQU.exe

MD5 0ce87a09157a51c972354da3c7fe6cda
SHA1 cf7c008060f69cd5f74b5a679017d56dd1644087
SHA256 86e94d1ecede439a9b8c331c029abdf4bca30925d034ff3a005bac9782372b90
SHA512 1dc9fbd2d9c18734faf2366e651f26ffa1126f03e5f94fdfdb6e45aef7d229bfff156e00fcd9e7ed98a60676a6721b41eb79d42318bb850324586b5c0c261082

C:\Users\Admin\AppData\Local\Temp\QIUK.exe

MD5 dddd8583ff5c6f0eda07063eeb48c2a2
SHA1 9f293a02beccc008c305392ce7d5d4f5b111059c
SHA256 574c2905cc24678f712fe865f19299ab7f4249a24d3e107bb080e1bf082f683f
SHA512 bb8f90ea273ada12f4092b5cabbd268573cd069c2365dc3d0cf98dc3e0860c65468b038be085a54aa176ea3640c5ae8f5b38c65dcfd1567f5142391583be78f7

C:\Users\Admin\AppData\Local\Temp\iUcm.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\AwkK.exe

MD5 2aecf47dc081da8929105eac1d395532
SHA1 ab9d2ff77429ef527ef1490cf3998a1c84559576
SHA256 0782eafec2d3014024608fc587da1246550ded5a8332b918f5ab4d1fe50da5d5
SHA512 1e6dcaf6f52cd6a94e470e6906ba9d8c041f9e6562185626c1fb9f0c0a27382e1ac81e2d915fe63fa68f391dfed83c85c60029a02a6c93b039418e2d47a7ccc9

C:\Users\Admin\AppData\Local\Temp\kYcw.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\EnableGroup.jpg.exe

MD5 54d773bc06b8755d3699f929b76cb6ab
SHA1 6cd7a4510ed9f093be6aefedb8561dacc441212c
SHA256 2db28f2967adb72c5309ce8ae7152b4b3158d15b2b845c27847a951aca11bb49
SHA512 c562377f26f4a4a024cee5f42815b1dacb9c6469d521da608f4ce3b88e31f236f3a8365279b26e7c7116c4fac332c8525bb7bd6b25d2a169180eaecd9c79a2b6

C:\Users\Admin\Pictures\ExpandGrant.jpg.exe

MD5 cba16de9b346583df4e06994774beb31
SHA1 569ca42873a52c66d54019dfa9827d778541150f
SHA256 0fc8b373a26151d2beac5d7cf8009682319838372d3eac309508230df45ac351
SHA512 c766c6b9251abb98da1001c88d6e86ca5aaa9cd856815df0be9c0ff7e37964af0f2e43901284324bd2d2e0c7814a3d6f984a1a0d1b315795dd229461750e2389

C:\Users\Admin\AppData\Local\Temp\sokG.exe

MD5 98039e9e1e3ee0083fe0b80cd95db4c4
SHA1 7704a4ae6d51c4eddd761ffe3b2813a35cd0b702
SHA256 6bead373b1cc8662161e9bd30876e3b5c53dc162b3030d2b028d6c587887c6a7
SHA512 33abc1d0e229e2fe61bf243a08a1520202619a43c9a1bd246f1729befe87089c3246adafff701fecf9009003354aed61772eccb945aca73f87c7ccb59e605474

C:\Users\Admin\AppData\Local\Temp\kUcg.exe

MD5 d93fd4431025c1e3c7f50bd09f0d6911
SHA1 276e9e79597a673c14423d61c9bc753a2b63e179
SHA256 d89872fa389d14fa6aa6195219ac9ebfb2b3c2415b82c6c5aecc502b245c9031
SHA512 df250d7923d3b05babd3a21131568d3aff0a02c853ac2f97b0aa16c450cced5ed83f24a692d5a18640d7779ae050dd688a4dbb462a262084f3bb7e08d815675f

C:\Users\Admin\Pictures\TraceSelect.jpg.exe

MD5 e2b053e695d81027ef2b1f0d51146be4
SHA1 3307eb3e9d89061d80662f47b738b192a13afa99
SHA256 429282478ab493167ea1e41645b29196fefc855b2ecc890cf10a6c2e73870adb
SHA512 9f7d2f681ffe5704bca58d33216bad1b08c52745fc3e8962ce01a8c7fd4575ac83df2d1d691ca698e8658dff0e1c889edb21bff2b11a0e1e15f68f440c4d3d0e

C:\Users\Admin\AppData\Local\Temp\yQEy.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\gcQc.exe

MD5 0550082159a56a9e030569ae9ca0ecda
SHA1 0da386269c849e0458d00db54fc30f3c72fd4f70
SHA256 359df98fbee0d8b5f74a42bb5962faf2aad8dbdd35b70210744105a6cd0832f8
SHA512 0e303b3823a29715ed6eaeabd121ab0ca71f15aefa659fd6b70b1a22e9c8fb268c1af058839e83b1ba544979f12fb1cbec24058e5f24e142018f44698b0afa4d

C:\Users\Admin\AppData\Local\Temp\kgMM.exe

MD5 d4ec37e2d2cd7e73cf58dde9f9959532
SHA1 40f11cdfcd3ab0caa0e47d4f9e93be98b870e8d0
SHA256 de7b35d2ad7df116fe1b9fe92af19f0b52a38554d37219b5553ae87fb8094ea0
SHA512 306fb93597b060ceb0860ecb200985e28cc8ad622ed08270a20354385964190e4f88bfb583ab3253b0aa8eba2935daf9c13e8a5971a41b019f12dda11c11a9b1

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 4e81914f8df47aeceb0b9ba47569740f
SHA1 f4455bda5b6b524b8345def6420e758b07de4084
SHA256 b8b3d07c8af423db87a468b9d4d711a4ac112ab989041db6e3afa93805f01d4b
SHA512 fe6a69fe7f57b94edd63e9b3217e15c18b008ae5124b7065b2d18f7effce6011e2fac6aae1e22433165245200008d64dbcab31378e6bb9bbf4ecbcdb91b06f1b

C:\Users\Admin\AppData\Local\Temp\ucIK.exe

MD5 c03a4d7267b753b1b4e5c3aa92b412ff
SHA1 2be1bababa3ea5a7611f1fadb899861b82b2e02f
SHA256 290a3fbef1f13edd75bf7a81fa7e38a1df02e082f2d15b22d36ba1e11c56a868
SHA512 4d99d4963e5db75167bc094b398d2c1394d54ce1e4f1e0265514b6e98f3d6c39ba749e688c4c920f123507ea6de64640501978952e8c2705ac4e1cd5fb4d41ca

C:\Users\Admin\AppData\Local\Temp\WoEC.exe

MD5 dd615c7b14e8e44469519e49ecbe1e72
SHA1 9bae6f8df4be214fbefab83ed13de57810b485c5
SHA256 0b8748bbcaa7d37253298aa9cb196632b742a5c04619600ad3eb1437d05d8ec8
SHA512 2ac65e5d2876c8f73dc7f415c52c781cf35a26e46b8d38783e62c89042015727adeaa2d81293c8f6729c165866ae24f52d623e65e4350d9872becff324b0f269

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a3bf57b2f47a40e94085ee57413e2a00
SHA1 2d3b1b637f472544eedc64d85f7f3def90538d50
SHA256 0f031cf55ba089c58ed7a70d5bd2f37595ebd31642da7452ad61374ee2ddeed9
SHA512 a04703ad7e21107ae322b624ca53dca6daddecc53ed10c2e5d6d0526fa3a93a4c5cac5ac3ea84020cd263fe9208f309932a68d8981b3f8803280c5f8f812d8b2

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 e8d99dba3c22e832230e175d22bb0be1
SHA1 6e6cbceaa976377422f2656c1589a846a8bafaba
SHA256 4a92098b110b47fb3a70f290da7400b5ebe85836ce919ea44685474263513aa5
SHA512 45823aa67af5ff2384fadf04cd1dc19eec8db95d52dea13c5dcd30dc274b21917fa6a58916d15fab585656220778c29935bcd4fbca247aa58b32d748919bda1e

memory/400-1611-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4024-1612-0x0000000000400000-0x000000000041D000-memory.dmp