4b43f8d9da366bd3021f417c6227d7272cd354f7039218eeee6507573ba1477e

Analysis

max time kernel
95s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
Size

2.0MB
MD5

bd7af9ee4a321430c081293bf23511a6
SHA1

75d8c44b6b614225a100c4b068206bd030fd505d
SHA256

4b43f8d9da366bd3021f417c6227d7272cd354f7039218eeee6507573ba1477e
SHA512

15fea8a8160eb7d5b5edf82c73b1f733b55464a83ee8cf22a82d781a0f96fba41a4ab04ee0e50d0607e9d514cd60c71c1ce74859789814f53e2dadc7465303fd
SSDEEP

24576:wEjNV509U3uABOiDfRePDE8vlxk7Tnhm7svkf0dJP97SySpTufYvzWmVZpYdb:jubEOiDf0LE8dgE7sMMPIpTufczY

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\NccAskAQ\\eYMAcoMM.exe,"	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\NccAskAQ\\eYMAcoMM.exe,"	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
4528	JYwQUMoQ.exe
4556	eYMAcoMM.exe
3748	KcAAEwYw.exe
3180	JYwQUMoQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYwQUMoQ.exe = "C:\\Users\\Admin\\fmwogksg\\JYwQUMoQ.exe"	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eYMAcoMM.exe = "C:\\ProgramData\\NccAskAQ\\eYMAcoMM.exe"	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eYMAcoMM.exe = "C:\\ProgramData\\NccAskAQ\\eYMAcoMM.exe"	eYMAcoMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eYMAcoMM.exe = "C:\\ProgramData\\NccAskAQ\\eYMAcoMM.exe"	KcAAEwYw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fmwogksg	KcAAEwYw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fmwogksg\JYwQUMoQ	KcAAEwYw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 45 IoCs

Modify Registry

T1112

pid	Process
4464	reg.exe
2376	reg.exe
3184	reg.exe
4312	reg.exe
1412	reg.exe
2416	reg.exe
988	reg.exe
456	reg.exe
1356	reg.exe
4904	reg.exe
280	reg.exe
1640	reg.exe
4564	reg.exe
2104	reg.exe
3164	reg.exe
1788	reg.exe
4640	reg.exe
4260	reg.exe
1472	reg.exe
3100	reg.exe
3248	reg.exe
4684	reg.exe
4824	reg.exe
3700	reg.exe
2580	reg.exe
4932	reg.exe
4648	reg.exe
1368	reg.exe
3916	reg.exe
1056	reg.exe
4060	reg.exe
2208	reg.exe
2288	reg.exe
1840	reg.exe
2500	reg.exe
3760	reg.exe
1668	reg.exe
1540	reg.exe
4944	reg.exe
1724	reg.exe
4200	reg.exe
2312	reg.exe
1844	reg.exe
2240	reg.exe
4684	reg.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4556	eYMAcoMM.exe
4556	eYMAcoMM.exe
4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4724	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4724	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4724	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
4724	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1968	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1968	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1968	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
1968	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
3932	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
3932	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
3932	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
3932	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
564	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
564	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
564	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
564	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4956	vssvc.exe
Token: SeRestorePrivilege	4956	vssvc.exe
Token: SeAuditPrivilege	4956	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4528	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	83
PID 2704 wrote to memory of 4528	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	83
PID 2704 wrote to memory of 4528	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	83
PID 2704 wrote to memory of 4556	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	84
PID 2704 wrote to memory of 4556	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	84
PID 2704 wrote to memory of 4556	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	84
PID 2704 wrote to memory of 3340	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	87
PID 2704 wrote to memory of 3340	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	87
PID 2704 wrote to memory of 3340	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	87
PID 4556 wrote to memory of 3180	4556	eYMAcoMM.exe	88
PID 4556 wrote to memory of 3180	4556	eYMAcoMM.exe	88
PID 4556 wrote to memory of 3180	4556	eYMAcoMM.exe	88
PID 2704 wrote to memory of 2240	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	89
PID 2704 wrote to memory of 2240	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	89
PID 2704 wrote to memory of 2240	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	89
PID 2704 wrote to memory of 4564	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	90
PID 2704 wrote to memory of 4564	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	90
PID 2704 wrote to memory of 4564	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	90
PID 2704 wrote to memory of 2580	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	91
PID 2704 wrote to memory of 2580	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	91
PID 2704 wrote to memory of 2580	2704	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	91
PID 3340 wrote to memory of 4620	3340	cmd.exe	97
PID 3340 wrote to memory of 4620	3340	cmd.exe	97
PID 3340 wrote to memory of 4620	3340	cmd.exe	97
PID 4620 wrote to memory of 5104	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	98
PID 4620 wrote to memory of 5104	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	98
PID 4620 wrote to memory of 5104	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	98
PID 4620 wrote to memory of 1056	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	104
PID 4620 wrote to memory of 1056	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	104
PID 4620 wrote to memory of 1056	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	104
PID 4620 wrote to memory of 1668	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	102
PID 4620 wrote to memory of 1668	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	102
PID 4620 wrote to memory of 1668	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	102
PID 4620 wrote to memory of 3760	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	100
PID 4620 wrote to memory of 3760	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	100
PID 4620 wrote to memory of 3760	4620	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	100
PID 5104 wrote to memory of 1052	5104	cmd.exe	106
PID 5104 wrote to memory of 1052	5104	cmd.exe	106
PID 5104 wrote to memory of 1052	5104	cmd.exe	106
PID 1052 wrote to memory of 2192	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	108
PID 1052 wrote to memory of 2192	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	108
PID 1052 wrote to memory of 2192	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	108
PID 1052 wrote to memory of 2416	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	109
PID 1052 wrote to memory of 2416	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	109
PID 1052 wrote to memory of 2416	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	109
PID 1052 wrote to memory of 1412	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	112
PID 1052 wrote to memory of 1412	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	112
PID 1052 wrote to memory of 1412	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	112
PID 1052 wrote to memory of 1540	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	111
PID 1052 wrote to memory of 1540	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	111
PID 1052 wrote to memory of 1540	1052	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	111
PID 2192 wrote to memory of 468	2192	cmd.exe	116
PID 2192 wrote to memory of 468	2192	cmd.exe	116
PID 2192 wrote to memory of 468	2192	cmd.exe	116
PID 468 wrote to memory of 3244	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	117
PID 468 wrote to memory of 3244	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	117
PID 468 wrote to memory of 3244	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	117
PID 468 wrote to memory of 988	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	120
PID 468 wrote to memory of 988	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	120
PID 468 wrote to memory of 988	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	120
PID 468 wrote to memory of 4260	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	119
PID 468 wrote to memory of 4260	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	119
PID 468 wrote to memory of 4260	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	119
PID 468 wrote to memory of 4944	468	2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\fmwogksg\JYwQUMoQ.exe
  "C:\Users\Admin\fmwogksg\JYwQUMoQ.exe"
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\ProgramData\NccAskAQ\eYMAcoMM.exe
  "C:\ProgramData\NccAskAQ\eYMAcoMM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\fmwogksg\JYwQUMoQ.exe
    "C:\Users\Admin\fmwogksg\JYwQUMoQ.exe"
    3⤵
    - Executes dropped EXE
    PID:3180
- - C:\Users\Admin\fmwogksg\JYwQUMoQ.exe
    "C:\Users\Admin\fmwogksg\JYwQUMoQ.exe"
    3⤵
    PID:1708
- - C:\Users\Admin\fmwogksg\JYwQUMoQ.exe
    "C:\Users\Admin\fmwogksg\JYwQUMoQ.exe"
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        8⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        10⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        12⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        14⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        16⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        17⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        18⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        19⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        20⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        21⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        22⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        23⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        24⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        25⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        26⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        27⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock"
        28⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock
        29⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:988
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2416
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1056
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4564
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2580

C:\ProgramData\bocMAAUs\KcAAEwYw.exe
C:\ProgramData\bocMAAUs\KcAAEwYw.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
2.4MB

MD5
7fb83d6333a7ad739940e162b3548c8e

SHA1
da32962024355bdb3f9e3e5ccd2c65b31e2ae48b

SHA256
00f70ca2aa443b82ae5d9abf8366d7fc81393063d690c6a9741e0a93846b1206

SHA512
e4ffc370868c10c347dd5d31b31e58eaa126cc7ce61b41339c251b4808a1a9c00bbfa5bad7b412bda3c432d13bb0efc67e7b32a401b89d8ab64f057ceb4a0fd3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
2.1MB

MD5
a40ff0fe09192a00e4ed1396d5d9f27c

SHA1
63ed8657b6351b56afb607eed5dec46c9033e9d5

SHA256
8de694dca771fbfe19af3dabba11720028a24d20c630221c4caded200f05c03b

SHA512
0abddcf4c3068e04694885047d41ff10864468f720dac3eeb1d54347f5d1056a54ff991c813fc06130ff74cee86ce6821dd2ff581cd40c947d0532135825c6fe

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
1.4MB

MD5
10451672e5e7475f1316971eef83f4e6

SHA1
8a1579c8b1722619191e40c34d814c85c9a3d8e2

SHA256
aad336fe6e2f32ca83756ff05e5a0c3898695a2b9e3406a61c53a63411ad77fb

SHA512
924bd4b61bf6e412cf04d10be1aed4c9d3ae457d2338eba380782e3a98dfd87a484ecf93605074a174fe17a34a8f10fb595103b855f05368636bdaf05eb19728

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
256KB

MD5
dce61018a6ecc62eda6dee6cc55129a4

SHA1
7f83941513fb13866f8ce3ecee1f18dae4687281

SHA256
edb5ab134288660e29bc531781e4a6b3a6bd5e73d33b80218c1dfaac0f3f13b1

SHA512
6f3da3d0a3587139bb499ae077b771b66dc9c55278d0bac612ede149fcf8653de83ca75e7bef282e63bc141d6faf5e87d7ac0c13d87fc773b57bf87b8de036b6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
2.1MB

MD5
03ede801f09530ad447588743f2f0bd1

SHA1
1bd81e0ceed3875187333119b51a430ce0548f3d

SHA256
b11a839258168a72b4f393cce15cebcc2ba40b9ca1b7e53fb2170b7c9021989d

SHA512
4d376a241cda6f710408643dc749c15b0d166e538d5d3a790b877a52c6690854d271c22e7a4d79f5cbfc841708f72ed7242d2f9431b2c8239ed42a2e7c4ff835

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
2.0MB

MD5
3a56ef929ffaa0e62b5ef9a413fdade8

SHA1
f1c53bacb3d1039294c3b8d8fe9d74f227bdc64e

SHA256
003af09102b1bea21e5ff4fff8f8cf4bafbe51ba3d7fc09749746a359455a766

SHA512
67fa3c510aeb583b34de79c06a64385c0d741f3a6f583e90b590f08eb4b0b974a632bdf0dba57214d8ca6bf28e3f27fc63810da592791157c281f85bb2210ed5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
384KB

MD5
cc4f10458d09ea20c0dfc26ad11b447e

SHA1
1d1d2513862631c56de5c5866eab8582f3d9c420

SHA256
1a8580a8064d53b936ba9878116a57e356265a4f9411924fa3f291aa56f5d6fc

SHA512
e5dc37bfbb4e8559ad0b7329afdd8c44646abcc73b99c127673ee06a8654a9067248725e8aefffe260a6f1644c108ce9ebfa132ba025621cde799368072276ff

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

Filesize
220KB

MD5
ee316691c0f9efd22f9bede1fcbd85b2

SHA1
752937a0bf14646e833aa2671e607a93c4b107f7

SHA256
bb335ab80da7277893eec0fba37b48a86d31d0bb9bb192c4ea2beb334df962b0

SHA512
b320f8fc5d8f77b4cd16eeb8fe28d5d31ed117ffe929c6e4d36b1669326d7bb45b5c8858a95a44efadb548c1b1d6c2a73e8288647c46e4e0f435fc79eee4a57e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
2.1MB

MD5
2163c3776a46019b06fcc1c3d22a116e

SHA1
6a8f67fa13469443e44dcda026ed4c5eff283951

SHA256
339182cdc797b00637dff6f3b1b457b0f462194280b78ab5905fb7722724b97a

SHA512
fa052f8463913996fb8d46e2a8722d2f1225a7f1b051bf401fbf4d32bbb0e29f537bc1bf4ccac1fc9d10e2e1c0e562e1080fd38eff3c8933fef82ff97124831a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
1.4MB

MD5
d8e36d40ff24b8a2ab2de1c60eba2374

SHA1
df79ceb8a370440e59d4dcc165d56793e2ab9042

SHA256
bba53725e90a5169143dcb1b338a18b15529d20cad485d2ae52af2a74959ed3c

SHA512
71de53cad4876616bc1cfecf82ec7f852e90ef10617aa264dba4ddd50ee41b7119b018369a90a3f12d059be4450ed1c83bd699f68377c22fbdf078cb4d5dced0

Download Submit
C:\ProgramData\NccAskAQ\eYMAcoMM.exe

Filesize
2.0MB

MD5
dfa2d9198060fee97ab7b97f82e0e452

SHA1
31b11a86c57a4552d8f1e158341c1a53d4a2b451

SHA256
a00ab8c533a4cf6aac790098539a35d500072cddd0cfe4a78f723ff9530c75f1

SHA512
96e5d90999e7ecd0696d6cb80d6dd2e1c317149eaa6d6782cb1971e0d79a710123cdfac5a7149c2e20bc3dae4ed234226bbd924dd6d51aa38f1f840bcd4178e8

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

Filesize
448KB

MD5
1a6efeeb4b0f93e52f649e471cc38cf9

SHA1
4f29e1ba8245b44c63a5e25664306b984026b1e4

SHA256
8c67c67c8b5d9905f743fd1848736af3913deb99c3273b31959a687c5c2930c1

SHA512
26e58f7d1b8b4744aecc277b45cf5da2e79975b3c7ded38dcd0e2563cf5874736be55841f2aae7681c99165aecf756fa542a5832ea8deb1742ad88edf6c607e5

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
620KB

MD5
51e3b7512642760853a7c4a00be7536e

SHA1
3c77a5f1bd3b45b39adb85ff3daa15d891b682dc

SHA256
f2721e123c8687fbface7d3a51ae6af41aa2550cdb905fad1ed89f7273e2578a

SHA512
4b84931823d268060d9e6a77cde7d14e8bbcbcc63f9dee3959137648e8c4194699ff043c1537c610e3398867c0f67d1cab79df0debf9892f2ca2871145f95af1

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
2.3MB

MD5
d16658bf941c9aa6f3ce7d41b7633909

SHA1
e3e161312eab1b9302cdebcee1434bf046260353

SHA256
ef1cf830886fb1d0967c80e7449577140688f61e529995d2659a6d57ce2455f9

SHA512
3eeae4db1b2e82061508db919b2070966e0742fd5667beab72e758b9ae28163b0cc644a7a34f2be113af8a86a114bdadce579e44fe005c5f1985440a24596fac

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
2.6MB

MD5
eb1ccb808b74c818195bfa4cc6241687

SHA1
dad4b53bf9f85cc7a95200e6c51b86620522c1e5

SHA256
2294199b2865534a5c43551c0b7a63d83a957db52802a5ce8bb892a83a4250e9

SHA512
d24936821e221a40aeaad14feb3c56b03b5c88a0f7f444dae4dacfe52eee74a5cb1d0ff013c94f8ba0178fb96c769c1beaf0836b2fc5c3e273417596a0cb093d

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
896KB

MD5
d97275fe473b38fe2b69a4e1759a39dd

SHA1
5fcf691c01c1f59ba4a545edff25ccc72c8bfa9f

SHA256
a359f13aa489e559040ad428a863ee3b8c51fe681f4ba9cb9f5a3e35ee764c3c

SHA512
17c1ada580dff05518f1850c2c239ed1981ffe9aa5b2c47aadfd4d03bf9d41a4d45919712ad050ab08be8d219073a2b31790bf8d8e876fa3101c604c513aaef7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
1.6MB

MD5
a6d0a905b516e99e3de03b731a2583ae

SHA1
b201636a7ec0f9a50885e19e29916ff3cf8eb3fb

SHA256
b6013ba2fcc8c0d65713d301364c463bbad5796a34e56cd244c47c0d618c3529

SHA512
52b2a8134126bf33be2467740337648072c92728eabe2396ceb394d64bf332ee0d0a2ec90fa927535de84153eda3c88849df9fd662da142ad00a9294f192326f

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
1.7MB

MD5
a279a24bf1c5f6361f119e51f605e8a2

SHA1
21e8c7b373c2de01486f7da649b5a7431b61c955

SHA256
65eecf63f566d5e2757a5cac1286c1667d7b465ba3abea6e785730795d0734f8

SHA512
fbd77477ab626bc99c20e82bc5ad98f1c661d41a9f7a1251e7fd8384bed639906579a7520fa7706e50c61f198f77dd3851135ecd3e83b01a869c7278989f6831

Download Submit
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

Filesize
1.7MB

MD5
34de93ec4f93fa117e711c3ab03ec4b5

SHA1
c14688e8a90c0d14cb3aaaa157682a65bb251df9

SHA256
9e5497c38ad162b9f5cc01fce8cfa1a361779a601d5a92268c99117732f10d20

SHA512
be02a966c51d6d4d9ae893d044528ae139278df911e5e7324cf11f6dcf35aeb92a337091f15f3ff8ae25e28094be8eca75aac5c486bf0704f49aaad26f495e82

Download Submit
C:\ProgramData\bocMAAUs\KcAAEwYw.exe

Filesize
1.5MB

MD5
d6e0e201eca052a6d7a92bbef0a8a644

SHA1
ecf2a9c9eba46b3180af210ff12b9f9a8e619e3d

SHA256
aa5f2f69dd3d606a9ab7131c6494595ef444ee72cfa34d70db452621fa17fade

SHA512
b9957fd47cf39429a4648af93ca9cda1e693d28d0ad574fb8bb799c1d047790ebe58350af9ee6825e9e3c6656ef99ff46f3809c30a4a933d307405d6a16ed4e6

Download Submit
C:\ProgramData\bocMAAUs\KcAAEwYw.exe

Filesize
1.6MB

MD5
aabdd8172121d2b8304e61096a49a230

SHA1
470f22e533c71ba1b6cf4f1f5414b18d41ab1215

SHA256
f250f4fe8a12c83371f82c16001b1196027b595f2ef9901dba056525707c2da4

SHA512
a092e2ff25b8459180976cba2ab0aeda9822a8d71248c0e6d54b6b79eb06dca6cccacf39fe3e26250fb6c40225963e8c44cd3729e59b15d992ba700d04e3f44a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
2.0MB

MD5
bce9d4e17cb3c5efd2c17c6c865a1869

SHA1
7243a36adcd5f1bc1bbabd57e6ec6fee387e3353

SHA256
e2f17f0017586a06ecc08bdc4736e4a26dc9d88528b66fc39961ac50f1fc7686

SHA512
2bf5b8b40dfe43b15787362953117f50eac5195fc2033f68e87656973205941ee97cc6c8faebdce77a2fc438e9c7b7cf520e283dad5e1b353112283e6eb0e307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
2.0MB

MD5
3735d2368ba597d21d7e8f96c705219a

SHA1
eeb4ea3f14e103ec7b85e1287fb8df0a30a72357

SHA256
7859c41c9b31646a80fb74d9942f3f0eab176f56496a2963f067762cb38281b3

SHA512
a17ad112afffd65ac5b15c9bb7f9c7e9202e873c8b68f7bc2fd68eec8f88940d7b59fc5d23889b7c996b579ff9edd2fb2ee711acd4677a7dbd18558dfdde0bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
1.4MB

MD5
030ee4e4f9062d7adfdf919a3b734432

SHA1
f9e0b6323f1fa0c59ef4e89edc13738795b6766b

SHA256
d7902538ecbe56b3a3e1ada4f4b5ae685e366bd7f70a1d41586f2b88d8298d40

SHA512
b587033489dc7c673c150d0ea8068cf850fd47025d3a1efc79274374d3824db9cbb2cd907af50f2d956f31ac8a1586f3aae786b20f9de616a085f493fb9472c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
411KB

MD5
b77ed90dcbf4d48d23645048491f1df9

SHA1
3248b9542448403a0e4953d1386841325326bf80

SHA256
415a2f5d95287390598896fe4adc6aa61765f5204610c2ab9f19b9c17bf2dab1

SHA512
d026f75e338d6bc62ec000c9066278c793a46a5d7c4cf8bdb1b09636444e3a62364735ef806bc7a7f2963396495d55529c1438666915b659b409c89b4b97f185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
2.0MB

MD5
da6e1793ff8279ccb5e4b7752c29d5e0

SHA1
f7d002ef026e5b86570d58e62f57f14484c8dc7b

SHA256
ada7e43d8ed85717d722ec59da40465718c800d5fa083a8e9f686881bf93f00c

SHA512
c9359c57664931a88e2ef5f12db1c3c2407d2dd1acaf75a8249aa06269b31ad72818d4e66e26e1ea132b01ed6457b7b58b15fa897e5e056248d82228015c7bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
1.4MB

MD5
297a9a3cacf1ddbec25092dd1e5ee1a1

SHA1
8a6111de626f46edefb54a21eada6cd73d0664ff

SHA256
d51e6615781b8cf2e778b121e7099c19cdb075211e7fa5920d614c28dadbf9e0

SHA512
bccc9081cce7a06576b531e1087e1259c35f39579bdcd96206b506c1aee1e430836a187493cf2dc1f03f406623620f7d037769e566a8120c6a198ed671a6e6ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

Filesize
704KB

MD5
b5243cbe1bcc1420838b910151ab5565

SHA1
4d960b17a9263121a6db7a343a892c6e74dac9f9

SHA256
f1333f1c3b2d00659e79611adb41effeba922d81e452d84d2d7036db284f53fb

SHA512
f570029909db232afcc99f50952ad43b580daf3bdbd9e90e8fe07b3d24832484a59649b1d94908c693e0ff4ad402023b190b3002d98f1bf238647581226734f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
2.0MB

MD5
45aa95d2121d2460fec1c607ec69f3af

SHA1
3df57a667c629f9fb279bcceef493a63c90f95ce

SHA256
754825f5dcbdd747e848972e828278a87309fdab733e4d9e753c0431ecba239d

SHA512
8a66c4b0159af0d833bc55dd95a319ff328c8895ae7d01a5c17defdef0c2b68b098c527695598cfbf2746936db0d719107fe764a95d79cb648016e45047e3afb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
1024KB

MD5
56bc166a9d1faf2568f2f253f69b9dac

SHA1
d78ed325df6e7e5e88db517c5b5fefa90645dea7

SHA256
5b11f9aec223f1bb674883bb37387ef84673ce882254f1bba1804f15f565f24d

SHA512
1d88a83b37f15daf3d26fbbc8f5efb911b905da53792ec26e6907209dca119dded809b74a257e7ee876dea88cc4dc2eb3e30f461a4ecbe1a05add37904b5f18e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
1.9MB

MD5
c27c9bea41d27b711b79540371253fa3

SHA1
f58cffd91b1bdbbc11dd3d4d449ab9367a7f3577

SHA256
d73577eb20d74bf7dfc5582c7863aa669535ade511dced410cfa8a8a25cd5a0d

SHA512
6d25d9541d9a13b6d570c730555ff82ad603f264e2d13a803fef65008ef614527cc2e6cad37833c7fa0895eb137f8d587689d1aeabc55f7e44fa6ad9531da675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
1.9MB

MD5
2bd604917238197677f2416504bf9095

SHA1
e29b3a85fe0c95ce6715a28dcc306b2297c6813a

SHA256
6394eaee37bbc306361eaddecc5f8d94c91b6c24a3c448848bc00a32b57e77a5

SHA512
e97e95bfc530a26e3fca04f7855413771b6155647c479ff74b761fb47d01626e9e77b63da4658e86de930de8b99c22b2f82b08decf5c109bbe5e58351be2c0ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
2.0MB

MD5
6846a6e4516ac8794177dc9ed73b4a35

SHA1
5a4d7c89708aaee25b70805e344a87ac8e3822b8

SHA256
d3adb8b3cb1aa7dd79a96665f882082ee8b076f07a9aa8b4161cfcf53c7c4b3b

SHA512
2eb426e56600882840672ddf65fbced150c80faca56687dc18b5711d3c354947ee7964736ebb6ebf94e571ac4b3cb37e719a587344142518e3a298df3a01442a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
1024KB

MD5
cbc6abf916bbc26931f4dbf394e0e000

SHA1
0c8972b2daa2e46ee6e8c178532459d4ee89833b

SHA256
7c6b111bab76fa7c342383da1522945401549a2ab3b80ee927a55339a30990de

SHA512
b82d702655924704e56c67b3febb78837696c788f760441c525315ea30f5ff35898620f01bab6cd852962e88ecc42a30625de52931b114bc0dc4f9b58ef39025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
910KB

MD5
22763f749c74586f4bc13aab3991fb8a

SHA1
abed4f16eba7203ceaf20750c156d89bda5d49ee

SHA256
ac73cdc7c205823715b7fa76a16c4323650d2399aee7aaba1a0d5e3620efe11e

SHA512
bb35f30eb03bd3039218d2766e92996823fbabdb1a93e7db6e4e44b4a2d72e0525498d5f4da89a0e9f594906be5ad7f2c7d010f7b7e29ca2afefe5fbfee69307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
64KB

MD5
d9ef7c9ec1af3d21ca8639f8791d82c6

SHA1
2a39fd8f72090fa8612333b418a1d0649faa8e47

SHA256
d2f2a7dd704e6a1fb2defa73441db353a485461528683c0199333d187181e736

SHA512
44546f10918cd0d6693208174145a6d0af570ac4c30bf755499abe302a341c46cb34959c76a62b7d429942298b187be0028b00175cc8a38320addddb43f5cbcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
2.0MB

MD5
a9087e3d6fb77b96e5289e063e3115fd

SHA1
eb1c70bc35de25db7decd5ae485465d070894379

SHA256
5d670de33232c0324f1065bb5af2f3f9396a5bf44d790f1905864c8134fe6b42

SHA512
d571e18d7688a2ca0fd4e61ba5071ef96795fdde63a3b5f8a6f2b42cc1366ee4c3ac9816cabd546e4d6e1c47602415db8f5f5334ad08a50c22f4a47c7ffed0eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

Filesize
2.0MB

MD5
6ed6a1844061c6a01d4aa9d866601626

SHA1
1c3b29c64d9b42449ac046e63753600211a94a0c

SHA256
7a9659e348a45a3f9cef4168405f27a1e7eeb5445eda60d0be2692a0706cea24

SHA512
3b81cd4ee6ada34a868dcd19bf519214cd5e9cc09ac4d19dccea07fa769110b705cbcffc17146c7940d7a7e803b593eca57fa90e2e294e31b19755abbc9cca1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
2.0MB

MD5
bbe5e2c15403ebb570a6f562e02f1157

SHA1
11a0678fae20437b55c25542e242428e1cd6d74a

SHA256
a3ef931d5aa1fcc9bb5cc363daf693ae337936fae138785a207972e40cdb8ea0

SHA512
9c5a751a6d0d73c56e79732011ae718776edb80a547df257752381a77919522179ad72f69d3317558745c96540132725ae54bbd999c92e03154ed8eb1214456d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
1.4MB

MD5
13ba2604b77744a73c135aa75050e0db

SHA1
cf97da9122141e67c47b4c7f66842b4952e337cd

SHA256
ff0cc552263e862092f011a5520b210e07ca049f44bcf550211f424881ee7a01

SHA512
010ed21acb1873117a622a03ee27dfa5ea267afe2d02929038ddc76343258bd7547230175c41700026d23c90a0ec4deb9b5a9dda9835de74287656d6aa002ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
1.3MB

MD5
20f4b17baa49a75687c4c23af44349b5

SHA1
ba38448ff20bb49439a65067d8c39fea77b99060

SHA256
f9e1630007f13d5e6f4f9ec5b68becbcdafc02c82530d85f2835882767197e87

SHA512
9421742705a62d460f53d9320a7d1cf5d80738cd87e1c906243bdb43dc16a949beb9434354fd25102173b3d5b95b734b086d275c7f67daf1776c617fe2792749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
576KB

MD5
97acf4fafbf32478decaa0c3caaf8d25

SHA1
d52eadaac57fc7f2e5bb95df0f788cbd0decd11c

SHA256
fcb9434331e2a67751288f9212d5ba36abbc327268c9f6e786d04a8d3c6cda2a

SHA512
4208877911750124190154320e6af778db448d23918470692c2ad3e87dc0477a92cdccea850ea79d44c5dfeb469a6d85075f2e4399814117c438ad7b31e5af83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
844KB

MD5
c29a203249ee04f7ccb72eb6fcf66735

SHA1
750e4278c18bc267f0ec40607b4dcec9cadaecbe

SHA256
e8d2d74437bb590e9399133e8b66417e7ea5d893a8c1a672c181644121162c4a

SHA512
743d7c6bc352d33f0fefd9bbf03f152e28135e046aefa7998b765e268205cb82c0070394ad3c3540f1f0f15d6872f016d9a0313c00b750ed4f72000d7443e535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
759KB

MD5
124688b4d4289060a8208ec629349e79

SHA1
672ca560a75cb793e6f8dff987ac49f53052e20a

SHA256
ead91972d8b1293cfc2f0d56b6f8dd94577d9446714ed59748c04ebb03736396

SHA512
1fd201109e4c858b6b16e9966c663ad09a28f6572e9bb6a107e57a64d69df8308d33bcf6376279a63f6ad08d38e0a6f0164ddaeacd49ea52a3202a1c9492bd73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
1.3MB

MD5
255f9fea3d940a93975fbcac4ba0d20e

SHA1
9905c2453f33cb9900704df83209700dddb9b9a6

SHA256
d2cdd95e9674eb479a3fc05ab59b27e1ed3e778d7072ec8b556a73949c6a7054

SHA512
8a858a23402427994f025550a5bfef54a1b2f0c5993989110511da087100d4d0d092d379d26d2ce2e5371a38806731aad79969e7f93bb33824ea4cd91e7d0f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
576KB

MD5
9eb0c63a214525718727edc236d714d3

SHA1
7bc979f1913a837d14dcee5d01a7a660f8401c3a

SHA256
9c7aa3bcaa7b242023b8d3ab6baca160697209843b7731f775e2668296719819

SHA512
a540cc2ae7b30a9bcb553ee07f702d93219773ef39df286701f73141fc226e587f0f17a0db23451ae184ff7155d46975b33cf46a501f3250af7ba4cff15a48a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
320KB

MD5
931f80582c1a863dd95fe7d68cd30b8e

SHA1
bc73b44a3de73a5344bfa5187102d5a6c1e69a74

SHA256
2f2c9da038208cdb298145d37e7999976aa96e81b8f052916335e34cf3e6e93b

SHA512
1f738e5050b545e68199bd93df2e376035d41a003e34926bd7da0a61e269882438e9407573ca827ed323474a8bf11161be4fb82ddaf2a6e19b272bae34294022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
896KB

MD5
62aead73cbdab207c9e4e7f6525937ec

SHA1
8528b32a0f2d4a0048a7b910ad336dfd60fcbad5

SHA256
0b3d59f13790d8ce75f9839cab836309d3df0539baebc1685131bb9ed3bd271c

SHA512
a9459ac5403aca4fd9b23f7bfbb083073ee2d3ae71cfb079f09470f5779435609184f2736abb7bdbf462aef546e518afa448087bb3f0c786b433a146d6e67a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
2.0MB

MD5
1df552644e2ff9577cdda21d2c9c6bac

SHA1
31c54e142c5732f81c481c823f3535b074601ea7

SHA256
1e066928bb98a46e7c3021dede4069751f0429499aaa3581ac1f7e40b8502a2e

SHA512
6f8575eb142a61631155c434a0612f1de1ead75f956e24b4eab74b09800b02221ce0d7140e73cd603c700137cc6c9650c9a3dfaecc1fea27b9f253420b510f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
1.4MB

MD5
682b839cf291f5b0f5946edbbeffc2cf

SHA1
56c22924ea4b765b837a87026012bbfa57d22e71

SHA256
c80b665fd26a54f538494852ab65c8d4c05537b486072ef2bd5cc1ad6e088fc2

SHA512
1a0114ed21384983ef930a9158f2caa723e59e1d776756ff56671fc9621c6d17fc7fb834eb4edf93be1e5c7e473b5529760d8767650171cec91c07639111a881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
1.5MB

MD5
54722e48f48cdc90aa03045a4dc2a564

SHA1
64a99b411bcdcbfb316c5c1dddb50c54a23a9548

SHA256
37ea8eb1227bb8a82af215063a253a7fa32a2a6fb4afad35b654eafd66904756

SHA512
fe53ec949f11cb7fab8fb0d215c52b4cd6b4347082ff7bfff0af2a3808596c7e87e0a4fd5d6cede503877d8b65fb95cf21280829739694b75d61115867ce7bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
2.0MB

MD5
0c6c36e217b2fd0a63f6d6579c1eca9d

SHA1
cae562f068916dbe2984839c94059bd873f9403f

SHA256
ceb3796096e9d3e3f811cbd7cbb40a36fe7bd1f19ce35b578fc3ce62dd8024a3

SHA512
3e5ffd2372e2b780eae63b7ae0bd3b44f0756cd4c31634501ea07a9fc4d78beaba5a8ad37eaed243c62486792352b7b4ac0f5bec557a4708330489a6545e1343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
2.0MB

MD5
6f49925fda5b09ad085b9b1eeb70a748

SHA1
0340fdde3f778f9e8fd5914d0afaacffd0075e95

SHA256
ba98e7d59a84f3339bab834d459ac5a50491e5b01a75ceacb591c53aee8e8d56

SHA512
4ec17855a7d7479294b499351f61b8741020ef51c766eb54aa2e96b4018ea86071263d2b7c2fdec4ca68bac7680d28c07055c03fc70e0dfa2a4a7b1210c978b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
2.0MB

MD5
78cdcf5f8141656d89d9ddf580af99e7

SHA1
a074440e353f1fcf863c0686b17501c0a658f5d5

SHA256
879ec29b0fe27bb514fb1dbdaca6f133cf48d80275b40edbf8189cc958d2d502

SHA512
974d73cbdd74ab3e3a2e471a4f684dcfe61ebd38d22113afb50289843dd9142d65753828c049e4a6d096a252159b866f5ce66638244d82f46bd68ada51c1f2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
1.1MB

MD5
55c2f2830121329af0b7c957faa673c7

SHA1
67553f6558748fe8a99fbeabbfd22437c7d9a5a2

SHA256
09f2351344778357c11d1559a0e288f2381c42c51dff86e6a2e05022eb2a4fc1

SHA512
5e426df159546835ccfcb52d354d015da6a6d18b07be7f1e8d09a140aa08131c8ad5908b8b8f3be917254c6f40266c684df4bfc13f894918b5af1c7430f18521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
2.1MB

MD5
96ab27ffef612c1ac435f56dabc5826a

SHA1
95ae24da699e93534776ae9443da4b2cf23d1efc

SHA256
82339c02dac3cb0e9043c7a01beeb77b9606b7b530721311edc7a720762bc29c

SHA512
3fa0695d924016d44794fc1730d49c166b5a3b8fae28f83ca5c854c29faa614c5144cd6a68888432f8234c298bd8c60ac6d9648f1e37b47f9acb69ee5ab5c49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
1.9MB

MD5
060b06b5af6d05d0a8d1529c64c3bf93

SHA1
780f571ef48202773853963450c13d2b82f8ef24

SHA256
96738326015c860d760eb1c9641dae5436ce6f40526af908e123c69cf66d2d55

SHA512
0abaa2c775c56715fafb80b1c885091fdefac5e239f9d01003c8994587ba1770219cc34c45ea6e306a5b2611cf4b5098d9c1d87be6ae55985f3206390e4a7d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
64KB

MD5
63360870d0f56f6b1d239f7550e1ba0f

SHA1
749a5a97a48533db71b255e438107b1e4282fb55

SHA256
00b5cbf10ac30bc13d54f95c7bddc1d7ac8775dc4b2028dac5721d93a5df77e7

SHA512
fd0b93587a96175166b9bc708c1c3be10399e80189f35a39e9c4f5549561809079a2245bf8c683c197688add172ae4253194f440b78fd00cb291acd8a621319e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
1.9MB

MD5
cfb14c86bde6ef133fb52e9ab430524b

SHA1
1310d4151a4fff4cfa5b2b75ddffe0ef2e473f4b

SHA256
c9e947e89d7d4a7aefd187f6552f137ca18a4f35529981098f465ed3230e7586

SHA512
0af43f95f5d97eafa66a3e62bd4815f2463cad0bdb0125e37737fadf62f91aaebef0bc3da27ded613a8ce77bf0abc4ba5c14d5f5c94777a8acd86d442f3a25d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
156KB

MD5
cae671bee3ba53b2ca69ea2f6ed99861

SHA1
38b658e41961457275c3f7ed65a3a52e6b6c37d1

SHA256
dc9b07d65e6b508a72cf75da938ac695eb21b58f586b1096e97c1873701dffba

SHA512
45464d315bcec2d343078b8b606acb27f36991ee91ee8ac4150d9ce1e1c32b2c26f830ccafc5adf84d88cd58578e930f913164b3236c79aa3300cb780fc631c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1024KB

MD5
7ba9182bf0a634f69dd0d34922bdccb2

SHA1
abd435b68b8266453d5d12be30890ee9da52a092

SHA256
8ec2399a66706a0863199a22cbf870831de376d56a2a7c4895ee8534ccebce34

SHA512
bb9fa2edb487a41176315607c3e1fff7858f0b71396ee3de78186100bdd51c822a65892ccaf49006a66d238beef13618816d94607410adb0b0ce165ed109f8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-02-19_bd7af9ee4a321430c081293bf23511a6_virlock

Filesize
4KB

MD5
913064adaaa4c4fa2a9d011b66b33183

SHA1
99ea751ac2597a080706c690612aeeee43161fc1

SHA256
afb4ce8882ef7ae80976eba7d87f6e07fcddc8e9e84747e8d747d1e996dea8eb

SHA512
162bf69b1ad5122c6154c111816e4b87a8222e6994a72743ed5382d571d293e1467a2ed2fc6cc27789b644943cf617a56da530b6a6142680c5b2497579a632b5

Download Submit
C:\Users\Admin\AppData\Roaming\GrantDisconnect.jpeg.exe

Filesize
1.5MB

MD5
feed6ad5b209f15caee983251bcd344b

SHA1
aa77be01e71a5a9a88526575611232b20fddf4fa

SHA256
c9734a2fdd699ef352e0db7ee2a64edb322f2671c774c2b9d087935def00c56c

SHA512
b5c361dfd46c5c3ec2ea055d6d74ef68f4211a81a9f0596f52362850cb6a7850b798315630d746c4020f01852f57da35ac36ea5add2807af6f6869f7e77d2c70

Download Submit
C:\Users\Admin\AppData\Roaming\PushImport.bmp.exe

Filesize
2.3MB

MD5
cce81984d1609f6ad533dda424c745e3

SHA1
2c0692c07b5dd9e8165f8ad31344bd22ce925d4c

SHA256
8d1b9e0222ff8acea4135dfe34dd54eb4a410b34355a3c2680bff2eda7eb27f1

SHA512
155cbc048e22e90b9210c4e40bdbd88f10e22cba4056a722e032e148e0039c91619f2c18daa491a8dd3533d30dcdb59f6d9d0ee710c8eaca745f0014883c472c

Download Submit
C:\Users\Admin\AppData\Roaming\ResumeComplete.docx.exe

Filesize
1.4MB

MD5
f39233c12c6e8358dff28076e3b4aed4

SHA1
3e2a67467636d179f589e9f93fe8797bbab58a72

SHA256
ae5e5d36851e8f0663563b4cb055d6e848f22639e12bc8a5d0de6f4f524da2cb

SHA512
126e64183d389f5eed389de0d755cc11673654fdc24f32870fdb069471ba492bd48b38d5e71b07e68a54b6858ebe83a289cd21223c42f3e0cfc51bf6315dc685

Download Submit
C:\Users\Admin\fmwogksg\JYwQUMoQ.exe

Filesize
192KB

MD5
97d3365391cbdd3ffad7929ce5ce907d

SHA1
bfb0911d50abd139da2dd777c1ee612d3aa3efbd

SHA256
4c07d407282ce7578d236652f9f1714cc9d62142284d3189424f45d6836c698e

SHA512
8c91fa907d1b21e8106e179f169f11d89fc358989a7e4ae6c45e6ff8bd4a8e3aa398b41b2eda32b87f46cc776b877a76ef6004277682044e2d2a57d8c00a7825

Download Submit
C:\Users\Admin\fmwogksg\JYwQUMoQ.exe

Filesize
2.0MB

MD5
dc588c0503d4408dc71fb6d1fe15a45c

SHA1
5a97992d38edb700da62658ea0817b96afaf268c

SHA256
0b417ec09056a940942fb417c6d915a69ec93caaa8812027283bdd706022cdf2

SHA512
e2e069936ff3b849e9af2e97f6da24dda54d403fca3eac2ce074348d555c9b2e49380f372835b6dc04c83579b9b3add2a2156679dd2882108acc79bbac05a45e

Download Submit
C:\Users\Admin\fmwogksg\JYwQUMoQ.exe

Filesize
704KB

MD5
5d265bef6be86cc4ec5865f40b3064b2

SHA1
d107b098138f69c64f09577ca5d5e38c0dc2947f

SHA256
c36c5ec3e01bfda0e8b91a5194b8c60b9d84d9e0434c2d8fb872ba964849abd7

SHA512
7abe15d112d02848d786763c3969814a4c965a6f5abe9c4f282d40f3eb42f15db5dff11e128e0e8d05fd5c33fbc26ded3bd76dfb7dc9a0d975e8a1a94099a18d

Download Submit
C:\Users\Admin\fmwogksg\MoYE.exe

Filesize
256KB

MD5
8341de34cbba0efd08b6146ddccc2394

SHA1
34e4c4ecb381a4b343e7dfaa5d988ae4b464b2c8

SHA256
450bf45669dea64e8c945a3ff6e7412c0a2ec3524ca91a1ad70a8f12adca4004

SHA512
2fa85b26b21bf8bfa80c748afbd9db4e379c33143f2d121fececbe45b3e82385d7409e13d999335ad493ae77000ae511fde85c5cab2044fd6cc53c7a75a2544a

Download Submit
C:\Users\Admin\fmwogksg\xMws.exe

Filesize
2.1MB

MD5
e634d39fd7bea94934fd562387906881

SHA1
ea3b1124a9d1fe28d27d55806d95096f002fb0a1

SHA256
717f91cdc514a585395e0069cf6a1dd1dde28675d482fc86666bc77ea9055f4b

SHA512
53dfd5db7928388de8ae35b4b934152a16615a04a009f02810a4ef84011bb5058a6380ccc23897c80fed9b5a72bf72289acf629dc8c55fe4a16861acd34b0792

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
1024KB

MD5
b86cca276715c75215eb1a8777ee6df9

SHA1
878e9d7934e4deb9fe812601bc18cd999bcf9e9d

SHA256
1cffc659443a7e326403623e6a75a7e530d01e5dde4b622a499dc2bbc4b99c0b

SHA512
c9641471210ad991e7ddcb24da481b7ed31af8a7727d4c0ccbe5cd7245ff8523f6aec69ad8464fd420a4975c31b9064783fa2afb45a462c499a1455f2c4a6599

Download Submit
memory/468-186-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/468-54-0x00000000008B0000-0x000000000094D000-memory.dmp

Filesize
628KB

Download
memory/468-56-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/564-479-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/564-128-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/564-124-0x00000000020D0000-0x000000000216D000-memory.dmp

Filesize
628KB

Download
memory/1008-480-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1052-46-0x0000000002280000-0x000000000231D000-memory.dmp

Filesize
628KB

Download
memory/1052-47-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1052-125-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1836-529-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1836-449-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1968-344-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1968-72-0x0000000002210000-0x00000000022AD000-memory.dmp

Filesize
628KB

Download
memory/1968-80-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2168-351-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2168-521-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2256-525-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2256-519-0x0000000002180000-0x000000000221D000-memory.dmp

Filesize
628KB

Download
memory/2256-524-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2704-0-0x0000000002270000-0x000000000230D000-memory.dmp

Filesize
628KB

Download
memory/2704-1-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2704-24-0x0000000002270000-0x000000000230D000-memory.dmp

Filesize
628KB

Download
memory/2704-26-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2816-193-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2816-510-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/3180-79-0x0000000002320000-0x0000000002426000-memory.dmp

Filesize
1.0MB

Download
memory/3180-23-0x0000000002320000-0x0000000002426000-memory.dmp

Filesize
1.0MB

Download
memory/3332-518-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/3332-272-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/3748-17-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3748-62-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/3748-15-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/3748-71-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3932-118-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/3932-104-0x0000000002250000-0x00000000022ED000-memory.dmp

Filesize
628KB

Download
memory/3932-394-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/4060-512-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/4060-511-0x00000000006A0000-0x000000000073D000-memory.dmp

Filesize
628KB

Download
memory/4528-6-0x00000000021B0000-0x00000000022B6000-memory.dmp

Filesize
1.0MB

Download
memory/4528-53-0x00000000021B0000-0x00000000022B6000-memory.dmp

Filesize
1.0MB

Download
memory/4556-522-0x0000000001580000-0x0000000001585000-memory.dmp

Filesize
20KB

Download
memory/4556-55-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/4556-64-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4556-523-0x0000000004820000-0x0000000004846000-memory.dmp

Filesize
152KB

Download
memory/4556-16-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4556-11-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/4620-27-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/4620-25-0x0000000002230000-0x00000000022CD000-memory.dmp

Filesize
628KB

Download
memory/4620-117-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/4724-271-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/4724-63-0x00000000022A0000-0x000000000233D000-memory.dmp

Filesize
628KB

Download
memory/4724-65-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download