0d0e7d86268f7acd51e9d4ac94f016034fb949b605b21405cba0b5581e4532e5

Analysis

max time kernel
32s
max time network
89s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Size

2.0MB
MD5

7e3ffb20da3685265b2ceb428a661536
SHA1

459f15272146c9b24279cdd04d98ba44ca5f0804
SHA256

0d0e7d86268f7acd51e9d4ac94f016034fb949b605b21405cba0b5581e4532e5
SHA512

468e3b381939d5cd66c5e7500ecdaf24ab4cd4e10887547e3c88f0ec8a4049b44184c1e84a69effdff5f9167d4cfedc419176b209e3d60ea7c5133930abed501
SSDEEP

49152:bPDE+iGJYpuZYmqHx0PQLjXp/cfO2aMkekh94n:k+iGJY2fqHePQL0

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\SkEkQkYE\\Bicwockk.exe,"	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\SkEkQkYE\\Bicwockk.exe,"	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation	Bicwockk.exe

Executes dropped EXE 3 IoCs

pid	Process
1972	RGUcgUkA.exe
2860	Bicwockk.exe
2956	NKAwYMgo.exe

Loads dropped DLL 38 IoCs

pid	Process
2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\RGUcgUkA.exe = "C:\\Users\\Admin\\uiIIssMc\\RGUcgUkA.exe"	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bicwockk.exe = "C:\\ProgramData\\SkEkQkYE\\Bicwockk.exe"	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bicwockk.exe = "C:\\ProgramData\\SkEkQkYE\\Bicwockk.exe"	Bicwockk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\RGUcgUkA.exe = "C:\\Users\\Admin\\uiIIssMc\\RGUcgUkA.exe"	RGUcgUkA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bicwockk.exe = "C:\\ProgramData\\SkEkQkYE\\Bicwockk.exe"	NKAwYMgo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\uiIIssMc	NKAwYMgo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\uiIIssMc\RGUcgUkA	NKAwYMgo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RGUcgUkA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bicwockk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

T1112

pid	Process
2544	reg.exe
2200	reg.exe
2772	reg.exe
2376	reg.exe
2544	reg.exe
2148	reg.exe
556	reg.exe
1892	reg.exe
2636	reg.exe
2564	reg.exe
2656	reg.exe
1336	reg.exe
1444	reg.exe
856	reg.exe
1448	reg.exe
2648	reg.exe
1136	reg.exe
656	reg.exe
1584	reg.exe
1700	reg.exe
2068	reg.exe
2136	reg.exe
1428	reg.exe
2548	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2252	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2252	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
1056	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
1056	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
1804	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
1804	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2860	Bicwockk.exe
2160	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2160	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2696	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2696	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe
2860	Bicwockk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1972	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	30
PID 2244 wrote to memory of 1972	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	30
PID 2244 wrote to memory of 1972	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	30
PID 2244 wrote to memory of 1972	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	30
PID 2244 wrote to memory of 2860	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	31
PID 2244 wrote to memory of 2860	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	31
PID 2244 wrote to memory of 2860	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	31
PID 2244 wrote to memory of 2860	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	31
PID 2244 wrote to memory of 2724	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	33
PID 2244 wrote to memory of 2724	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	33
PID 2244 wrote to memory of 2724	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	33
PID 2244 wrote to memory of 2724	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	33
PID 2724 wrote to memory of 1732	2724	cmd.exe	35
PID 2724 wrote to memory of 1732	2724	cmd.exe	35
PID 2724 wrote to memory of 1732	2724	cmd.exe	35
PID 2724 wrote to memory of 1732	2724	cmd.exe	35
PID 2244 wrote to memory of 2148	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	36
PID 2244 wrote to memory of 2148	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	36
PID 2244 wrote to memory of 2148	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	36
PID 2244 wrote to memory of 2148	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	36
PID 2244 wrote to memory of 1448	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	37
PID 2244 wrote to memory of 1448	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	37
PID 2244 wrote to memory of 1448	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	37
PID 2244 wrote to memory of 1448	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	37
PID 2244 wrote to memory of 2544	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	38
PID 2244 wrote to memory of 2544	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	38
PID 2244 wrote to memory of 2544	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	38
PID 2244 wrote to memory of 2544	2244	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	38
PID 1732 wrote to memory of 1544	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	45
PID 1732 wrote to memory of 1544	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	45
PID 1732 wrote to memory of 1544	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	45
PID 1732 wrote to memory of 1544	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	45
PID 1544 wrote to memory of 2248	1544	cmd.exe	47
PID 1544 wrote to memory of 2248	1544	cmd.exe	47
PID 1544 wrote to memory of 2248	1544	cmd.exe	47
PID 1544 wrote to memory of 2248	1544	cmd.exe	47
PID 1732 wrote to memory of 2200	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	48
PID 1732 wrote to memory of 2200	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	48
PID 1732 wrote to memory of 2200	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	48
PID 1732 wrote to memory of 2200	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	48
PID 1732 wrote to memory of 556	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	49
PID 1732 wrote to memory of 556	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	49
PID 1732 wrote to memory of 556	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	49
PID 1732 wrote to memory of 556	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	49
PID 1732 wrote to memory of 2772	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	51
PID 1732 wrote to memory of 2772	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	51
PID 1732 wrote to memory of 2772	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	51
PID 1732 wrote to memory of 2772	1732	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	51
PID 2248 wrote to memory of 348	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	54
PID 2248 wrote to memory of 348	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	54
PID 2248 wrote to memory of 348	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	54
PID 2248 wrote to memory of 348	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	54
PID 348 wrote to memory of 2252	348	cmd.exe	56
PID 348 wrote to memory of 2252	348	cmd.exe	56
PID 348 wrote to memory of 2252	348	cmd.exe	56
PID 348 wrote to memory of 2252	348	cmd.exe	56
PID 2248 wrote to memory of 2636	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	57
PID 2248 wrote to memory of 2636	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	57
PID 2248 wrote to memory of 2636	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	57
PID 2248 wrote to memory of 2636	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	57
PID 2248 wrote to memory of 1892	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	58
PID 2248 wrote to memory of 1892	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	58
PID 2248 wrote to memory of 1892	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	58
PID 2248 wrote to memory of 1892	2248	0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
"C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\uiIIssMc\RGUcgUkA.exe
  "C:\Users\Admin\uiIIssMc\RGUcgUkA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\ProgramData\SkEkQkYE\Bicwockk.exe
  "C:\ProgramData\SkEkQkYE\Bicwockk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
    C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2648
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1892
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:1448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2544

C:\ProgramData\wGscIokI\NKAwYMgo.exe
C:\ProgramData\wGscIokI\NKAwYMgo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-711651307-1338378541-3864715391972726390-368669669189800309422539324-945226717"
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
2.1MB

MD5
04300db3b17c6ef7739e147cc9979d89

SHA1
63bc73ef392fce041a64eb34b5b2dedfbcd75d9f

SHA256
a90f18c81d960f5501593dbbfeb3504e7e63fdae928b3264066e98ea92e5ec83

SHA512
3c65656e8aa33904144f5335e29e8bbb4fb606486bc2f990b5e2effb83a748e31d6a83f906441a6908e476b09759fa899c514dfe87055cd8d6aa887daa808123

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
2.1MB

MD5
7f095d5c1a2512de543e83273fc049f9

SHA1
5019c62b4fa25844eeb117acba631245db44be69

SHA256
de6f1f106936201f3619c8985d263d2b24fcc33c647c903c46b4c1d93f284e73

SHA512
523e3c42c46109d65a55b0a0d2c3afff4a4796fcf29d54fb58968d1999f154b209fbadc54b1c148eb604dd8509b3f1053acae3ff9a2b64abbbd9bcb9a0df516a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
2.0MB

MD5
25ea1ac71e1ad964478781f93a5efb0e

SHA1
f6662c3343787023dc98f8a3e7a1d97da0f7d93c

SHA256
3851f5b6bd8c899d306188d26e1bc2d174428016e163afac407a5bb171077be2

SHA512
6973024a3ad027837059506666e4d199bca3567054ae14828e144d3cee74305f8290a8b17da3c66e2d10c4d18ec670b26376f67696eaee34255d42013d0c3c1b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
1.9MB

MD5
2ff31062ae54233bf8aeeecb11265fd2

SHA1
e6c1a41bfce3050567abd36c7b71fa1be931ca1b

SHA256
14b0aefbca5fc2f19f4191412ceeb398c49b872596695290a04dc0d9b31dff99

SHA512
c9356b704b259a2db9369031152f4912972e4204ca6e918b5e2cc0c335eb525259015ec8ad2734616eacfda37950f83d07f027193b5de099106a8a5e10c78b6e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
2.1MB

MD5
c783e3177d21aac1a5ece6ce67bc95eb

SHA1
6354ae80387ed505b16537b888c580b17d0f29e2

SHA256
18f142084719bc24c5ae01b9ae2d81df014d2391e677a12abf266e9e275a029f

SHA512
ec2b1b4484b5a2b680bc9a9200cc77e98f3b05f15d4e805efa5925197e3eef3ad3ca47bd5a26034c80ce6a613d55c793f953116f8fe75c9fcdd1d2b4030f778d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
2.2MB

MD5
bb95f4fbb9e68f7595fda50afa6ac585

SHA1
ba2a4f7824d9174342d15a581e5bdc8709037f4b

SHA256
02cbb5ed1100237714de2ab5d93b6cdbcfbdd54e729acacc1da609fe385eedfb

SHA512
399883e053e2cbaf5a04d83f9eaf6d2aa315306fcd881e3f41483c742165c18f4b52144b43ff321d2415c6cfccf56ab71215c8488bfcc66b25177163ae79a326

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
2.2MB

MD5
105070a1c33c6320e98bd44a130beb5c

SHA1
7756c7f9665e6e87b879cc45d45f9c5326938024

SHA256
5317ddf70db76c2d33f09ebf3d7e5343fbea0e154252d298bf8c2943f1e10273

SHA512
3bffe64a0aa3cba1b001bd41495d60a7f2bab148c48e261b1d039fcb714c68c3556b9fc69e2f819febf92527c5d8e6acdb0493d07a3bf18fa2dfe897c2d2642a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
2.1MB

MD5
f79fa9d4c79a5ee8244f29a45b2f4871

SHA1
adf7259d69a1aedb68af04a65b2d66c74cc75ed7

SHA256
bafbb4f88bce91fc6a5887be4a89fd4dc07cc6ae2b81d9583b832eb62af1d9da

SHA512
f25857ec704826dbad79590922d74754a2a234e09922e78b52d73123080c842cd0d590b6dbaa9929f379044453cf871cf7d404ef4dacf8cea14e365b54101ff1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
2.0MB

MD5
56facf6036884e101279360be0a1e082

SHA1
09ca1c3b095fdc02ea7ee21851e4925584b40350

SHA256
541dd38b390dd22f045a022a806c9cea3ebeb824098c1e43d14d9025163d61c2

SHA512
2cc621763ff4bdd0e1bac24a74330116860790cb602da87fc476e42cd53be4382fd6680619d1bb82b8285f59c42bb6e42a41fc45a1b256085147693bfe1d2bec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
2.0MB

MD5
bf5f67404cc68b2bdfe91b5bff17b545

SHA1
8768278e1649498e22bf1161a07b39db77f3db0b

SHA256
932c5887a338a940783f6e2e35886f2d931680eb0291baa76108277a3014a8ca

SHA512
c5019d90a10a4eae487d882a08e8f45687ace88054d640f66a6fe3a6b7e1c2a40496c2f45bf7e792ffad3f087fee82b286e9d9471e7092fafa295dbc7931c72f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
2.0MB

MD5
b418dd8ef1fca5a7679f616dc6a2d7f5

SHA1
6c6000460e71b468cbd71b934cc17bd5d40010a7

SHA256
02300387db0a5b04e47251e4766629c126b90a69e17c1d0d78fb39a45493becd

SHA512
71da29696cd07cbf38062681e03cf421e7c20285a381655034a9f1887a81704773fb20c0b698b75a19d5a4d3a64bfcc386651305836977845c114a6bdd203aa3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
2.1MB

MD5
fb68bd5a32a4d64b19cb5e7db3ec2c3d

SHA1
4b3dc9edf68ec44d5b440e0db1d01e5efe428fea

SHA256
f0955f8adebd6e3228b15c03dbc39c39944dceae611c4b680a4ee1854c7f0ae4

SHA512
8f2d57f8afe3b6b963bc0dff7dbe4d882b2bb9e15201c2bdaf7026d6107263737ea370d2c41f6cf9d734b6c6d24fc32907f575a33d8cf7e03b592d1c952392dd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
2.0MB

MD5
48bfcbcbc75fc7e30a4733c092383565

SHA1
73380dfbe1bd01b1a7e95e7092ce36b37dd800a1

SHA256
4fdee29d6e50c37ddf36642b057c62fb2faa36c944aa00098923107fbaf8ee55

SHA512
276d0300073b493c5418c6c0c9d9e239d7d25c57c0c8cc1331efa8d8c25810bcde1429c0740907a867915a82d215994833660c49af2efbf25254809d73bb6d64

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
2.1MB

MD5
8a9aa65d55d3643962576988beb6e818

SHA1
56f791ca06862f1fe57c574032f8925213cf5d62

SHA256
0675dc2a32a8ae3c30d6bcc3f7cb36c6e63ba4ddc857fc5d49f7ded7adafae92

SHA512
728a79c94e49cc0c561b6c32b2505d512331150a6a3460f65783ec45c95ef95ea1a73fe94d0cd702b5f0a164ad20f630e5b550f0145d5ab9619abd082b495dc5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
2.1MB

MD5
72620f5ace4e6f444fff09257c92d5bb

SHA1
cde9356b0a2a390b05ffc09b1273255804c5e5dc

SHA256
0461f36eebbcd0a6d79185e6fae23fc81ca675b5b8a7defb8976b95f4f33c60e

SHA512
0d42262b0cc59ee60fdf25a88d542361218c9416a41f7f45182627b834c91620838ae737bbb0930d61c19a681a874b8b4d57765aa977d819a940c72adbf7391f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
2.1MB

MD5
66eec0f044e5bfc35f5d3b44cbac7773

SHA1
9bf6a93d7104275a8fa9857adcbedf6a283d7306

SHA256
b0f974331106ea0c2423d306cc4e0c53b7a16ac8407be3fb1867e697cc23bcaa

SHA512
219eb06016aec11ef98739c29c4956cb82b1c5c3fafc0a26c251ec37342c31dd1f77f0354be7380f8ca63f746571b75fb17e6d6d90ebfd62b30c074acf81616f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
2.0MB

MD5
bcd0cffd5085ae70b1507fc67d9ddb86

SHA1
fa59291fe28defb2e12eb1b92d73ce87f80b7061

SHA256
4caa20d2c56211df6d86e708ef0b2f858d4b0d29f1ca1d25ed0a0098a226ccdb

SHA512
dcb1f35af32b6a07b0e016783d916dc920e8b60875be9880fa49420af4643fd65696b2ba1bedd692dfe489729f157674b80525cb08c65e9c4f950e73a45c6ab4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
2.1MB

MD5
de1203e6ae815d29ed830a1e84861e87

SHA1
684feb89ec23ce0913c09527e4577bebc90dd8be

SHA256
52270d4423c923d71c9e8ddbd56807a5dc118ea3ca704dc35dea85dea55ac3df

SHA512
33a93ccaab304e64f530a37bf788bd92cd4640604f4e9841d7ec7decb04868c56d891e8f26a248537980c9d35c285caad3743437c7aba404f991551f67dbfb2e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
2.0MB

MD5
8ea5c80367309478ad8f87f5ce5864a1

SHA1
ed1937b7ec8467b4e1c5325a4ebb911a49acf1c4

SHA256
1cb88883b5fe408de2245ff30d06e01fbe5577117d0cb9eacef09c21cdcc088d

SHA512
69c622f1c33fa2e913727fb8a94e719b3fd34f4d91e80665080996208f95ebde9f35a2925b8008e0430494a92dd1c72e0226af753048128faae6c64a46dc1aed

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
2.1MB

MD5
a3456bda963ad11b0b7d5f9ba361555a

SHA1
a9652e0e50aad3235a4953b3f6e54f09dfcb7766

SHA256
3dd236a527ee442391cecdd395cd88e4d86778ce68737f8d38070bdf9db49f4e

SHA512
943b1c6fe417921f80751ca1052aa9dbaf20db28046cd8b872fc80bcfd68894d2796450ae25bb3d90b0a0bfd694519ccc9097573d98ebdbaadba5ed1cba6294e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
2.0MB

MD5
1a005b370c1cd7a2fce75aed86e34de4

SHA1
72d98f5983c5b3181da5424feab84cb1e27aac32

SHA256
7a99581caa186a6eef469e5c4bc6446534827b29de4f34598454b77b10e540b5

SHA512
38d7b5742c7917a03560eee360534311b545aa8afbab865899de4319b994bc2ccf6309ccd15d4b3d0919aaef3f6f137ad9851cacc42c679c81a527b546270262

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
2.1MB

MD5
59ba503f1a4acc9c72e79d1843ab5932

SHA1
7d910d1dba95ee5971608caab134d6af93a1ad91

SHA256
f2efbb39a3b99a3ce64a6f3cc6011c4e683da1f59453318d3e9662f0fc3d43c7

SHA512
3d22927050cd674a9e77b68ff11358bd2751a3839cf5d8c5a512ee0abc5ba6375af7513fdb889715584ca4048de2070b5ff93c3f5bc13a0d4f24a5c09bb4bfdc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
2.0MB

MD5
07fd1caa3491ae513141eb656df9c116

SHA1
7a22163d0ee37396702384649d2c99952dd16c0c

SHA256
b28a625a4daa90b48f2629c917916f0ef29d440d290b2626018140dee93d3304

SHA512
2f1328c19f96707cc6dc0fc066544f3d91e5225eb5ffb25d286fc736dc1e3699b9620bbb75c721e6178c6e9e15596fa5bf580d73285ffbdb7e41f2b1a1844c3e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
2.1MB

MD5
6add5a3bad71f1de09f66b5b629f6f3a

SHA1
b9192ad714ce7b26ed8aada43d2d0d7400938348

SHA256
f480b7d874777807cee9159ffaf68ed250efab2abc3e70a2bd9a94ad7ff54276

SHA512
c9f1d68ef1804449ec34a6115f845d2bb1858e7cecf0a2e10585c3614bf68604dabaae0330d44d955da84888e6502150b5bb872ae47f5524fbfa7d52caa51a34

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
2.0MB

MD5
c16e40023bcd1276027bb00da2606396

SHA1
b2cc63158aeeb62cad2a348c9a6d33466c382559

SHA256
898b3508cb4fef0f0db428b6b5212bbb3344270fc26906ab889f7599dd42525b

SHA512
e3ef3377b3bde64118a5704b70a8647ddc7ac4fd90d9a20d50a7b14b078fca4f4057524374655ee1a43be0dc53bb31230b9beb028edf94710a5fe7e2e5753189

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
2.1MB

MD5
42100ec171ec00b8e8130301963bc0ab

SHA1
790163715fcc291d51b8bcda80425e71d5a794f9

SHA256
26239a1b543ed592722515d9c35e02a2a9117744ef191e63d341dcc7ebf97c37

SHA512
657bdfde3d18c63a572bbb0203bc59cb4a9ebf0604a1bec217101569f9ce944670de106ff25865dd5261bc79b519cb6a90b3d8ac7afcd2a610d09b64ee0874eb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
2.1MB

MD5
3922fc87e50e00d4a67146266783b630

SHA1
d513266237c7973a331acac9144b7ad73805a82a

SHA256
611a19353cd665c0d38de1ab650a8ad7533e1cca81e4952b08b60bd8ebad923c

SHA512
55f730e994c6d82cbe11e23cb08f7e42857d14436ae0ae448374ea1c53d686f9e4b4043d23e189ca647aec5f36b4f86309399f01ea8f249090bbfb954561b491

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
2.0MB

MD5
78f754812654dec5662cbafbdaa00bf9

SHA1
a15c9da22b7f72a113884e6986a8019bca7169dc

SHA256
1362961473b2d4e0073d5beec3eddb835540b5c8add35785c0f81c06c5f23012

SHA512
3b7eab9532df6cb6b6efc28af8744470752de0b88f39efd6883d8aabe95fdddb97d246fc8711f1e1be9aaddfc9161ce1830a1437ccc0bc6dcd4afcd40fdc9e50

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
2.0MB

MD5
6310e37a5974be5cfe71c349c37c7185

SHA1
7948cfd96d0dd7bf77ca756c4ed52b313746feec

SHA256
d2c021f72b5a7c6c0535e8bca150038467eeed997d168e19ca3c12da4715edba

SHA512
1aa243c597bb3385f061c20b3597ae5c36a0d79189b7aad003717f3aa9ed3d26aeb29136d50f75733bfabf79f312378270edb8a308ae2d1ee039f83038c5f5d9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
2.0MB

MD5
fc3942a87099a32d58d10d65e7bc35a0

SHA1
21fc6747dcc8391bbd630b3c05c0d6517d29931b

SHA256
8e3b9539757ccef2e6680401326155e70243692884dc52dccb2fb7e8e577f6fe

SHA512
f5195fb7071ea04a5c351992033a469439f8299e50cda153c03e4fb8c2b94bd3af2cbbe62cc057658512c9db8344f0c2a3be9d222aac8070ef07a742eb71dcf9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
2.1MB

MD5
69d211cacda3a1ff492f3ab77c69d879

SHA1
bbf62a360a3b2969e7cdc1b151dc337ef2a1ff0d

SHA256
0b024d07dbca17215e74b081c2c76f392e878552c4006ea9569c1803e730de48

SHA512
6550b5097f763560b4415b71f674aa670d9c3e16c2dfc2d2c0e007fc2c7b10d1a2e0f91dfb37d3f1d8513fe58a27971d6c018092d0a1c60837b09c69d5f34ee7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
2.0MB

MD5
6a6ef0ce6de137052d6e731906b128a1

SHA1
dfc8aea99612ec08ddbe0247cda377145f7a2c3c

SHA256
48cdebfa3ad43de811ea2438151cb81cc5e27c29d4ff65c5c35a5ff714c9386b

SHA512
a11627500ebb35011fba39a04cfd76615b82662dcc42367450d78d4ceb8e06fa51673f508e5eaedf850c5c31901de6193b02cdab7ad51643dfb51a4df3f85516

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
2.1MB

MD5
03e0f37f8591e737544d90d969b8a89d

SHA1
099c83bdad431edf05d2ab8218298c7ca8ecba0d

SHA256
b7cfc06f6ac744a0775322f66ccc7ae91316f1365f3787675905580e17d40097

SHA512
7217aacbc663d0569ef92da7ee5753894dad8d20874f57c9d5dbee112282331982e2904fdb371c0edd1f8af6c259acde653bc42af3f7aeaee1cc06f99f9c0371

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
2.0MB

MD5
399f7d3721e7cf77ff42ed3ca0687f4a

SHA1
12ce2b5579f8dc84ad1388eaf87afb05f6f0d964

SHA256
2d2c323ca1e99e391de4f87ee332ba1a044fb4b821939fcbe70953f9815bbb84

SHA512
46c64b27993244667f8ddda73b490ce96a6c4a27716b0824bdb15c067755694d1cf1e57558100d339987a3a51d2039b5009c8905912d425cabbf27116921d75d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
2.0MB

MD5
4944610baa7a961c4c5e1e3f9ce51d34

SHA1
28064e143da53d088fff131b9009fbe5bf081d0b

SHA256
81657f0be520161a56cb2de582052ff805a0f869da53bf2e7f9786e8dee083c4

SHA512
5ff8f72dcd4259eff1bdc8300d34ae111c290c3c027737672fe956c80c481706246b15892843e592639c9f81641001db61b65e08eb1e2133f84232bf37d6b853

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
2.0MB

MD5
6a030591b983aea4d0e69b4a886bf8ba

SHA1
b9fc3b3ed5728095cc3d3878ba0dbb688b10f103

SHA256
7bd5aed3bcd241bb3683cc4c368b4095a5bd24b0387d11dfb9b2f6108cddbb45

SHA512
f4f1975489b1325e6db8f64d2687558394f427e2dbc4a0fbe182911f26419134f8100696f085fc6e860ea180d8fd11f59cabe462f9f4b0a0a02ccb9b5a8a7624

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
2.0MB

MD5
ccff9e19854819c8f4c87e1fbc70864d

SHA1
a182ff83397675bc2acedd8f9a77a6ed533bd899

SHA256
ec85493827af59bc67de30063ba7e99e86401453c8ab0340ea90f4f889f4af94

SHA512
ddc5d903540e9490201526935e9f326f520485936cb5b9e07570817506979b5b07efbd763f2b318fb3c91f80129fd52e758722ef395a8d28def08c4695b7d468

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
2.0MB

MD5
a8ea9793f88fa7b8299be65d7775a232

SHA1
ce2fbec562cc387104663cb688c8fb2cc05702fa

SHA256
b8558df435bb90549acff4d3bfc0150e043b28d2cbdcd70c7fe0485d3a3f215d

SHA512
c5f2397c124ae1dd423b5a590c26eaa3eb1299ecc415edb1b32a659605787c5eabd563ca8f60ee2881fa80dcbf32038a47e2e2d730a8691bb4549b088a3fe09c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
2.0MB

MD5
d6114e6216a710c7c01feb48570c7594

SHA1
b7fd95917a003dd4c8b069e8b07bb3681d647d7e

SHA256
9bb97a02f14cfc14fec257277df7a520043ad1743a841b86963936961bc1a7d4

SHA512
33868c95116311c57d98cf879e55a54293f49bab8f0b6956774ac63009553a3edf3ba46e407f145563dbe933c38fc2c36b791367a62d89934aba32d5dd99c4f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
2.0MB

MD5
937ac732681db73ed66e883029ed9710

SHA1
929dcbc38ec2a3bb474eefafbd64b2d916f030d9

SHA256
f0bf71171069245bcbb5547296d01e897464d85f55f8b02c964392b3f8545d60

SHA512
ffbff4567aab339f35dc4d3f87bf3f7b6cab2c48d92f88c465ab3388d91d55e88171b6568b01de4de6dae98c4afeea71172faaa89aeeaf92b9e0f1a92c65dfc4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
2.0MB

MD5
b6a6878b4e58b5fdb2f09c71fe66bf0d

SHA1
c5b0634951c3582cbe1b52f2892f2b3932725917

SHA256
8258a418be666b2c05e9ebaa3b46aea2626e45cdeb2c5b99ff3208d2b17d9ea8

SHA512
765020953e8f0c93dd748d2eb7f42ae3f96523c9e413f158fc58936f492c8eb3694cc8a3b225cc8dfe09d32859654f1941128c57d2d4d3bb442ae2476ca47086

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
2.0MB

MD5
df7574fcb3e72739eeeba3157175a78c

SHA1
b412366c8cc0166b2131fef1569f28b01b141764

SHA256
292a467bf95439a83f5b55467ed2ecf1f855fcc45578d398fe7853caf4988013

SHA512
66f9dd39509f7b7e07173c1022058db90e656700d7610f1e031f2879af9c9fbba5e2d90f9a0744976c09a57ddf13cc29d8036ccbce31ccafb8491b5fe3d07128

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
2.0MB

MD5
a72a8805296cb8e85e50fc738c3c6445

SHA1
358dcdf4d8228e0e198eb9b18777760dd60b8d77

SHA256
e39d0e5961cc76c15e62b43ac298d4b64cab78ef434957f3515a4a560271836d

SHA512
8cc49f454b439208499bb870b942371312d710e9b72f6818f7e49b629a158a1592fd22b77f664b784c4b83e6bec222e2365156a613aabce1c98faf6752aba9b9

Download Submit
C:\ProgramData\wGscIokI\NKAwYMgo.exe

Filesize
2.0MB

MD5
97d0736276e6308cfdc0dc27d4dea70c

SHA1
caf42a32350321b11294ac5b0ea2ed10525e0dd8

SHA256
48f7509573e9ba6f1d6626ffd27b6be56a52b4a3caf3aca4bf1b5d8ee7545833

SHA512
78bfcd050a13a231ed381da4a4b80f66fa25f3ee25a7e9d58081fe711eef9052fc48584b98de47603854c02c6fdf0d93087e638fc317645956b8a96c3698a91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUwYocIo.bat

Filesize
4B

MD5
6f282fa16cd0162cd29348fbe594dcdc

SHA1
cfdc838d0b8a5bcda97440129c4a32ead934a383

SHA256
805e85266df27c19fa61c6059e47408df83b29ccd9d1323d2a2d1f8683db4e3e

SHA512
748b4ce51a312c2586400861173018e3d41bc76d7a3ad222b8aa71d5eb26de0e43b3772433de796079d1df59f4447e2c31ec02038db2b4cab49313187554ab29

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYUswYkY.bat

Filesize
4B

MD5
ea18819923a594af4c4b5ed78379fa58

SHA1
6c1345e2c6c1b8a6a5a8d711aed9a056b3199aec

SHA256
f62ed996005a028ed179943635bbc9342789e33922bea3a6d9b30a76b351deac

SHA512
3ae7b14902b5aa025427513ba3a5b4757faa2c9fe7cc51f38d89b46e000bee7d06501b1ea525d5f7b0b67b0cc637418004d0677b9fae6b0aa6909076964e97f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIkYggk.bat

Filesize
4B

MD5
a67fc6b7a189fcc6692b4abfdbc5f5aa

SHA1
54488ceac3447175688fc01fa3b6cae2adac074f

SHA256
66cab8a36e5c1e77d3dc67dedf85e48383589f2fe45b9b6b3e2d92052bb5b75e

SHA512
828a6e09e36653efd8f5a02caceeb5a92a53197526127452d8c0b07a16e836e51917079fc255975368874603677f486d5f05f2d0578f348b83f872c06a5d4237

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgMoAcg.bat

Filesize
4B

MD5
4fe01abd4e49adebdbd78bae142262c6

SHA1
9b2294da069b207eb39767dbc8a23cd174f5b4c2

SHA256
fb8ed4e2433a2604bf81b61e44269b2c475ee172daacc3c205474990b5b78960

SHA512
d65d220c10c0952b3f7e2771205d1eefbcfcb8de9cf2389467e5364663c89ff67ceb6b13485264ba0c318fc63dda037fedeea92445242a796c3ac1b85569c8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAcMgQsw.bat

Filesize
4B

MD5
de6262eb34ef022159b034987273b3ef

SHA1
e863cad848c1a60f63917c275ac46e372ee44efb

SHA256
aba7a89392809e27b0a284187b5076fc56ca0634464a9317fa0a57e10982d501

SHA512
d1f704dd2fee165b16c68d16f331173b8e7c17cdc508f6f5e0e15a97524f4438ae9e4fc6822697ae5fdde10e1551c86c03125a2ad86860aa05d1368c47a4f211

Download Submit
C:\Users\Admin\AppData\Local\Temp\koMQYIwQ.bat

Filesize
4B

MD5
4c6c5aa809aecdac9e22c4a2048ed0b3

SHA1
2df2ee7986dbb9b1ec369f80ecf3043bd6351dd3

SHA256
e5a899a1ca6d43792bb42f1e063f8fdef75aa5b7267b97946d1b135413b0d5cf

SHA512
2f6ba872a5a632cb7b50a294c236f78980bea6727ffe3cee0b4b54f226d02cc95eac95a4023285135b7b834e44970ebb221a1f582c9de00e30e5de845c6204b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcEAokIc.bat

Filesize
4B

MD5
64e29b33c5a971a3b73e75e208c7c466

SHA1
7b5859449441e133ef00e2ced3472695326f23c5

SHA256
862749e9f6ae9e1bffa00923af54e39871067b2eefe2314b95dfddf222f419ab

SHA512
060b7092bcdfeab94dae3c94ab6ad4c0ef15249021cbeb8140401fe167aca20ec8068459c9159fe8503357cadd0dfcc93b1fa14691d56fac4a4558e609bf7fb3

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\SkEkQkYE\Bicwockk.exe

Filesize
2.0MB

MD5
7cfb7ce054f3ad86fbd747acd7864f95

SHA1
9b0fb00eab839ee98a6dcfecfc115ffa6e3b5c6b

SHA256
69900d7d3dc8e4ec75ef9ab6be78823ce05177bd21a687c223332c0f8e84ee2e

SHA512
1f6e90d256b531611d485ff4e3208dd47cf0fde1e2b90a34943dc082510c163251c3c803967addd705296e2214f0b5808658168150c43ea272b01848b9419956

Download Submit
\Users\Admin\uiIIssMc\RGUcgUkA.exe

Filesize
2.0MB

MD5
67e2614aa6428408bc24212a26e0a836

SHA1
12c68c4739a5cfef6bc3b5dbfa3cffcfc56196ce

SHA256
f553d67e75a0296eef12b7179a70c3d40ddc5af9f6d92017d873e5d2fa85f68f

SHA512
c0fcd20423f1c0a03c96ac0dac0c42bec09df95d2f8edfb1f6293051ffa097c1c724e9abb180cd3dffe84bc37eea6691cdcb6633b849627e382b04b3508f56df

Download Submit
memory/2244-563-0x000000000040C000-0x00000000004A1000-memory.dmp

Filesize
596KB

Download
memory/2244-0-0x00000000002D0000-0x00000000003AF000-memory.dmp

Filesize
892KB

Download
memory/2244-1-0x000000000040C000-0x00000000004A1000-memory.dmp

Filesize
596KB

Download
memory/2244-417-0x00000000002D0000-0x00000000003AF000-memory.dmp

Filesize
892KB

Download