62bd95eac144ded7c0aa3777f611939144652961b2c91a8a71376a6967439313

Analysis

max time kernel
34s
max time network
36s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-02-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YouTube Partner Program Policy Update (2025 February).msi
Size

1.7MB
MD5

651628d8ba1677cee19fe5014b0b6d64
SHA1

7165bb6280cadbcfe48238d09e80db6a9da7e035
SHA256

105cba529818d0fe22a17177a7fca1b07c75951ed9dd7676d1fc191703c62e7f
SHA512

2390710547cc82623d792b61522cd87091ae9b683b747ebb6053a0e385d08abcff9c47c8992b71270abcde70957d7364f28dc06cf371559b8b2177872de564c6
SSDEEP

49152:Tc1agkIumpuu4aFl9LNJymz4DBiFVhYZt:Tc1agSMr4olVO5ViFjYZt

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 3192	5064	DesktopX.exe	94

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e582c7a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2E69FA6A-3308-4F0C-BE11-59875C91C9CF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DB2.tmp	msiexec.exe
File created	C:\Windows\Installer\e582c7c.msi	msiexec.exe
File created	C:\Windows\Installer\e582c7a.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1508	DesktopX.exe
5064	DesktopX.exe

Loads dropped DLL 10 IoCs

pid	Process
1508	DesktopX.exe
1508	DesktopX.exe
1508	DesktopX.exe
1508	DesktopX.exe
1508	DesktopX.exe
5064	DesktopX.exe
5064	DesktopX.exe
5064	DesktopX.exe
5064	DesktopX.exe
5064	DesktopX.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4400	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000053457cd7afd26d580000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff00000000270101000088380153457cd70000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e8410153457cd7000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea7153457cd700000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000053457cd700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4708	msiexec.exe
4708	msiexec.exe
1508	DesktopX.exe
5064	DesktopX.exe
5064	DesktopX.exe
3192	cmd.exe
3192	cmd.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5064	DesktopX.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3544	msiexec.exe
Token: SeSecurityPrivilege	4708	msiexec.exe
Token: SeCreateTokenPrivilege	3544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3544	msiexec.exe
Token: SeLockMemoryPrivilege	3544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3544	msiexec.exe
Token: SeMachineAccountPrivilege	3544	msiexec.exe
Token: SeTcbPrivilege	3544	msiexec.exe
Token: SeSecurityPrivilege	3544	msiexec.exe
Token: SeTakeOwnershipPrivilege	3544	msiexec.exe
Token: SeLoadDriverPrivilege	3544	msiexec.exe
Token: SeSystemProfilePrivilege	3544	msiexec.exe
Token: SeSystemtimePrivilege	3544	msiexec.exe
Token: SeProfSingleProcessPrivilege	3544	msiexec.exe
Token: SeIncBasePriorityPrivilege	3544	msiexec.exe
Token: SeCreatePagefilePrivilege	3544	msiexec.exe
Token: SeCreatePermanentPrivilege	3544	msiexec.exe
Token: SeBackupPrivilege	3544	msiexec.exe
Token: SeRestorePrivilege	3544	msiexec.exe
Token: SeShutdownPrivilege	3544	msiexec.exe
Token: SeDebugPrivilege	3544	msiexec.exe
Token: SeAuditPrivilege	3544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3544	msiexec.exe
Token: SeChangeNotifyPrivilege	3544	msiexec.exe
Token: SeRemoteShutdownPrivilege	3544	msiexec.exe
Token: SeUndockPrivilege	3544	msiexec.exe
Token: SeSyncAgentPrivilege	3544	msiexec.exe
Token: SeEnableDelegationPrivilege	3544	msiexec.exe
Token: SeManageVolumePrivilege	3544	msiexec.exe
Token: SeImpersonatePrivilege	3544	msiexec.exe
Token: SeCreateGlobalPrivilege	3544	msiexec.exe
Token: SeBackupPrivilege	3736	vssvc.exe
Token: SeRestorePrivilege	3736	vssvc.exe
Token: SeAuditPrivilege	3736	vssvc.exe
Token: SeBackupPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
3544	msiexec.exe
3544	msiexec.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1632	4708	msiexec.exe	90
PID 4708 wrote to memory of 1632	4708	msiexec.exe	90
PID 4708 wrote to memory of 1508	4708	msiexec.exe	92
PID 4708 wrote to memory of 1508	4708	msiexec.exe	92
PID 4708 wrote to memory of 1508	4708	msiexec.exe	92
PID 1508 wrote to memory of 5064	1508	DesktopX.exe	93
PID 1508 wrote to memory of 5064	1508	DesktopX.exe	93
PID 1508 wrote to memory of 5064	1508	DesktopX.exe	93
PID 5064 wrote to memory of 3192	5064	DesktopX.exe	94
PID 5064 wrote to memory of 3192	5064	DesktopX.exe	94
PID 5064 wrote to memory of 3192	5064	DesktopX.exe	94
PID 5064 wrote to memory of 3192	5064	DesktopX.exe	94
PID 3192 wrote to memory of 376	3192	cmd.exe	102
PID 3192 wrote to memory of 376	3192	cmd.exe	102
PID 3192 wrote to memory of 376	3192	cmd.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\YouTube Partner Program Policy Update (2025 February).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Frock\DesktopX.exe
  "C:\Users\Admin\AppData\Local\Frock\DesktopX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Roaming\ValidateWordpad\DesktopX.exe
    C:\Users\Admin\AppData\Roaming\ValidateWordpad\DesktopX.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        
        PID:376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjlBNTZFMEMtQTg1Ri00RUI0LThDQjUtQjYzRTZERkRENEFCfSIgdXNlcmlkPSJ7MDBCQTUyQkUtQTVDNi00MzMwLThGNTUtMjU2NzlFNURFMUExfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTVFRUQwMDUtRDdDRC00MDI4LTk0NzctMkY2QkQ1QjNBQjIyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcxMDQxIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NDc5NjAwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTIzMTg4NDEzNyIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582c7b.rbs

Filesize
8KB

MD5
a9432ad075c2d408535eb43733ee210c

SHA1
fd0d8c625ad6e1a381ced59f74d122e7bb08d7f1

SHA256
59edca4a07f6abd42e78dff777251542e6de0f992afe646b65e14b3acf13569a

SHA512
bc91e99bbecf0b06bf9b7bc63e19cc19f4e803deac33d550fa4b21df141bd0d976b515a8a85a4a6223600ae4df5a1d0f2520c398e32e8217482d04c921b61342

Download Submit
C:\Users\Admin\AppData\Local\Frock\DesktopX.exe

Filesize
514KB

MD5
9e90c7ba64a66d9ab4703af006540193

SHA1
7bca3ceb680ad8cb1f3cd0d24d106a28c813ce3b

SHA256
a519304c3bba23eae2045a85e01aae44e6556b2f787966654b7209db13cfa0c4

SHA512
480658daa57800eb3f1f7e1695d65097e308249f4724caabcbf4431fa1b5b10e6d1f65008338ccde869e1d3ec695dab02cc0eb638a74b5634a62d66c9b51b404

Download Submit
C:\Users\Admin\AppData\Local\Frock\DirectGUI.dll

Filesize
412KB

MD5
dbb97d5ba941838bb34ff9f98bd47b6c

SHA1
5e5f646f6b1f67519cabff1451aa3427eb46989f

SHA256
d121a42fc56b92cd0b8aede3c0a268bec534293f87da0c774cf78ca557d3e1ad

SHA512
0c21622f70f25bb4ed37299e2688ece256b9e1685d7d20ca940a6beccd5115dc135c8219aeeaf73fff87a40c42d0c45039bbdf64be45153d5f58cf34d4d85965

Download Submit
C:\Users\Admin\AppData\Local\Frock\IconX.dll

Filesize
201KB

MD5
2df05a3b433df20adbe86aeaa471f513

SHA1
0c0297f0baa82ff2da13f46276625ede110bb7f9

SHA256
1922233770e8f7370606e6c9109572bed98ea8a8d8891c7bd129273075ef2ee4

SHA512
46dcacf33e01db549fb933764c432d9f83fe0850be72010e5d6be5393d80cd74eba6af90355700c14c46e9d8ca5b2e64278583a41d16e8ed4ed526b454f2790f

Download Submit
C:\Users\Admin\AppData\Local\Frock\dx0.dll

Filesize
48KB

MD5
693dfbb9b324e80b70660927ca1dea69

SHA1
3748ccd9f716e4668af8672e037b5729074e36c1

SHA256
7c28d90e3484b566ee00adab4679a3d1c51f86f01560035d86c8f7788ac05234

SHA512
0c190b62f845d2eace63a2f55495df34c572e86ad66ed14e2f3b91d82a142ab0c609c20603c1245ddc3892c5a7d1c8b61c02bcd2b56f624c13d3d8595dd30565

Download Submit
C:\Users\Admin\AppData\Local\Frock\noddle.rpm

Filesize
1.5MB

MD5
9c9f289f28a88258780ba6d5b7f0734e

SHA1
0c01f64953383b08e86a072d23d81b1452365cb6

SHA256
3ba120b0296babede7ba109595dae1a202b56160d7fb061d7b544c4b287b8c5a

SHA512
259bac2369c081dd2eed5c14a0bb0a203673bd5ba1f128d1305122728b7d3de56287a0e790f6f1ee5050012bdbe2c4ce0f88f5fff4acf4c13a9521b71910675a

Download Submit
C:\Users\Admin\AppData\Local\Frock\sycophancy.apk

Filesize
33KB

MD5
56ed33b0c2e6a9e8067cc554996be045

SHA1
0fe5f8f5065c99eaac7961819f00d1c042a6ede7

SHA256
952766ebba49e9c144e6e05f6bcf51cf1474883fa9a9036963bfef6e6f2c3bcd

SHA512
6686d8da77fa0beeb3e868ef42a64b387b5277e82deafecacd5befe99a17b3c3b7b29b1ee7bc915429fa067c37e71d7f5e6c5e3a6f6c60118770ea9811aa87a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24d761d

Filesize
1.8MB

MD5
ce327f38726b6311e3631b28e1819ec0

SHA1
4063f4dcdefee88ba08b24e50bb3f56b19e0d258

SHA256
30246f3b28ab318758b445101bc5ee5302dc9daa2af7f81d5887703125a7c9d8

SHA512
e71e6b6e4a09b7f3a1726ec94f1709f10f9594c6f0374e2b7016252caffa894ce9fa04460a1fbc3e1622df8f580512c2d1340f120ad08ae84e3de18bba4bab7d

Download Submit
C:\Windows\Installer\e582c7a.msi

Filesize
1.7MB

MD5
651628d8ba1677cee19fe5014b0b6d64

SHA1
7165bb6280cadbcfe48238d09e80db6a9da7e035

SHA256
105cba529818d0fe22a17177a7fca1b07c75951ed9dd7676d1fc191703c62e7f

SHA512
2390710547cc82623d792b61522cd87091ae9b683b747ebb6053a0e385d08abcff9c47c8992b71270abcde70957d7364f28dc06cf371559b8b2177872de564c6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.0MB

MD5
433f64005eba94b796d138114da81dca

SHA1
821f4f7a3421168d2ed92209f58c48fdd1c127b3

SHA256
bed2483487266a8d00eefbdcc130baa59fc4b5072244e9e28d3adb04d2da981b

SHA512
fca4cf8f9433968e256c552b8a57811f368f2a071c2f80760f3ddf73181892034db39702d76288f616372d47ae1c71ed53e5a040d63e5e728b55d9d9ad198c15

Download Submit
\??\Volume{d77c4553-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{d563677d-dfc0-4861-90e7-ee2a60dbae64}_OnDiskSnapshotProp

Filesize
6KB

MD5
3528024a8bd6c000b3165ac15aced999

SHA1
87177a638f51d73bc43b9dbc82c2e89adce4feb0

SHA256
0ba75a51172d8726f2f80cc88e75c78ee40186b87de9e802a460d7e14e0739eb

SHA512
1b1d0db3a397079c78d8037d9d868aae7124de49265dfdd4e74d3a70665eb296b59f018ab4a66c1767c2fdd7ac13e3900e1b22223a64865529997eddde61742a

Download Submit
memory/1508-40-0x00000000006B0000-0x000000000071C000-memory.dmp

Filesize
432KB

Download
memory/1508-37-0x0000000000670000-0x00000000006AA000-memory.dmp

Filesize
232KB

Download
memory/1508-44-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download
memory/1508-45-0x00007FFA53770000-0x00007FFA53968000-memory.dmp

Filesize
2.0MB

Download
memory/3192-77-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download
memory/3192-62-0x00007FFA53770000-0x00007FFA53968000-memory.dmp

Filesize
2.0MB

Download
memory/4968-71-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-73-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-75-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-76-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-66-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-65-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-64-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-74-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-70-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/4968-72-0x000002C7D0730000-0x000002C7D0731000-memory.dmp

Filesize
4KB

Download
memory/5064-57-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download
memory/5064-51-0x0000000000910000-0x000000000094A000-memory.dmp

Filesize
232KB

Download
memory/5064-55-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download
memory/5064-56-0x00007FFA53770000-0x00007FFA53968000-memory.dmp

Filesize
2.0MB

Download
memory/5064-54-0x0000000000950000-0x000000000095F000-memory.dmp

Filesize
60KB

Download