a340458338219b9a3f87c40756e1a766e9f1ea44abf85f045ec9ff70e443bf64

Analysis

max time kernel
159s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
Size

116KB
MD5

01158263bbd9b49b1c1621ea2bb4ef2e
SHA1

1e2a7a0f4254096039bc17e936c77d2091f05e32
SHA256

a340458338219b9a3f87c40756e1a766e9f1ea44abf85f045ec9ff70e443bf64
SHA512

67dd2987a94d03523b41d8ac5b833a011b9587e43e287ca5a87dea0f7387272b813856d12b9f89849f6914dbad8c854862c8a46adfed031df0a98ba025ab9ecc
SSDEEP

3072:TsqNQ6pUhwFXfnHLhIYTlwvFM8TffLLaLAwB:TsqjGhwF/HLmYTlwtMqLLax

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 29 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 31 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (90) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WSooAMMc.exe

Executes dropped EXE 2 IoCs

pid	Process
3416	sKIckEQQ.exe
4816	WSooAMMc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sKIckEQQ.exe = "C:\\Users\\Admin\\lisQAgAc\\sKIckEQQ.exe"	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSooAMMc.exe = "C:\\ProgramData\\skckQYYE\\WSooAMMc.exe"	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sKIckEQQ.exe = "C:\\Users\\Admin\\lisQAgAc\\sKIckEQQ.exe"	sKIckEQQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSooAMMc.exe = "C:\\ProgramData\\skckQYYE\\WSooAMMc.exe"	WSooAMMc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	WSooAMMc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	WSooAMMc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4000	reg.exe
772	reg.exe
800	reg.exe
3500	reg.exe
5052	reg.exe
4232	reg.exe
3404	reg.exe
1208	reg.exe
2484	reg.exe
3924	reg.exe
4524	reg.exe
1588	reg.exe
2348	reg.exe
3404	reg.exe
3428	reg.exe
3164	reg.exe
648	reg.exe
4500	reg.exe
1800	reg.exe
2268	reg.exe
2896	reg.exe
2892	reg.exe
4392	reg.exe
4604	reg.exe
3280	reg.exe
3052	reg.exe
3060	reg.exe
3976	reg.exe
2768	reg.exe
2504	reg.exe
1208	reg.exe
1192	reg.exe
4136	reg.exe
1656	reg.exe
2268	reg.exe
444	reg.exe
4152	reg.exe
4888	reg.exe
1572	reg.exe
4084	reg.exe
764	reg.exe
1500	reg.exe
1120	reg.exe
3824	reg.exe
3428	reg.exe
4488	reg.exe
2032	reg.exe
1704	reg.exe
4524	reg.exe
3616	reg.exe
4036	reg.exe
1696	reg.exe
4972	reg.exe
1924	reg.exe
5032	reg.exe
3392	reg.exe
3304	reg.exe
736	reg.exe
2416	reg.exe
1348	reg.exe
3040	reg.exe
1020	reg.exe
4592	reg.exe
4136	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2028	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2028	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2028	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2028	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2528	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2528	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2528	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2528	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3452	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3452	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3452	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3452	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2272	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2272	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2272	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2272	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1764	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1764	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1764	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1764	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3312	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3312	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3312	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3312	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3496	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3496	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3496	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
3496	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2884	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2884	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2884	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2884	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
976	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
976	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
976	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
976	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1964	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1964	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1964	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
1964	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2212	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2212	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2212	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
2212	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
5092	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
5092	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
5092	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
5092	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4816	WSooAMMc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe
4816	WSooAMMc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3416	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	89
PID 1008 wrote to memory of 3416	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	89
PID 1008 wrote to memory of 3416	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	89
PID 1008 wrote to memory of 4816	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	90
PID 1008 wrote to memory of 4816	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	90
PID 1008 wrote to memory of 4816	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	90
PID 1008 wrote to memory of 536	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	91
PID 1008 wrote to memory of 536	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	91
PID 1008 wrote to memory of 536	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	91
PID 536 wrote to memory of 3188	536	cmd.exe	93
PID 536 wrote to memory of 3188	536	cmd.exe	93
PID 536 wrote to memory of 3188	536	cmd.exe	93
PID 1008 wrote to memory of 648	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	94
PID 1008 wrote to memory of 648	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	94
PID 1008 wrote to memory of 648	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	94
PID 1008 wrote to memory of 2768	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	98
PID 1008 wrote to memory of 2768	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	98
PID 1008 wrote to memory of 2768	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	98
PID 1008 wrote to memory of 1656	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	97
PID 1008 wrote to memory of 1656	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	97
PID 1008 wrote to memory of 1656	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	97
PID 1008 wrote to memory of 1352	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	96
PID 1008 wrote to memory of 1352	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	96
PID 1008 wrote to memory of 1352	1008	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	96
PID 3188 wrote to memory of 4996	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	102
PID 3188 wrote to memory of 4996	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	102
PID 3188 wrote to memory of 4996	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	102
PID 3188 wrote to memory of 3496	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	105
PID 3188 wrote to memory of 3496	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	105
PID 3188 wrote to memory of 3496	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	105
PID 3188 wrote to memory of 1688	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	104
PID 3188 wrote to memory of 1688	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	104
PID 3188 wrote to memory of 1688	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	104
PID 3188 wrote to memory of 2416	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	106
PID 3188 wrote to memory of 2416	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	106
PID 3188 wrote to memory of 2416	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	106
PID 3188 wrote to memory of 1768	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	107
PID 3188 wrote to memory of 1768	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	107
PID 3188 wrote to memory of 1768	3188	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	107
PID 4996 wrote to memory of 1516	4996	cmd.exe	112
PID 4996 wrote to memory of 1516	4996	cmd.exe	112
PID 4996 wrote to memory of 1516	4996	cmd.exe	112
PID 1516 wrote to memory of 4180	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	113
PID 1516 wrote to memory of 4180	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	113
PID 1516 wrote to memory of 4180	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	113
PID 1516 wrote to memory of 3404	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	115
PID 1516 wrote to memory of 3404	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	115
PID 1516 wrote to memory of 3404	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	115
PID 1516 wrote to memory of 4136	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	116
PID 1516 wrote to memory of 4136	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	116
PID 1516 wrote to memory of 4136	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	116
PID 1516 wrote to memory of 5008	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	119
PID 1516 wrote to memory of 5008	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	119
PID 1516 wrote to memory of 5008	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	119
PID 1516 wrote to memory of 1660	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	117
PID 1516 wrote to memory of 1660	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	117
PID 1516 wrote to memory of 1660	1516	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	117
PID 4180 wrote to memory of 3424	4180	cmd.exe	123
PID 4180 wrote to memory of 3424	4180	cmd.exe	123
PID 4180 wrote to memory of 3424	4180	cmd.exe	123
PID 3424 wrote to memory of 3480	3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	124
PID 3424 wrote to memory of 3480	3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	124
PID 3424 wrote to memory of 3480	3424	2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe	124
PID 1768 wrote to memory of 3596	1768	cmd.exe	126

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\lisQAgAc\sKIckEQQ.exe
  "C:\Users\Admin\lisQAgAc\sKIckEQQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3416
- C:\ProgramData\skckQYYE\WSooAMMc.exe
  "C:\ProgramData\skckQYYE\WSooAMMc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        8⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        10⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        12⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        14⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        16⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        18⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        19⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        20⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        22⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        24⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        26⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        27⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        28⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        30⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        32⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        34⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        35⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        36⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        37⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        38⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        39⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        40⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        41⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        42⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        43⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        44⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        45⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        46⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        47⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        48⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        49⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        50⤵
        
        PID:1484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        51⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        52⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        53⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        54⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        55⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        56⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        58⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        59⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        60⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock
        61⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock"
        62⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqwocsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        62⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEYQIEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        60⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMgUIIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        58⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQowkMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        56⤵
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAQwYkow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        54⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMwgkgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        52⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAwwwwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        50⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWkwwYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        48⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoocIMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        46⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsMwgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        44⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        UAC bypass
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIQkQQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        42⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMcUksgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        40⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMwossMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        38⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSsMwkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        36⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwcIMoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        34⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWcwgIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        32⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMAssoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        30⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQowQMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        28⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkAMcAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        26⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAgwEUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        24⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKoUkkEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        22⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqoooEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        20⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWYIIcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        18⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okwUkMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        16⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIkIIkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        14⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQUUYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        12⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQUckoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        10⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkYskEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:5052
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3404
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoIEAgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
        6⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3128
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoEgkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAQgQMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock.exe""
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4020
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
238KB

MD5
26083429bb84ff29c58528eac366e200

SHA1
773afc8671adb0515f0f5ccb48b2da69c592fc32

SHA256
639dc99f07027ee9a30cf4d4faf9ed14eb258c86ac44a444ecfb20df48df3308

SHA512
02c8083906931b3de29de29d07ef50b69280f4ead7d5695e96b23dae3288df2c64ab1a5dce339007e7e86001ba8b06a9c49b26d3dc361d0e5a97d300cc6b6ed7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
137KB

MD5
1bb35c96cf7006061e001a1fdb6dc066

SHA1
f1e9fe0dbd661b2bc608260392e7c17593e703ba

SHA256
f8cc4b717b2f9bbdf28ee87d2f30170e9d64b24333a3e07d61456ffcdf4e139d

SHA512
f12ab18bc6fbac9d5d468caf48dbacc921c745979808e662b56d0d491294ace2adedff6c748a4b6db0f507d4ba98e3f7d35e28bff00799f6f96070fead95c5a9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

Filesize
110KB

MD5
e403541cdca1f1995c58c4e80204d6f6

SHA1
8a8d0e67df4c9e062aaae5f2eefbfc4e75056d31

SHA256
c58c1d7ce454033d44264426ad979328992d259970b92a713259119e11dfc7a8

SHA512
13292b0518c512e75a09df8a0eea1781c106cbf2269421ea66eed1c59407373398a691a27f543c5dfedebee77be62a46b5804d17744f0173d40b216e11b1ee01

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

Filesize
111KB

MD5
479dc0efd6b44de4797d63dc0655ade9

SHA1
e46e4e36ad3788d8c1675ac79c71972d4fe6dfde

SHA256
6c25e0f7b94983f222a23bcaa0207badfdd532108cca0a2e59417f6a60185c00

SHA512
69fd51cf1c452343bf00cca2a669b95c07e37946bcf65e446148f888a9408bc7e8a9b7f643333e82edf5587accc09d2681a19404a285a92b0a28265ec4496e1a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
699KB

MD5
22ec4ca3c1330c5738fc9ebab020ea39

SHA1
f60a241e254a00a922a28141e879773737894c47

SHA256
91680c067e77e5ee86b602fb9ae6ed469d0730e5a5d8134d8641ac56055545b9

SHA512
992185478c03e4bd8a4484caaee88d57ed6ac2ffb1975b8d7ed7d2045d901bc66a6c44799f13c2ea8c913ad92aa6551bd6d90700017e921912c2ca4642c43938

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
558KB

MD5
e1df45989dc9c8ac0b1455b8f2b9e3b1

SHA1
b566d2ccfafd06e626fd3ae64ca37b491c011772

SHA256
97bbce1f2a2a2b66a24b4e19d585b09d8567e1e09465ab602600c34580a8d88e

SHA512
a77cd01ad856d6930b3d2d6ee5507ed69cca2ffd3509a729c35f8a87b91e7d5cd691e99a6c812d05c3a3f178d38ccdecfac86c8f6e248e637fc2863f78911f97

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
564KB

MD5
ce689d4c443d7e3d35fac1d23ea0442b

SHA1
8c64c86038f349458e34e6365358122f0be7c96c

SHA256
bceaa2b2d547122c136df89208be8e7cfe91bf40fafb30a35dd60546527fddea

SHA512
f480fa66f221b89004ea32a087d7d4fd128bec58af3fccb3e37d882d3a2850b1ded8ba598fadec64db59e56a3be21a2b039aa80abc380afb91e376331947f6ce

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
556KB

MD5
6f3eb22b1d284a69d184f60b8564f284

SHA1
b6b4f136095eb0bfbc9a7c75a8371585096efdfe

SHA256
a9c7156e08109893da4a3d5f5c1ffa5fc7f2ad1b35b13f77666ec63779482721

SHA512
35e9b07684d94fc3b1cb3d8e1cee16f739563243faa5d1d6a6be401bb87ba00c65d33783eb52f669be27242b90c88985d9158269072358b24cf2036517333c27

Download Submit
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

Filesize
720KB

MD5
d49127e0431a71ca94b75f766109372a

SHA1
2b2ea61671317af2599b04546034bb617efcba52

SHA256
eb218f27dcf85de850733ef17e05459ad9e233fa2007af294d2cc924baa08b30

SHA512
832995cb0fcb78bdfa7c998418750b18069f361336eabd52eb54f4b3633993ede572cdda96f1f017522630d0a01a80044157a12ff00855add2228fcfd9aadca3

Download Submit
C:\ProgramData\skckQYYE\WSooAMMc.exe

Filesize
109KB

MD5
7b64cf6358257d14855fd5052c04b109

SHA1
6124516d617cbe1578d5e5222b211617710618b0

SHA256
1d2136548c93af15a7160c6c64d75fd0190d66d992f6d1c5664af17c23c9726e

SHA512
553173884eee9f0f9dc57d8f663149de14ed77495b4d1105b87205c9b9906e197ea40bd81eebf44a4236b0522ddcebfc08fb91de24bb00bcceed8d2367bbbaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
118KB

MD5
833cee0ffc72f85b8d176d854e629048

SHA1
eea2fe3456cd1dd0da74e7e186635309ffc16947

SHA256
90be5538d1a18ffae3b0e4ba3d39e7b332438e4426f5ef3e9aadb3ca6de56f6c

SHA512
50a687e15cbe59ca05cb34d1395b8ddc323b5db81736c3521b0aa96cd6bbae62e6cf93f8970685b52bb57b84ec0d0713eb55499533661f6bd45856395fe5b226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
112KB

MD5
976580b2090663cbba7d0acd528d6d6c

SHA1
20fd5e6be56641401c60afa05863bdff71fd4f41

SHA256
de66997684bc9b643ff089bf2d7fedd032199f6ef04eed14c8c6a8844fc65035

SHA512
e441f9f9d80bdc82c11a2dd4f95eb39a96668e48ebeb7d3616fec923d804652d3b2e443cc3c62e20c11dbe9700920bc6adbff48e77ea184543e3b62414b54d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
119KB

MD5
23670cd235fd3d09dabe7d959f1b02e2

SHA1
a2ede9a9ee511665dd2769f552dcb2a1b5a5e4d1

SHA256
876821faf5335fb15870551f083581ef4b0d858a1a209b8587e6aae80c3958a0

SHA512
9ee6b766dfa66933ac52cd63df440ff41753744d3e5b84654301d150481117b91e3d69e82e0646e8493b8fe3baf5ca643e14a3bad4a7b9c0993c90ba5f0c6d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
117KB

MD5
8109785ce812d20a8469899bcb88a78e

SHA1
7f896ddd9deb90f2646974c18bb8e21246c5d5ff

SHA256
56bbc3e64a5c6ba37f30d21fa7eb649a890e9173c1eedd89c84cb08e704ad6d8

SHA512
dc069e74b01865937d078dc6402c30c9c948c1ea01b931684459ed251459751de093dfb550e920d53c1a1d601d87ef44745b1094e3397d5144a0ac89be950b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
121KB

MD5
680c975459cdacebc49dc236529f2a37

SHA1
aac321eb795dfcd79b509ac16956637c3171a30d

SHA256
750f2a8315905b8a03869d9cd7f3ca0eb9ab64101ee8107ca42a692be3ae0a21

SHA512
7f3cea478befc192e98986b97e8728d995e5f5e282ce9da94cd1b6505be11234d3ffdda9ddcc70d9694d1f81542fc7976927fc430bd1d004891d2aafd6255900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
114KB

MD5
db73e127bd177e313abdc294dabe97c5

SHA1
85cdaad3c6349c637ea555a77e640ee5843b5213

SHA256
1011df5da2f81e0c54e412bc4e635f42d5f4c45cfce57557c645c7d4f5c14857

SHA512
9b34845decf54477b4f664158a5f80f3e78a1f9da8562db5c0fd14ae0aebdd9d5924ca0307ec91e7a84ac8090dc23ec251b98ee7f7c1879256cb617e349a6f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
119KB

MD5
789c68c1a34647853e8631a130d9780b

SHA1
4b8fcbb2c087551b9703500b260c354d84e56aac

SHA256
4e91d02436a634d0b6424ad0c6659ba4e0ed8c9bcc9e6378cd7f135147ec29e7

SHA512
bd9f2ebf889613f86662a45d00b8ebe23fd60f12572c1cd028a32aab6e5b9c2daff48665ebb85c68592af5d175b2a1d70a0824bc49ad4d80ce82517c2a8b004a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
121KB

MD5
5abfaa4a7d5ac679e425381920975972

SHA1
d10ed02c2912d30b950fff93c496c674958491a1

SHA256
9c066e6abd84dde76bfd1d1566ace5b78a3fa542c9a27f0a9ee45c5b273accbc

SHA512
70a4bd8e464dcb4b1b4a67721076bed5a33dfc01e6277a702a86abf5aed21ec2345dc7013d38837c8d98cb1002610e06a9aa0c2f13bb737fb312858585626b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
118KB

MD5
f6544938ce9428a893cceaf67c5e4a9c

SHA1
5ee787538ebd940ad951a4afddd6563b7143baa8

SHA256
f4896f8867f2c391f053869ca0f53aae6c2805677852a9b41ec48bd5d9243b11

SHA512
bc3d041d1d1ce86d92591b8a9f5f029295c0c5439748d4e69a83c14300b62cfd046b669c4d82f11bbf82f72d02c7ea8e3946a8d3fe4a33acef320769714e93b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
348KB

MD5
3c8eafef254bc7f3bdc9b56483cc3d55

SHA1
2a8ab840f6771b9f39b2fd032f966f898da87657

SHA256
c80fc671ddcc01b3174fd076f15943c6c8ef02b61a1d03155d3463665adff242

SHA512
3c2bb7ea8286e9f32f8b1378ad373e7df43d5a57db46a86a6a67ca84983a5b50b5908e4b4b5dc9327bdf087ed190f88127f7a671ab0a1281833a1a6718eb7ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
113KB

MD5
59056e2ff232c78f9c409dea8ed98b4c

SHA1
46123df6129320596e9cde3c400272185dd09cad

SHA256
c2ea2bb44ac3fb88c482d694902acf1d8ed69ecf0b052fe975160e739939f9c7

SHA512
7771b98a05cdf7d4d1e38e6e2a7d4dbc539d2db11852c2159a188735f84351269a57465bf70fbb9c641b2e1acbbf189c1616bf2ab3df0055a802ae7354b13f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

Filesize
110KB

MD5
f447fd5b5248b7427292242238c03b86

SHA1
3ab887810970f11539edeccfeb7b654cde7ff262

SHA256
d129f7537f278dad3b6d5d001a8f99431c6edbd9b4658c998ba0263108a0086e

SHA512
50b552ce9efbf1450997ca5e93696c2b68709a1de0eb2e19d019b3233ce7de7897aacc7c322aad72911ec6af899e19ee9962261c75332d45a3c7fdc6999b04f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

Filesize
112KB

MD5
aebfaf211c60d568855ff98c430c8445

SHA1
d31fc5350783b808ea0f416f3e9fb6127042bef1

SHA256
dd9d752f0bbfe87c9ae43e9bfc31cbca3382e0dd2e9524b0006389f3bfdbaf80

SHA512
7d2712fe7044161120dc759afd3eb78e50413b54296430183ca6727c5406a53e00f61158348a5ab3b249f122bec9c5d328033dcf4bc3e1c4557dde70b9155669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
111KB

MD5
ff4a0f8bf99585aa683fb4348e2f3ace

SHA1
9db1d5341b89363bcb6ca372d55142eedc8a6ce9

SHA256
b1226ebd779520a75f9bf3f10979effd3ff4714082350ed69d12f07f23abf23f

SHA512
e5752e7413427512f4309135875dce15a0897f48d331fe4f58818b818bdca2a2a6ac83bcf11c5eb6f2c3d945495c174b0af303a91bae6c6b5d1baf3f3052f8eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
115KB

MD5
2a067c9bfd2fa0ea86ad811bf0346276

SHA1
cc8dd099a26ada1025b0f39d015fbcd00fad93f0

SHA256
4e8f2f2d4ea665e131fdb3e1419ebe847f1505e24fee10a7217edde0fa2dc4c8

SHA512
74d64d277edf3f39ad220aec9970e2e403d63e5074253e40571246d836ddbcfa1a14ac72dd65e2d68c2d5a1d0566cb9b970350f9efd61f95c4d6e0afd64ad438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

Filesize
111KB

MD5
c7e5cc4f143c9f6f7d967af90d1e1c2a

SHA1
d6658a39c66e0102431f6f0fac7f19a4b2ead08a

SHA256
f0d78cffc591b1f90a55b19dbd607b6e7bcc660b999a60f0f06d28569a324a3f

SHA512
27ce35f08c4c025187bbe26f3f0c16369e2be36855bf660bdc9f00c0a5aea3ed5ff127ba2284c5662ddf1e81b95d595328ffb41e98a8bfc90435e02818ee2849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
111KB

MD5
b86151e06f8be74cf44b0d54500292fe

SHA1
ffb741b13d33f6d3d83e83c7a947cb4e1e10e0af

SHA256
bd084b753b8172af7a01d59d7ce56fcda8c8b10e632813b15fe1b639002ae250

SHA512
658c0144ec2d391d8c96f80bb9e97338d776f2aa21db38888903600a22753f156332f55707e60a5fcbc064b160e64d0489d379254bc4ddffb335925397c7a505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
0bff56ea82d718d6807d23da39b299cf

SHA1
c26bf4321e80652621f41352a1dc1bada80bc379

SHA256
32490385c4c4230b91e9020d9e86e13030a019047b91eea9f547e03922a63193

SHA512
302939210cb42b46659c5a4975d2f20c685eccbedbe452a8889b2fcd6617b86db64806bfbd4ed539e1bac4b4bddcdc8ce2f138631e409c4d6435965c83b9b392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

Filesize
109KB

MD5
f37027abc30d9717cdc7663b11da67be

SHA1
8dbda48f078461fd116787944901d47b7b56137a

SHA256
3920644b724e5be41816872d4a6881e3b387f62140226fad2d3a6bcb10e47252

SHA512
3e5988bd79ab105d6486e6c5c41094a053d4fadf4359c54a673f0b4fa988794c165529c9211bce3677429fc6d5beae512a2f24affadf4757c16ec3e7b7922580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
111KB

MD5
71dbeca0af5a977bfa394400b54a3773

SHA1
81fa724293ac51f0ecce7988f59a3c475c1db94c

SHA256
8e6150f958306e8b5ff4ae91b19bcdc879ae6e958e2c552cee593328dc8c9474

SHA512
b9c5166419d31ec711f33ab2c6e90a9193eaec4b7dbdaad7e3208f33721aeeb5a359787ee17181301b25394c25a6b14dd4c9cf206cf105b7945710559174d1b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
112KB

MD5
9f6770c1a3952cf54257b2c83acbeaff

SHA1
3300ac16b3c279dfe55c171542bddc5a2da76a4a

SHA256
0d8f0dc6fc64cdb0debb1ef1f8a08c8091115e8f181db87cca60a643c5d5d61b

SHA512
3b484bfa45571f0f04dd5506fd04c11c0fd996b966417630ccb7359b27a630ae3aa111eb8eeca7a56091cc6e7b9c995b70d635607b27a2ae1c611361494f3a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

Filesize
110KB

MD5
cd0b895cdce066afbbf1b3f15075ac15

SHA1
a2d05567588ef2524a2013eb026aa95dad9582dc

SHA256
5226af71d5e2283138089c7a5a4643037db35b21f995c4f926c22c7a54ed55df

SHA512
b3f3a868b0675e26f204e82ec3a321990af49a928feb029fd40a0967fa5ddb899b5f110019c20f7e043d2c02cab8c88dd63996de2e75ff3a1af013e515c99fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
111KB

MD5
2b3feb6a3a899183695634d233fbf97c

SHA1
9c207495e6dd837b7ad7d501aee83f4f185c7b18

SHA256
68d82cad3ae15f83d98086a394cc074b6ae4fb5f65571ddb50fdb62f20b338b5

SHA512
4cd67b99090b8264afe3269bb3f21fc2fd57a3ffc4419974dfc82775c9c24376b2652a71fb6c772c612d5c802f9b3006166bf4c8a0fde022e1a6ca387fab0044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

Filesize
109KB

MD5
ee65ed353bed82718dd9865f58a26e0c

SHA1
424c3095fbcf67d4e5c8525d6aad8fa7e28e6507

SHA256
f2c88878839c5b854e585f691a21e26336c4e084254aa53490be590ddd7e5400

SHA512
8c84380566717fc2604a5640dcb18ae5933fbe9e0b3b964f86a3a4abe73d5ca14df580f63b8674b10119aa714561329ee664b71dd0679ea3fe3f5c08f2a58221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
112KB

MD5
1fe581bcb078868f559dc2050443edb2

SHA1
8119b9b5a32319db62ba05e0471b7856e38eddaa

SHA256
abdb0785c42f9587341e6d47c84a5458130dc5ee7a7927ec0d585281666afc91

SHA512
4ff5d09bbc1b3040ab4ba34639aae32f2ed2732a1f737d9e2075fe93c3725eb50f0a838072db7c9f1bd199d06c9fe79ddc255ff6b3eaee70b564fac3432777e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
113KB

MD5
422c0079a79a35a7330898f744b87fbf

SHA1
2e9d183d8d43091bfd4ca8e3f7823c349adc314a

SHA256
22a80e4f9fca09810f281218de226d60ffa369f35e60adfb1df5fb761e617497

SHA512
20ca71702df569b14b286ce2c61b446d3dfd9a5e85c2081e332e0f5725e7296909a056de0f29bd8218c3fb2b1a2072c2ac3ad2e986abe4ba949afd5564d7a458

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
110KB

MD5
3815ecb31dbd8ec7952c39fad8c5a0b7

SHA1
486aabe3b5d353bf3f1f52a11f4a60e38a1de1a3

SHA256
ae45442e515200ac72fb2972582a6030671a685a06f72f61775eeec03802918d

SHA512
d85b784ce36de54cdbe8d400c3f4be81f6f20aba9df4c4610b432870811e903137a2de2be2babb929af82841a386d7a4d32a9cd61f69ddb155f22096b218b058

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
112KB

MD5
293fc663431c3e7a100769686175d903

SHA1
46afd983224a149f688cb61649be0abd035b8be2

SHA256
c7a82eed30ae086d2ce0ec4f8e2dea2b51608b4b3b1a21cf8e1367a7158837ad

SHA512
61e310e6e62377d162784314da177a913dc623f763dc48f725ec68a42fb202fd51b027db805ebffee3aa893e2f998eb58490a241946e835bfe48cd77e449c36d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
112KB

MD5
bb36cf308b84ac41c43f57173e29b92c

SHA1
cccba605b759340e1501e7e5109ca86a543b6dc9

SHA256
28481815217eef395f2bc267ec13f821dbd822b6ae1ca83ac9becc3e9688cc86

SHA512
e4245fd3b39198a7f1c6b042694022ba57b3f3582f44f2d84b80888652e0c3ffab6556c02190e504c01fdcefd3322793598f4c949f68a34b94ae6f5ffc3259fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
112KB

MD5
88bce8e4cb035015da0e6849e3307f49

SHA1
2f237e1ad9d54ca342ddc86d05a67f2c43566563

SHA256
a7fd2d12b9b4d719ff15eda8207ef1c02607978463e46b91d6884595e1c3aa0a

SHA512
309081f1917d6969852e98dfced2dcbc61783215cc47166b134351efe0c0e062e1c2ddc47c7f3688f524c29a137c844d2073fc403c8a400fd001ec8a4d1bf938

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.exe

Filesize
111KB

MD5
d0255700b67e3e918df8680ee5f41da7

SHA1
364df4a8647af21fa62ca1af95e3edb6fcc36665

SHA256
3d9de8a84e127aca039aa2696920019563ccb275df42cff3b55257a0d854c808

SHA512
a25482f2e02dd56178ee4a909269b45f4b0ada788fd8ff76f63d2e3faf644b071341d1aa84861e707fe785ac5a4c29598dba441455aa810cff4aeadf4ff52739

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-22_01158263bbd9b49b1c1621ea2bb4ef2e_virlock

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQkg.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAY.exe

Filesize
378KB

MD5
300166c261959a0d308c64cbfba296ab

SHA1
0fcbb984c72aba4f76ee1bac44fa24e7acc27951

SHA256
f06fc6387d81dacc8e69a26c2494a8d984aed4581a903e9c6b484958c9405b88

SHA512
fbcd30e062c0300232c07d4e41b29036600e5a0ffe34ca1b2fc5a0f3719e7a4dee3c69915aca83a87be76f6051ba07f2970f3b1917273354c2e0a3f8740bc648

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMUO.exe

Filesize
123KB

MD5
0fb5336ff8d4662e319c28804af0cf16

SHA1
081a7525e434837829533587735631e18e8e01b4

SHA256
ee6d7d2a329f9a3c8684437ff6b4291d0a939e271b3541d0518ab7c0616659d8

SHA512
37e55458d5fc6798958667f816eaea67b53a828b9f062b6e6d6d5661638dce8009a3792148e7ce5621f57b90236b2fa49dbc0e4fe0410f12d578d8bd294500ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgkw.exe

Filesize
152KB

MD5
0a6820e4c152626640ec0cbd28764cba

SHA1
c9d67f052718f9d028ed983a0b4cf10ff5d39b0b

SHA256
bac33505572232f852367a0da67323f26105e5d941c2c8a1f5fbfce2e701912e

SHA512
6b5787e31f92fc4ecbaf1fd282707b53a5f0d17e52106c2453d89a06fd79f4ae20edeffcb4c395555b6f25663271d9d05f05a5c8e0f2c82eb9e7baea4289171a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIq.exe

Filesize
1.7MB

MD5
29d803d45cb1df1a4c1d91873a5e1365

SHA1
4b5ba038033def89f7b0ff0414f6cb24e3403293

SHA256
6f2fe98afb7065034098c77b34d151068fffbe67c9c8af658f423be505d4fc8c

SHA512
8c6d7c65a5cab3dbde8b089f41b9b4653eec3166f3d9f87a2fb886b853a673416e269bc336d72684e4a0b173d20006ff7e671803aa60d20f2d6e05ba89efccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAQa.exe

Filesize
115KB

MD5
792d0873f4d8b37a63e956d2857cd1ab

SHA1
c04a70246558ed68ab2fbdf8914e9d5493d5d0ad

SHA256
541a283a66b72a96efda1748e6ff4e55f29dcb8ba42675c50e9034e6e221cae2

SHA512
ab5333f670f23f41b04fb1746d69e3b77f38f16b0470740ce3d4f3b79673f75f90a062a225b12d8e567e989aea724ce46f3385e0be56295aea1a62be79e39001

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcAg.exe

Filesize
117KB

MD5
018464ae3bb2e71dfa759638ec33b6fd

SHA1
bbb40d1a87f0e6a60f981e6b55c18d18c0a9842c

SHA256
3900c3cdd86b88b78d1f88cdc2806cc014af2c13dff0ee58feac56e2f68d6697

SHA512
07569d8a66213208578efa6fa9ee6a73721525d73c15e6602a5a39cae0ad46a686b63e4d0b5607ab9867dd45d85b410d8255fc574fae714fb420701f6cc67882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egci.exe

Filesize
721KB

MD5
b49c4bc545f6b05abd0db4a40d8055e5

SHA1
24c61b801930804724a9f1c72b63eb031cc8046a

SHA256
c90d8922d9b73ad5f2fdca486908b340ddc77f080d9e6d058118ebdc11ee1855

SHA512
d1a1acb59a81309bac1776ced4fa07d1547e1a433cb5fa744e0157ad0f7e809f6da1bd7614b4159469dc6e3972ebe73d91c1cd6a1bfafc68992c6039fcfcf9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAQgQMQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQUs.exe

Filesize
115KB

MD5
e46f46642c88f1bc2f27ad857294276d

SHA1
9f9795d6d4762bbc0b99852844e50df00e070944

SHA256
0309c62e9ccb9950809117d1bf6f4cb80558a4863c3280a5126963240cad9061

SHA512
078e4e0123c9629a5daaf2b6699b8b96388511a198b3baca513cc6c9866e24248f9469acb1a52c086a4e426aeb42fc0c2835ab99f258344a6ed3d6439bc985c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYYG.exe

Filesize
116KB

MD5
8a8d65e867c683e115f9273b4819d105

SHA1
ea219894c18bde103cdeb3008e249b2e16b79dd9

SHA256
5baaeeacfd936722e209b45dd6a58284a7e65493a577988d9cd32d7aec02ac6b

SHA512
d6352cecee2c33c5da967caf8cdbb70f2b81dfff10d8a3079d0cdcc5895588f505878242159884bd47e6727e9237b053a3943cdbe944a122fba0a04862777593

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hcso.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEg.exe

Filesize
566KB

MD5
e6cd3aa88dd985114cf4901df689d85d

SHA1
b57a4e29abde0d4c83a02c9e80a54ab6ffcc8408

SHA256
d5cea6a1fc092e13920476d572bf0cf17bb7f990c18ebab296719ecc941a8b33

SHA512
daf8e847e1caee1c6d01347fed0101fac764cf69c49b3f10ff05de21f3062ec92653cae747a945bbf70ab2e97882913af63c4ca3ee79ad5ce0d2420322e4a8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkoU.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMcq.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwwU.exe

Filesize
120KB

MD5
71fd3ad6bdcf51758af3936ef158569d

SHA1
02f1c04ae93fdfc790d03d725a61cddb42b5cbb6

SHA256
fa3acf9fe701762d888c43faefdde4373063de2b472eaea181db0a676cabcfe6

SHA512
76deb8bf6cf9963de3c4c70803ec155ca2d95dfe099a718b81b7936982b6412056e01d361f095ee29a2792e6fc53de86c4e3e4c0e229668fef4d87527568674c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoQw.exe

Filesize
114KB

MD5
d7fff8c9675be191b7f91de4a8b03021

SHA1
f757fa9bb4672b9640abb49998fd9e1eea64993e

SHA256
cf92328a59f294b4b82ecfe8ac15af5f870c8a21b4ef177ab00dfa3ff062539b

SHA512
a10e092d09f380827d46be0d2e375d1712bc84e5e9e3bf7cebd9eec6043f799bc1b40f7da1884ad80484ce93344da6b10d4d6ac5ac86bd5bf716ff1c03a479eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQQA.exe

Filesize
150KB

MD5
3cabdf24631d4e364c1177618731b18b

SHA1
6687691c6dbf06db2d2233a5643dd7fa6e0b7650

SHA256
abac87746057dc35c860f21958ff785cee78501c1c2d0894fdb3bc3bcaf09ee3

SHA512
ac8106c3b72cf17a99b60af71f28fe883a29f8082c4026cb932b912e21744f640cac1f466b39d93037ef74795a2e979d73df29748390af19ba87018d486ec433

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQgI.exe

Filesize
118KB

MD5
56e5f3ba648a74997ff11467cc0d17ef

SHA1
5d33fbafe4bcacab4640b77b198a6732c6c35346

SHA256
dabbc622bb6c240650ae2783c641bf62c839848bdd5b9e69244894d506b0e6d1

SHA512
c261cc9ffd7be7c0bca17337a6757bab9dd5a626ee9983caf0b599b909ee24273c4717f09cff48a9f743ba84c9a8fb72ee366eb49eb17fff3f83daa2f28a0518

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkoI.exe

Filesize
5.8MB

MD5
6244bd92356e33505fa0f0485481b757

SHA1
9019a00c17227cf28323f471bc9ca98bc2259349

SHA256
9c0b89b78be35b2135fc326fe0c76ccca62984e362c08a99fc6faa2edd6674c4

SHA512
1785d1e8f9119a1c9541ca65b461fbcf6620ee1ff8dd8ca5a8303157e86f4a39f5bfcff2107f61fbdb7f76fc3b0e7446e20e042546ff3dd7c4f60214d6256ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMsa.exe

Filesize
114KB

MD5
6539cfd1f4d3d6e039a5bb2e92e1cf44

SHA1
bf86e60738f3dbe7b5b8dd48536ccb406dfad1ea

SHA256
73c8b5ecc42c274b1897d6dc105263eb58a29804fccf3cb19787cb881fcedc44

SHA512
e054041d18c1b5848c78a85e26f3aa944e197f7ffa1a15cad9a47d4056397bdd99e479025b67764fc07d3e3beda3da474f6307b22762239cc66a41b0f60facf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pocg.exe

Filesize
125KB

MD5
203e7058acaf3b3284d2e73b3d1de3d4

SHA1
39bffd6da11b7291e8afb7ca5dd19df7b3919cb7

SHA256
91910527c6e92a89c8c2859b62467d1e8f1fb39e2ed7c1aad7a04eefc17fa8d7

SHA512
00fe12abcf83105074d15c3760bde5e0e66eeb3c3baea22c294c7d30d6096f8df15b8c4f2ac60fa73726d4eeccf550f9b7c04dfaf567a87457ed2edd0e0b476d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQIm.exe

Filesize
565KB

MD5
9929c341fd252593bfe6cf0572775649

SHA1
83f76d4cbe76fbfd6fab8d0506e114cbd5d6a919

SHA256
0f136d1acc29f90208990a76563da9b0cb9e294fd8e936ae6596cd1c12a0d75b

SHA512
34d3fcb54efdac51a0fc3f25ae99696123c63bb5acbecca92878195c5578013d686c85f4fb90921b6b09f956123d52950baef6781531d68f72cc1427937f2cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYoq.exe

Filesize
157KB

MD5
5c739ce5ac5a1af9e680530913952b03

SHA1
1d1572abe8bfb32de2c71cfce6e77af3bf9b5a7a

SHA256
62074a722e04d44d9236ebc3cc9f7dc8fd29357d687ee6d661735334f0d043c1

SHA512
5837792c920e3b656e69ef2d89e2733dbb5813bf8c2fcb278f0b40f1c048bc7bbfe0b671ff4f488fbaf7008608ed791c4c27a413c080376121cf8233886134e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAwk.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUEy.exe

Filesize
1.1MB

MD5
6b3fb40b8e4e1cc4c2c6ec5a61071a5a

SHA1
798dc1003ab9eac6ed073f35fb82d8dcb5cef1be

SHA256
1c48f0bdd1691b698cbf4f46cfa2891ddac31738b7533157f1ec95cd7c0b1bef

SHA512
ec91151438fa8e9df8db9ecb604c0e7459a29f6afedf4de6407b322c01116d94313fe3b30d2c93a3060b1a0152b4518543b5c44f35f1c59ca973e546a50824e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAMA.exe

Filesize
142KB

MD5
9c54a60619987b8f49cba55b6c6c85f1

SHA1
6528a93204b7d36080f246aa9869b08ad4517645

SHA256
6a79f8e0b6e7321ddabb88798ae8b953929df8c5ef2e06191af9d59257f924e0

SHA512
6cdb0770f43a749c92647f0fdb899eb0bed8c353fa02bab6d821688524492933c4fd1145ad422d6401e4617ec7c80877bbb33d714763c615203bcd695801d651

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoMI.exe

Filesize
111KB

MD5
011200bb0f9a93d8120ee1b5e94f13ce

SHA1
1c27095f016dd194962014f18d1a47c6b6ebe356

SHA256
c9f133fa4305f1d205601cefa4825ca7a614be4f26e4e18f691acf8e1e420f7c

SHA512
db5c6b530da53a99a0ec11ea3b089bf722259715b56d09f2564df4d9314e8c6bbb63ab1ebc614b4242dc7349c565f9a414f82437fe393669b4c467d9e7f67e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEMW.exe

Filesize
144KB

MD5
ec9f9921d9f9130b59efb2957618cbce

SHA1
bf0f0d9ce40f570621485f436e83961a3b7dcb14

SHA256
2592f29d6ff16505c88c6e25004d4bba7c7250774b88c56e8ad6f13d05b4b10f

SHA512
f90ade915bd232b6a33ebe53478dc28ec6a0cb33fde19514f9328d10b763beb58944921fb1ca1461a92e48adef8c926b7a47a03d6b8f7ac20430fd03e3dbb8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQcU.exe

Filesize
116KB

MD5
238477b86ee5f3226bab6e8af4f558b8

SHA1
3ed503013eadb3ca3cef7bfbb6105d8637592055

SHA256
d447ef7bdd2c9c11dd53dd003ede8b1e89641fea2a6ab9a73446e4f46115b7f4

SHA512
8b82831fb495d7c3036f2a6126f540b3af9c584038c64f0db258b3497e8ee3f687725620eaf6b741df66ea5d3eea883113596fc5e2371f7d2b344fc520000b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgU.exe

Filesize
139KB

MD5
f8d381e1b8c2a7ad5761af57c12cfc1f

SHA1
f3e3574291ee9100acab0a573ad87f3d17793b7c

SHA256
d963eaa9cf5d20ca61138c9ddb82c67c5773575c02886b02875eacfecaf0edab

SHA512
128bb80e4f5b37af82d95f3226218d37470987989a64c04904380c2d83412e773386c5f39068a286065206990830224096c217704a21d7957bcf2990d6e27f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIwC.exe

Filesize
115KB

MD5
5e9ee693253c74d799fad174c57a677f

SHA1
74f60eb9d898b949d96b375b744ee2edbed70f68

SHA256
2ea75d499c0fb2058ee37c0f6eb7a35eb0ec54985a4117ac3f430479b07e6648

SHA512
2771c86923862743e76c3ea894dd18fc2a1e4992b7ec9c9976bac0e35c5fa0e0fdbb8837477aede1053271fbc31cfb6990a756547280a1cabcccd00d599745f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMUc.exe

Filesize
745KB

MD5
4dfbe37b2d5315d970261b6de3427db0

SHA1
1831897e8162eeb192e0b3c7bbdfb8fe8a9a4d6b

SHA256
21e01776ef3208ce6e17e066f536ed5185d156b244e2f9fd9cd922ab02028855

SHA512
ef7cb5d0c74f9c45cb7222c25829b210ff6322f8d15ae15282a50aff3e0d73f789b651268e89126c536263c73ff94ae87a214fbba689e3cd91b4543c082a1c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUkK.exe

Filesize
127KB

MD5
65ce0594d6530c5c5cb6cb94615f9d0c

SHA1
7c6d223aa92eb06845d0abaa72263614564ff634

SHA256
985576eeed35535a7be03b8320ca0c9460aa705bbb6106f143f0fd2c93c13f03

SHA512
295c048bc21160d6d1d8cc7bec72fc19f1b8cde7b88c46e3c82a02d93d8886af3669d7d3ed70de53d2f7ee9fe774a8c312dde08d537b0a73801e72b410664c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\dokC.exe

Filesize
117KB

MD5
b82b3d50c2e12532d1b02bbc827860de

SHA1
bfff00fb66d11fe54ea5340a89b1db3930238bbf

SHA256
05837a65f16099234e4bdbd223422ba409efa5a8c56c96c94019874c829ea669

SHA512
adade513bcf7e08136b7bd822d5a8ff952589944cc38e8472d0c52ea7f455bfa552d34e0c912a0763921c7c94b7c520750694eba251b4ed70aef2f0338d206d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsAs.exe

Filesize
117KB

MD5
6506248d1809ad32a38278c2e373d449

SHA1
aacc446842f9cbc8d0729cd7eb9b7ea67452589a

SHA256
a86db668a2bfbd3b567acb17f2615e0b3058f5c71369e7c2606344919b78cb2b

SHA512
6b11917a98daeb06110e2f087d12a5917faddff3c11816fe219785616473d70aec51a825dcda4186a4605b02e028c78dbbfa98f923fea698262a235c6b5a6594

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIa.exe

Filesize
488KB

MD5
5b744be1990c1a649a4fc627d408e383

SHA1
65e3c1c14a2a7280d7766381fa2b1d9526b200f5

SHA256
8dfaebf639c0e8323a8eef0feaa2d1009d097c3f8c5e208056d9065632e86502

SHA512
fa7366f50534ae4d53e1c8d4df2935f0b77c3a9f547f558c3d2d644026eab45838d95ff687afc09572375a1eb32d93011c1b0c450923907fcc021016c651aae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUIs.exe

Filesize
1.3MB

MD5
160dd2429935f29c1e0fdeb159d51b8c

SHA1
854000104aa892a0585af0fce4297fd29323e960

SHA256
cd8cf19f1577530e98edd2f23519ec8bf31f7521fe36b044dca62c4edf6de4b2

SHA512
069cfa6a255bf68698241d9f3d82b9ae3e1d2db57a2ac19b8a1698c3d213dcdd182ebb03e68940fde89d274aa6dabbd38958bb3e66f518f7643bfe13279da8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYAO.exe

Filesize
148KB

MD5
1019bef916aed0304878999d3040f372

SHA1
999022d86f39d84794032b5e8b8558994957c333

SHA256
8695109587edbb2ce45bf99499ad5550e124724c32f932d6811784f688942e2a

SHA512
17eee05964883372b176468f88887e9d3fea380e3477eabe903a0576f70784874d9d3c9ab354df0bc5c562944bd631afd94fbc7456687b67515fdbca24c54d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkAg.exe

Filesize
114KB

MD5
aa014f1d272988b3fb36fde495bbe84b

SHA1
2d7566b5e96d67f8715600784173a91e5b16cc29

SHA256
ef291bc84b6b823212b928e82ece6b3db3123ac42f2a1b37655790f5b0f29195

SHA512
e1ec08ffbe65ec428605cbb888390b90afb9b3b8b362292047d1a919991169d0e6f4da9d80f220fc5743010d9eaab41e0f7be5d6991da1cbe4856b5b703528ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAko.exe

Filesize
116KB

MD5
1b977eb19b49e1f6b4358a75fff85a63

SHA1
0de5b6c83ebac3b57ecd45c4edfd135ca0836520

SHA256
6c7396d10e87ebfad114b2d7d8c64382dcd057d15de6085ca23fe88422a55dbd

SHA512
ea4df328018743eb720fdb6ba6ace31fbd5596233e822cebc900ab41e3df4af60bd65c3cbc7692159edcb3f913844c772b21ae6db43eafd6d55239bec4624251

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAoQ.exe

Filesize
237KB

MD5
62b876710189c3b0c7da5ba2b25ec612

SHA1
7bf0cfb36996e1f4710c81243425fb4868d689b3

SHA256
ebae70c16332bd31ec4d38897bd381fd121db2d403c2a34502d8c955819c85c8

SHA512
ed50b6a50dcd4c9cfd5a27d74f556dc6c15c851731c7d006a534b52259b382536ed570c50d24dd3b204892ac08fb525f0f4efddaac99d708fdde82490ca9f879

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIgs.exe

Filesize
5.2MB

MD5
6220b7892828719f9a5192ef9e0a040f

SHA1
89f71b9b64deaae2132cf1635a304d92e41b34c2

SHA256
dc3d9f11dfff4bc575f60c15ebb3604e8e3b6df456644450bc92e89eb2a3f4ea

SHA512
3f36cfe62743a61aadcd6bf10974239f6aef0f331587d2cc0dce721d24e7666e28da5e123d9b09e5c996069a6d75778328817b1ca3a82bfbee50f6b04b418d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYoq.exe

Filesize
118KB

MD5
3dcc97e9076591e750e674800b08cc46

SHA1
353e1ff02fd9ec334ae87edd5fe30db9d0149235

SHA256
18ab9e5c69b2b6d1e5762c4a38d54080a21190eaed8f5cbd70ed5a4a52d9e6a8

SHA512
b8cc41cc709436a4e7b2df883cb3f4b51086c2bf8c8e0c58c2cf9385a226cc480ec362c6603df5c22709047777610f6c434720746048a8f84608646d48a9d1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAYY.exe

Filesize
116KB

MD5
b06b5fed46784614363c9aba4749516a

SHA1
0286d406a3aca6793ffdd8ec8d70b919c46f1d99

SHA256
591a69891648124032bd190827dad3299d2abcc98391be8df819111f34116092

SHA512
9175af0a08289612d139cb9ce320163c293eed4c240cba9fce7999fd2fcc10b7d9d91290b6e20a44cc377a03b144f338ca95be3c868f0ee0e9e55a3699b50bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQok.exe

Filesize
746KB

MD5
b8bc90053a1662c47831fc78681b0fce

SHA1
f8328c9e8a9873070d3db9005a0542d2b0180f44

SHA256
4479ecdebd43302607edfc1f28ec17da7cf8f14b21e5cc9100fb8082af75decd

SHA512
63e1ff9073fa407abf25ade5b4b270971933656c4c42a12fd3269849b50346ead777ab671e3c204eed7beceb833a7fbcd20a37d3218693fb209e7cdb4bc61da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jogI.exe

Filesize
110KB

MD5
93b318e4dfa25f2e13fdb29bd12f83ba

SHA1
cb819dff6fb97f0f2fa40e23da3b7768e4abf2b7

SHA256
3c1581b28a7b002cefe51c975407b964943b159fd20889174b90c5b10563faeb

SHA512
40f5ea57306f54dc1f8b68c94d5c0684c0206ffa4f661be9417d08917f128407daa769945c79e3b48aaf3bcf568260f58d5fee4417edc1f6d60e81bb021de60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwMO.exe

Filesize
439KB

MD5
f2286111c2c49c96959335324cb937a0

SHA1
78ff206c5bb4d4948011b07ac59a27dc4b8a78f1

SHA256
a1ac62395c35072d8d05f370a3f6799dff5a281b8d481b396de3d04a4f008890

SHA512
6be09d3f09cf6338b55f2f53daf37e60b015dcf765b5dec203363a2b3e9436439a58ec2f473d36f9d046a7c39746555971bc88c220df0533391cc9ff60869be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEcE.exe

Filesize
117KB

MD5
2eb7950f063d5a3a8531ee3422e042c5

SHA1
f811e84d763f931b009051bc2eca182049f124fc

SHA256
1d3d0d40326e199763eb50e8e45c4232b4e3a4de43a106dd16b5ee58f7fc5ce3

SHA512
1f84080dc42201f0485e8eb7ff914e8d0117340028c6fe09045062cc19ee3099145aa4b3effd6a17fe181225d79fc07e6766858fbba6e930c8b2ad5fb2fb5602

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIg.exe

Filesize
617KB

MD5
3e4125c89c378a413e77bd6b93d63fb6

SHA1
25825ae2820cca18b61ef50ca7a844d0f2b6ec3c

SHA256
eeb605023610138c3140f12bdf5aed3b4a8f5cd3927067b3d46454b30eb7a927

SHA512
1c39435f6e5f8c697055b71a8202004d47ba648137393dfab7dc8ebae283eaeda50f9f14202d8ce519dd6c0d45d79fb660ebbf8efa332675e647e0fa0e0715a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsEO.exe

Filesize
324KB

MD5
0ad96088552a362134dea334e96b259b

SHA1
ef10fdfed1d9a505d34a16a433b38e1c95a19dc4

SHA256
ac180c40c5aa187c4d9a3032b0df53308b3fe40bb2293cf6df8a54c13ba0cb20

SHA512
8b8adcaa119cbe68a6c1c4ef8a0f518e9df22c2314b318615070d480310a8f676fd181cdb474a29f67a532f8eb54741683154057249c902559fe41107be78d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIIG.exe

Filesize
5.8MB

MD5
a1baa62667800d435a97f69b067b7902

SHA1
69864e4283526d3fff31fdd9bfdc62276fecf602

SHA256
614c9a7edd04314d41a622c976656cfba8e47d474e7943eeed09388fbdcf6c1f

SHA512
4c0222cbe5e1133934c1e81722dab6594aa3ef98ea019424a2012a78997864ed1d9bfbdcad64f2e7e5613ea4f6bafd14a55de1e0c58ab2b7a74088a8190acb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQk.exe

Filesize
122KB

MD5
8fa572a804e9e69fa0d1e80b2dd9d544

SHA1
4a42c779feb255cbe67bf554cce2ab07dfde3ca7

SHA256
82fbe59e877ea6ac8f60a92f98cecf0e5c245ed4cfe34b915c03a2b0e23a6c99

SHA512
132797e25c7a5605d23640f4a3e27adf3d88e288bf52690c88182c56e0f498a860658f39814f4087ae03b25271434a5db9641388cdcf1baa384f3262f1fafe4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEAi.exe

Filesize
114KB

MD5
5f8a8f4babd017ad96d3b6a18dda4a1b

SHA1
39e5cefd13a64763e8855b615d1b88ae3b35a81a

SHA256
79fc516306b0efb7b60edef0c10a3f6e5869ecaaba0c96ca8fa4b1ea4329ab8f

SHA512
237a364e8d496cae20fa60b3c43670f7f653177b9a5d60043e8100e299e336429fb745c13ce23a00372be99257910866904546986223f73bc78d9fb17356c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMUy.exe

Filesize
115KB

MD5
c30788620354c9e67202ec8e843052a3

SHA1
687c46ae45bdac75add92f844869405fd31160a1

SHA256
a1c591b578188007e169bce6fcf6e76797d60de89f438a3c6de47896f3581cc0

SHA512
34779ef7f939875f96a92760179b107d3e419476a3403705bd06eaed5a085ae7bbdd7948c87f597ba3da21d39e9c062168a4a9a09f550aadc371c43b920c61a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rggy.exe

Filesize
116KB

MD5
60dfaa823b1efcf18f2b93957adb7584

SHA1
b3a16b93e25c2a7c9be2aae95d9b8c61af915737

SHA256
5103bc0a6920f7dd90f07b2ed088b2baed1ceeecb610d304a9e254d204fe5dce

SHA512
1c1750e702d4d306bcfd326535aa1a481cf157b5b2021cd3e9c7617184451ff6c87bad72c80eca9b506b6e8282be7d8ef73a60a49c0db29d0431924e978647d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYM.exe

Filesize
115KB

MD5
b4d0c000ef42f4007264d0e50e983afb

SHA1
157f41fd053dc7ea791f3757639929f47c0da94e

SHA256
d3ae7285a66d4921468a427573f303bc9084922ffb84d46d9b91f8c5da756b1c

SHA512
4592d073fbbdaa6edced3a69d2d02e5155d0bea589c3a53af076bf3803499e176bdf60ac974eb417ae60a6eee6377f5660c498c42568f1b70444da5fe83c1d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAUy.exe

Filesize
698KB

MD5
8a498e092ac7c5e99b93c0b00646ec55

SHA1
12975b89bc1bcf0f4fc30c60beedec2c0c4c6334

SHA256
6728904c918f7cf69fcc8fcfcfe16fe44aac382dfa2a19bc54658e5d0473a64f

SHA512
89d9983f474eafea63d0134edf4c73ca0a65af2bc9174075998bb2a4ca2c6312b8c69ca9b8c972479100e9beb03cd8b384a5c260803e842299a8535395121ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYg.exe

Filesize
110KB

MD5
a9702e076a0e1c45f15e3c1d87e7dc86

SHA1
be699cbf5933b5f92f613f0c13f5db4a9a2c4e30

SHA256
45b718a1ac3994420fa2ec79111214e48e3fa4ff30abb657362a5d41aa497411

SHA512
d1851818aaa60cc451e8d009591170288b9e0f967cb0919dc7a02a89c93507d04085b37d7c7aad72d826c27e32bd49b8e9d9cf9ecf78f89022f998bf2007a56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMAw.exe

Filesize
140KB

MD5
b4cccd4d64f46deae33416ca8612facf

SHA1
76069a65e071d764b0bd07b1756fb7e3b25fa9d9

SHA256
6737be10dc344f01f6ac989b173457a6d5c4364f7b94a63b4456912335efc711

SHA512
36c5adca1e1fdf72bd70a92bf3f9e8f31e21057135f968afdb97f7e8443bc3d8386c4932f8cc076c745bf9fa06dee9884bc116a18c96d770544b44c14e59320f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUsa.exe

Filesize
114KB

MD5
b29d580c158610688d3e2733a376b36e

SHA1
41aa1801e924438a590f43cfe6fe60845cc55513

SHA256
7af7755d7704531e31c94483caa9fae6730d022a3491d0e88b7f95eb42260f52

SHA512
d627154a119a373c82b0658d372d288855768e4c9dd08c552cda54fd06df4812678ad53ecb3d6df39532421171cca2442647976c35cf51d2818eb68791a48c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQI.exe

Filesize
237KB

MD5
10c3f9273e946a708aed8cd1fa6f7439

SHA1
e3f3424fe4b5f5d43ffd57c8862362ee25822af0

SHA256
175022ed90cef13270e2b8b7ab0602bcf280f6aeebfa363c5892c5ee1b787da5

SHA512
a3fdc5db2c571982735694befac29bce8b1ea6d364ad3036f4bfa0f6935f269e7625c223f0e84ab796e195cefe45f755b7dc8aa150090bc6e013fffbb83989fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygYo.exe

Filesize
240KB

MD5
f0bc758cd3cfe06cfdea019888a3a6d0

SHA1
f412683795fbed07dc8f966b8d49d58a513a936a

SHA256
d06e8463fec4d1931a07515188df4c41d6de2d7b44f581d4c56fa19a151a55d6

SHA512
84ac8a239d49bbe8f2ccfdfe4ca82bf2f36c0f937c4cbfbaebf5c30dc8b1eae75e8dd0958fb0fe440bcdd8518d21325ca8854532c2a28c7cee70e94008d4bfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zokK.exe

Filesize
115KB

MD5
f648c12b9e21453495074680828b31d5

SHA1
4b448f0af6dd74013c35144ebed944fa635bf322

SHA256
643868b76271bae3e3331df179b74da0096410b290a4451005e4deaed59176ef

SHA512
58a0491834803d9cfcf9078008677c9d17e70939e68f457a1662606fcb5fe948e7614116cd5d9417a568e0c8d01b41d6d0112184aa49fd2a2755d860587b4d98

Download Submit
C:\Users\Admin\AppData\Roaming\PingRedo.zip.exe

Filesize
1.1MB

MD5
3a0d1d02b200de96548d2b8c4d79ef67

SHA1
50290ef20a0edb0bc1757e886270eaf9c247f3d7

SHA256
0dd0be5b1022080d77373c8990fbacd92e4b355e70ee9b8f91455e8771fc9df3

SHA512
34479675c6420d68fa49f5e318afa5879603e79c561ae510dfbf97745bc2efc334a4fc28e78dc6c6b05a715968489eadf98ae1f8464edac83ee06b1061ad1a73

Download Submit
C:\Users\Admin\Downloads\GrantConvertTo.gif.exe

Filesize
841KB

MD5
94021a16e9593fc27bed9eaa85e500d6

SHA1
4c7fd26caf12dd1aa0ed54d2f46334952cb2a876

SHA256
8bd1bb9a42deeedecb490422cee4b62a43da9741ddf0b386cb191fe7eaa5e6ac

SHA512
392920baa744d9508b15bf7eaf173c46d67d3493700fc818a726cb3ce70d57e70ef9647938f4919b284bdb73ccf698f43501e030e9e6095f08db6bb76e39c51a

Download Submit
C:\Users\Admin\Downloads\PopConnect.mpg.exe

Filesize
459KB

MD5
73b051c12ad8e7b05e113f94efbd03a6

SHA1
21bff5a2c6478581aca73a114eef10309454ff06

SHA256
a307b1405a48d0073a959444cd67d3f4004974e33aa6a778e1c60d62f976508c

SHA512
639f07b352bb23dcf27150602e37f76e0e5de6c19b5fb518449abf7cf8071f527d73acde94a954d9121207dc508c46cd1f6e4b9cb17aad427ce7c5783c337ab1

Download Submit
C:\Users\Admin\Downloads\UnpublishBlock.mp3.exe

Filesize
687KB

MD5
bb42cea6f8468b3912bf2486ab8ae96c

SHA1
28ae1d1fadfbb0cb5bf3c0e1149630347838e4b1

SHA256
7adad0cc4b81b6c407d7800a693a34dc9507d5d3477469b4f3737faa4aae3ba7

SHA512
d85861f1c0d3e126289c1f4e0eaa163df7b70e3bb253348c6c384595362e40c748382b79c904c224a5b854f7a9f8d8aa790ffdfc126d4079b8044c0cbcab5de1

Download Submit
C:\Users\Admin\Music\ReadBlock.bmp.exe

Filesize
377KB

MD5
228035b5dee2b22ab0ffa5fe41865901

SHA1
a61bc421bfa04d0ac2cec218eb00e9da69b1bff1

SHA256
4974d463b262582a847f5a167a7a4dddc84eb3aa26f707dfa5cbfb1f04a92b08

SHA512
940e6c2aa63bab3a2ff51db8eb952f7bd11376f57f033924f1798fe2961182bce492b74ba723b7b74fef2c3d228dbafd3e8735a3bca10964b32d44ed235c3e73

Download Submit
C:\Users\Admin\Music\StopConvertTo.gif.exe

Filesize
243KB

MD5
c169a1d80fbe4d68e172f25c8c0df7d7

SHA1
17e88a47d358fa14125fd0dde38d28f80a8b9874

SHA256
5582dcdf34baf650e44952e0dbb521be5f46afe5f0a45a19e225621b5c3a82f5

SHA512
7a9440836bad1fa8b435ceb1c3cad1e9e65a48905508ebd503561a79f0b26497307d09e0a38207e352ba077331e9f098f60bcdfb3eb45d213a031395314b9682

Download Submit
C:\Users\Admin\Pictures\CompressSkip.jpg.exe

Filesize
685KB

MD5
23d6ab7bb4523dd8a52c6008c1646ca8

SHA1
570b65411c32e56734b30f2466140ad5ae602858

SHA256
5a0490379b56b1ab58bf4124dcf7d906e0f811cc6ab1e940efecdebc531c5d86

SHA512
a05e779ee5aff335fcf69ae4d9bc531f603854e0fad1fdcc3fa6b0b495e169866929e703f300928400b9bc38d0ea4eb039874885dd25ed7f0463afdcd48e46b4

Download Submit
C:\Users\Admin\Pictures\ExportCompress.gif.exe

Filesize
449KB

MD5
89b869d9a8fc857417c6593e88776c64

SHA1
f3ede8c5233198b22bd9d38e591a61e6cd5b29ca

SHA256
5b4084e158ab4b03113868acb56617d30419b7c1860dcb9c02698b42b20c2410

SHA512
3e5311b374ede79295dce70be247865996fe517933b243155b94dcac7253938a38f0e3cad4f094ec034a28142939778669319d123ec70888e72bc133df218c37

Download Submit
C:\Users\Admin\Pictures\InvokeDebug.png.exe

Filesize
463KB

MD5
a70abd0f470e3ba2e3bc0e2c72145b67

SHA1
004132fca1797f942f2e19e5da495fd70ec8792e

SHA256
43a74f35500aafd0b820275914b9c202b93aa417aaebc79f074954bb8cff8de0

SHA512
35fbf3b0227af90b87ff0543156c4d3e17bd93fb8fbf57ab0cd9dab8e42f68b322cd301a0f086c12019f063ce53d207c05a42fb7eea1b7704057901dce7feb86

Download Submit
C:\Users\Admin\Pictures\MergeLimit.jpg.exe

Filesize
477KB

MD5
0723549905dd2c25ff6d5e132c4a0ab2

SHA1
a28e83ec490347060ab4df7b35959188713e9425

SHA256
4537c4595e7861afaad4c3caa2a3e5d0815a4d3832e1ac37e617639d99cac822

SHA512
03cc37afcae9c593a1b895575eabd1df2b8cd4860e543cadf8cf9327c2982e34f0b13c02bc94c59760d99a5a0e9620e8c225fec138c0f00236df6ea9054418f6

Download Submit
C:\Users\Admin\Pictures\MergeRemove.gif.exe

Filesize
525KB

MD5
09338aef95f2e96a443c1198809e29c6

SHA1
11c2c572087b8f976955f2c3b4cc8c8626846382

SHA256
8d4c0f96b4f29c304738ca18d0929cb4e93cab5e59a8d3d204828e605efc2b89

SHA512
91d7403ec1e67807cf27951e5f5bb2c2104ea95ae2fc35dac482b1ff058484d76ecee25063e4264d8a550a2c08049d778d1dd792361eb5eb82647b2f0d936ab1

Download Submit
C:\Users\Admin\Pictures\MoveExpand.png.exe

Filesize
698KB

MD5
c459fff71b37080a9ebab9c0148d1906

SHA1
8cfab87dad8b22a123f3e19b47718d50eb52c632

SHA256
9315b24ae3c902d35c49d3f27cc1c0b36791d691373a6ef0c0a421972f258ae6

SHA512
39eef5a1933c98fbc394a765cf5bc45a64ef9f63ec2ea8438bc50fee85a8cde200a806472ba8a6d91724c596b5a4971afabd7f2ca6cfef44a7251e2889d39da5

Download Submit
C:\Users\Admin\Pictures\PopSelect.png.exe

Filesize
507KB

MD5
83e0439f70a07cc700df4745e9a7f8ab

SHA1
ef22d13d0c3b5a4a9cc2904fcc7bf6a9e4a0d815

SHA256
74d3f851dfcc6cbdadbdbee715173cdda5eb0106f04d5e16a801f0700a8cf893

SHA512
787e8e9d5d1e28086babe1862d786578fc3cb3931d7558cf2430b369a40684b8f639659641d3c1353321cd5b156b8dc1fb135444485f905d57989bf1762a3916

Download Submit
C:\Users\Admin\Pictures\ProtectEnable.jpg.exe

Filesize
352KB

MD5
1f3ef540b658c5e727e58319b64f8a6e

SHA1
31fd06d3623d415a09bdce66d4fcc15d332cde25

SHA256
e6d19476d34c2c7101c188466f8059c01abb8d333cc0a31c2ec92c4bc59eec0f

SHA512
21cfc267b500c999283caf7758931a59e1888844275376fb9a15a3beaa7ac8ae49d293bdc7397a1d333fba9530a2cfe0038fd271333b9b9064c46fdc16260128

Download Submit
C:\Users\Admin\Pictures\ProtectSubmit.jpg.exe

Filesize
534KB

MD5
16d543b0e7f5d16e9d39e357763fdfdc

SHA1
ee0a5c11a32c52c59d6621c9dc8516a83bba7239

SHA256
16097ec76ef1c0dfca88f4b19370bfea2ffd80c8a787c48956aa0ca46d6bc4c9

SHA512
a27a046651c051dae22ba42ba266fbbf6de4eb3d4a17be4d561f66d0ecd409463f555ba201635b911e6850bec7d7254b7fc223e7f3d51895d962b4287b1009de

Download Submit
C:\Users\Admin\Pictures\ResetLock.gif.exe

Filesize
726KB

MD5
0611f5b1cb16ff3f843fcffe6bbacfed

SHA1
d25426f9a29c0da41857054804aacee5902a5dfc

SHA256
30ff2a2f345d46408d93e92c2ea8377479ff23a51ae27a516520943f1c099b3a

SHA512
cbd211b7cc2d644b701e4bbe0eb741e773c3058edaedcd9602dafa3f3f18be5355891fbc1691ecc7b1ffbcf216d9a9f9753c72841578cf9c2d2f60fc4c750b2c

Download Submit
C:\Users\Admin\Pictures\UnblockSend.gif.exe

Filesize
673KB

MD5
513e84ddce20bb1eb3d65eaa39483f83

SHA1
cf5f82e585a3a41a7b18737ba1af76c3d952108b

SHA256
b796cd7d17b6cbc4c6144fb272faa93a8301fdebf77d28cad7c9d50a347c1318

SHA512
50782bf6217684d66e33edc08a7d0f91e20a5c76e1a47652e7acb0a3e9e668c2d55c4eeab4f2896a1d17cc8c644b570241106b9cee8c74671dacd325241e2ec5

Download Submit
C:\Users\Admin\lisQAgAc\sKIckEQQ.exe

Filesize
110KB

MD5
4eeb5dae958e812afdc9cc5222bf1d6e

SHA1
c89e91f5ea7f9ff9e250ac661ec58f9cbe0933d1

SHA256
2e1ce65feac84ff0788600c3f5b49879a334730f18b99ed1206cd37e230f3500

SHA512
bd44d4572bf131da55897813e08416966e7ae2a3785c447fccbfa1e5e2f3793cffdb433036477f7e5f37a15ee036f22cbb6eb542f15d2d4181c04f7bec7daa4d

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
9ffb7ab5bf50d77697075f7a2139a575

SHA1
2b6028920dd9bde70aefed9a0a7fabaa54879be7

SHA256
8985abb0b8810dd0531885d5a9f188bbebd81e8b06e1a3232a89e62de16b5ecf

SHA512
a639738fadaf4c19d9435a2f41a731ca54023850560926ea4d6d38634c1dcd51be784fbf4949340d4636bcae8935e602e810668fe5f739df0969793c6f7f3498

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
3.1MB

MD5
0d146d056217aa55eae38ee11c1d2a12

SHA1
adc8fd4df4474938baed6dd7d4ffb2756847f118

SHA256
def74ab87e12afd1052cce8fc7965c04d5e1a9c98ed3b4d43bacce12da7a0fbc

SHA512
16eef8d57bfbea324174d0f6b6090d1a4abc2bd991541ce2cedc985806c75e87c8ae3bae1032e78875b02ded15027888d685ac1655def686164e72ffd0672ab2

Download Submit
memory/976-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2212-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2212-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3188-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3312-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3312-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3312-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3312-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3416-2019-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3424-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3496-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3496-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4760-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4760-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4780-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4780-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4816-2020-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4940-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4940-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5060-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5060-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5092-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download