4a69753b4a4f7aaedf6398a20ee08d6f31c1f71933ee96aca671bc2711cf0a4c

Analysis

max time kernel
159s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
Size

117KB
MD5

21c6668b742da8f37daf73c866438c25
SHA1

8791036b5376a0e00fbfadf8ff6cbb2f7c890cb3
SHA256

4a69753b4a4f7aaedf6398a20ee08d6f31c1f71933ee96aca671bc2711cf0a4c
SHA512

3c68be2afbc04c460c4b137fe35ec18c1f75748ac8c261724f6e5996779fb00a5c5565eaaa83fe0e87687aa618b49988f37b7c03299bfce6f7647a28bb70a251
SSDEEP

1536:2HBb8I2gqPCwyj6G3XrWcTu1uZsHkxAvn5sCX4l+kZjGW8GWjI+IxgwWeGVuprg:cBYhEOGnrMMGEe/iPlHKGsIlCwgupt1

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 25 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 25 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	nGsMkUko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	CCcAAYAo.exe

Executes dropped EXE 2 IoCs

pid	Process
3276	nGsMkUko.exe
2360	CCcAAYAo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nGsMkUko.exe = "C:\\Users\\Admin\\baMAAMAU\\nGsMkUko.exe"	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nGsMkUko.exe = "C:\\Users\\Admin\\baMAAMAU\\nGsMkUko.exe"	nGsMkUko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCcAAYAo.exe = "C:\\ProgramData\\oeQckQAc\\CCcAAYAo.exe"	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCcAAYAo.exe = "C:\\ProgramData\\oeQckQAc\\CCcAAYAo.exe"	CCcAAYAo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	nGsMkUko.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	nGsMkUko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4488	1724	WerFault.exe	396

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1388	reg.exe
4616	reg.exe
3588	reg.exe
4388	reg.exe
3480	reg.exe
828	reg.exe
5080	reg.exe
3532	reg.exe
4668	reg.exe
1896	reg.exe
1752	reg.exe
3280	reg.exe
5080	reg.exe
4356	reg.exe
2904	reg.exe
4356	reg.exe
848	reg.exe
3852	reg.exe
464	reg.exe
5040	reg.exe
2516	reg.exe
3052	reg.exe
3596	reg.exe
2400	reg.exe
1992	reg.exe
1752	reg.exe
4016	reg.exe
1628	reg.exe
3532	reg.exe
620	reg.exe
1728	reg.exe
2860	reg.exe
2232	reg.exe
3052	reg.exe
3320	reg.exe
3904	reg.exe
4068	reg.exe
1624	reg.exe
3228	reg.exe
4440	reg.exe
3604	reg.exe
1696	reg.exe
1556	reg.exe
3532	reg.exe
4836	reg.exe
3284	reg.exe
3852	reg.exe
364	reg.exe
2672	reg.exe
4444	reg.exe
1976	reg.exe
2424	reg.exe
4952	reg.exe
3332	reg.exe
1980	reg.exe
2604	reg.exe
1856	reg.exe
1552	reg.exe
1628	reg.exe
2140	reg.exe
4888	reg.exe
2504	reg.exe
3160	reg.exe
3228	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2140	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2140	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2140	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2140	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1692	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1692	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1692	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1692	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3228	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3228	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3228	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3228	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4124	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4124	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4124	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4124	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4944	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4944	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4944	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4944	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4080	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4080	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4080	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4080	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2424	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1492	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1492	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1492	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1492	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3596	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3596	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3596	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
3596	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1516	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1516	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1516	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
1516	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4560	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4560	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4560	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
4560	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2464	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2464	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2464	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
2464	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3276	nGsMkUko.exe
2360	CCcAAYAo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe
3276	nGsMkUko.exe
2360	CCcAAYAo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3276	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	89
PID 4992 wrote to memory of 3276	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	89
PID 4992 wrote to memory of 3276	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	89
PID 4992 wrote to memory of 2360	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	90
PID 4992 wrote to memory of 2360	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	90
PID 4992 wrote to memory of 2360	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	90
PID 4992 wrote to memory of 4820	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	91
PID 4992 wrote to memory of 4820	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	91
PID 4992 wrote to memory of 4820	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	91
PID 4992 wrote to memory of 1980	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	94
PID 4992 wrote to memory of 1980	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	94
PID 4992 wrote to memory of 1980	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	94
PID 4992 wrote to memory of 4440	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	95
PID 4992 wrote to memory of 4440	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	95
PID 4992 wrote to memory of 4440	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	95
PID 4992 wrote to memory of 2604	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	96
PID 4992 wrote to memory of 2604	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	96
PID 4992 wrote to memory of 2604	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	96
PID 4992 wrote to memory of 1152	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	97
PID 4992 wrote to memory of 1152	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	97
PID 4992 wrote to memory of 1152	4992	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	97
PID 4820 wrote to memory of 1580	4820	cmd.exe	102
PID 4820 wrote to memory of 1580	4820	cmd.exe	102
PID 4820 wrote to memory of 1580	4820	cmd.exe	102
PID 1152 wrote to memory of 4124	1152	cmd.exe	103
PID 1152 wrote to memory of 4124	1152	cmd.exe	103
PID 1152 wrote to memory of 4124	1152	cmd.exe	103
PID 1580 wrote to memory of 4784	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	104
PID 1580 wrote to memory of 4784	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	104
PID 1580 wrote to memory of 4784	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	104
PID 1580 wrote to memory of 3604	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	106
PID 1580 wrote to memory of 3604	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	106
PID 1580 wrote to memory of 3604	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	106
PID 1580 wrote to memory of 3904	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	107
PID 1580 wrote to memory of 3904	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	107
PID 1580 wrote to memory of 3904	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	107
PID 4784 wrote to memory of 1432	4784	cmd.exe	108
PID 4784 wrote to memory of 1432	4784	cmd.exe	108
PID 4784 wrote to memory of 1432	4784	cmd.exe	108
PID 1580 wrote to memory of 5080	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	109
PID 1580 wrote to memory of 5080	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	109
PID 1580 wrote to memory of 5080	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	109
PID 1580 wrote to memory of 2180	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	110
PID 1580 wrote to memory of 2180	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	110
PID 1580 wrote to memory of 2180	1580	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	110
PID 1432 wrote to memory of 4620	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	115
PID 1432 wrote to memory of 4620	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	115
PID 1432 wrote to memory of 4620	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	115
PID 2180 wrote to memory of 4028	2180	cmd.exe	117
PID 2180 wrote to memory of 4028	2180	cmd.exe	117
PID 2180 wrote to memory of 4028	2180	cmd.exe	117
PID 1432 wrote to memory of 1696	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	118
PID 1432 wrote to memory of 1696	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	118
PID 1432 wrote to memory of 1696	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	118
PID 1432 wrote to memory of 1556	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	119
PID 1432 wrote to memory of 1556	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	119
PID 1432 wrote to memory of 1556	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	119
PID 1432 wrote to memory of 1752	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	120
PID 1432 wrote to memory of 1752	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	120
PID 1432 wrote to memory of 1752	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	120
PID 1432 wrote to memory of 4556	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	121
PID 1432 wrote to memory of 4556	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	121
PID 1432 wrote to memory of 4556	1432	2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe	121
PID 4620 wrote to memory of 1424	4620	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\baMAAMAU\nGsMkUko.exe
  "C:\Users\Admin\baMAAMAU\nGsMkUko.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3276
- C:\ProgramData\oeQckQAc\CCcAAYAo.exe
  "C:\ProgramData\oeQckQAc\CCcAAYAo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        8⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        10⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        12⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        14⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        16⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        18⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        20⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        22⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        24⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        26⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        28⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        30⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        32⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        33⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        34⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        35⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        36⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        37⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        38⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        39⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        40⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        41⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        42⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        43⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        44⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        45⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        46⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        47⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        48⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        49⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock"
        50⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock
        51⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 188
        52⤵
        Program crash
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkkQIMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        50⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqwQYgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        48⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hycMsosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        46⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCMgwoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        44⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyMQsAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        42⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMUkUEoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        40⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYwYoUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        38⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yisIQkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        36⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiQwAcck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        34⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roIoUAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        32⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqMUUIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        30⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMcEgIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        28⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NccsUUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        26⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGAgEEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        24⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgkoEkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        22⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQMIsQsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        20⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCIsYUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        18⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKQwQUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        16⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcUYoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        14⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmMwIswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        12⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYwwEAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        10⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQkckYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        8⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4808
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1696
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1556
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMYAEQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
        6⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcYsUYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4440
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWoAUMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1724 -ip 1724
  2⤵
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
237KB

MD5
4e4c2696153d6cb39f7c70a7c2ece1c3

SHA1
58babafe69eab9c028f98c0aad0a815630d7d48d

SHA256
1e1805ba868fc3db0f2998dbdbc9f7ecb5e07d64e1b3a973d25aceb12b57b0a3

SHA512
b38195f255937924fc75cd4b4ee43d164634d4c71572482b09b5149f2d68fec01f8b32df39cb2be15faed6b3635e979b39600675c8776f2d89d035ea3bc051e8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
138KB

MD5
5f013bad7a16b1dcadc1cbb3f27299f6

SHA1
e37237934ff4c27c7a423cded583610f6d338bf0

SHA256
9e803e2db97fb0a39b13050857b02ccdac4c809576a2a7a6acad893d05de61a9

SHA512
61de064739d40eec7eafcb931c5741b57414f92038df16a5066ddce765cc976df120107d281b864249ea423a5314685bb3b927078b2bb3b796e4a203ca7eacba

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
140KB

MD5
f95d62a2fa118a0411652d78642f405f

SHA1
5186874a32bb29a033288d260dcb355cebb72344

SHA256
f07796a85cd7175c04ba8c6a21d85f4e7e37705c46090b7cfaf26b675f1c9541

SHA512
4b1e54a65ba1bce7ab9c17c1f236d8b790ff23f9d007e23b5cef114cfa3d3d47e7a3b431f82212c4e299e68b8ebabd44ad70b682233c235510dca02a882a7b44

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
147KB

MD5
6616b93b502c9ed09f160f890ab199ea

SHA1
8764d86f25283fc85287e1d341b369690a56ff3c

SHA256
3da1b9efd1082b4e82f636bf4e8141d30a5100c7ec9c117943fd2160438a41b4

SHA512
aa0e7c9d4247c4bd66a6c528b0ff812fd29d6ab62d66f21583b10a9a21ed495fcf48be93e848badb2feba062f8cb5cf0bd2f7296257f6a01a13c8a81db92eddc

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
149KB

MD5
5f9b834b388883dfc243168fac5a88ef

SHA1
95517db9c0402cadea7ed3f076d56e70e741e7cb

SHA256
1dc0e856a8cb5e3c588944a73ea81c686ec80db9a62215328b66a0b604527504

SHA512
4439b46ccbdc17c30c32f22a10ec772b17803f23404f3028364b023a59acf566f8a99fa2b79c9cdaa9faac39ab4d87867b3afdcb6a4a4a66171640e97d919920

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
237KB

MD5
6481733715cfc8112af1f11ddec59a98

SHA1
972997e9d28668d8f8b5c98d544ae7d867c44845

SHA256
a91982997e5dc329e10df4da81f19794d03dcc1c587529b0dc95f4653c63b7d4

SHA512
638878226ad417f1346300e9d632afa86f7beb8ff3c16c373e8674b2bd661468e513cd9d2b1c0c3a402a6494fa3c7f4192cbce8c9ab09447df541e1744439b0e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

Filesize
118KB

MD5
bddc9087e787ec8fa23517bc82b8d36c

SHA1
ecd9bd294f7ed5448367f62645de86f966135713

SHA256
bc0e0cb884e0ea6047c3a3bd39621df637b2d8dca530aaa61d283b300bdcf81d

SHA512
6a773493fa1bb26bcc6aa817014c6b0a249c8114aca2fb9d44f46562b91d31815c9f660c14c3924d465edc582d3748bfd1443eef2bd3549a2e34ef8a24c41bb2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
111KB

MD5
889044adeb4b50decfc4072d41180485

SHA1
11e43406e209e00821a506c1b2c77c729ae8214a

SHA256
554423622ab69461e7498e4d00d8627ed8aa7b7bd32057ce69c2c3dac793f8cc

SHA512
9a5b7b32271eb8b1be1ce3308aa816bf12b998f38be06c94b49e9cfe10481181aac0b101569d6f3289978874062dc2da6b3ae8d25a430c4e699e7afa4a18b989

Download Submit
C:\ProgramData\oeQckQAc\CCcAAYAo.exe

Filesize
110KB

MD5
55a2b4da33a1eb21efc5957735d67601

SHA1
91bd8986030a8940f3ec69cbe4495ddd0f9ca63d

SHA256
4e5d3cf1c61223d584c94a1498213c587e99ee8c7355223eb9e934f96acd9420

SHA512
afd68e7889f416df226f16bc3dbd9fa3834bfe3c73980b37d98c2e966afa1aaa26127492ec566ef8f6556fb71613fdd7e47295dbfa6185c75abcf4ba239350bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
120KB

MD5
2aa59ccd92ace33d09861c0af7dc366f

SHA1
492a5547e22ee89354bc8be4d22a001804708aaa

SHA256
366c1041dedf69342ab91e4a4ff7a89064153e7da13b52b40c7ab3f0e0f777d6

SHA512
b65360e2821fa1d40c913aff24e8cc0a9f4594b7a350257500cfe90103fadc827c6d106b8b7bc8ec634ddba21ef37c44f9607efba04bce44790020e665ba6a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
114KB

MD5
8b1048d5bec7c7f0b8d9f1624c38ce69

SHA1
967a5189bc1dc1aeac60038763af686be3bdb96f

SHA256
544dd9b79ff596af1645121fc2ca546f51d5b1308238c53deb45c1b324fba015

SHA512
476b52332c73a8aa2aa6b8c8f6d852e9bac69157a9e41fb956625f4c552b9d86b3d13ad4f967669d1baf615a79da6734c0b0d400d629a582f2b5dc17df05844a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
119KB

MD5
6c06b2fb175af3198e7ff9a8b1534a05

SHA1
d6bfc738dd8e63e3c895efa8118617f304ee9607

SHA256
cbf85ce1b8a3007226738be6755f0f411e85efcdec1498da678ebcfacfd6e484

SHA512
14fdad9659e7fb7ecaa284567580113945fd0d2b752267d0ecc832c875713493205123e53162c3f76b9272df7b4f5cbf7de85e82372ea6f5c5e63b437e6029cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
116KB

MD5
ef55019582235d7f65be50aa90d96b97

SHA1
0aa800daa79449c9f2ae37d6d83a2d381ef81dae

SHA256
e0cb2c910a14d850f6eb82217b7d781cc713741fa9b296791d5323392c871cc0

SHA512
b9e60242aa7b2a66c2461241516735b11d1037acbc5d6febcbe1f6b2c4d006ba2e3689e393724f685391821b76ba77302828cb307849d910632916c7d2dba185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
119KB

MD5
b9e34c2f53dd88d7971eaaa8fb050945

SHA1
e7535fbff2b406e5fe773c7ce185197dc39138f9

SHA256
20cac93ca7f4460f2779cf0c149b01b7dc415eed03bcc1056cfbe553f145f581

SHA512
87e785d0b56dd1a74cc62a5eba28276e7cf320a76bf2879c61af3230490a0d988d5cac32991b3801a391edf8c43675963d0d7ee2d4645969a07cc1679fda1613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
117KB

MD5
e61d28915ed3f3f3f269680e8c6ef1a4

SHA1
0cd986449b4a74f31ce3a66131fe4c8e3d6c0fe9

SHA256
652786f0b2771346ac9025940921336a5883327d55a8fbce76f5753ee77c8c89

SHA512
adcaf61dede205c0d1e0f5a50ff69257d6615436a6aa0a876e13e0c8e26e5e7efb328583363adedc668f6ce9fc9b19f3d949081f85c0883bb2199c183a8bbc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

Filesize
114KB

MD5
2b6720176c156259f2fda6c5d6a291f7

SHA1
8ff62e064f03cfbd8302970a9e419b5018594b8a

SHA256
0939adce921e3dde488414c70baef567576292a4c0da07375d9405e84213bf0e

SHA512
ee38739a1f91630f16ceb2065bc2bc787a0a6407d3b8dda9e234d1d242a0d9c7b835459e443af8f7a82fb0bbcf12540e0a75ed9562a11929fccbb447c9cacfd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
111KB

MD5
c31900909953065ef25e3e516897b08f

SHA1
73179e1dc697fe3136722c2ed62c00314d94e4d3

SHA256
8bf449646e975642f48489d2c1dd79636381b6232fbb14ad40aac795aa133219

SHA512
1617aad35fe770d35d243319091179e3364ba4210c183c7f3119d63be29b684d324887d350e525975d974d025dec705e8c193cf4ab5a2239c35d9d4c65c377e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
00d44cab4729ca13e1b05111202ff4b8

SHA1
de4d741aa55cde18d125282fb1c28a9f54d78e54

SHA256
9ea860fd59a7714e28ffa6c90c278d4a5736fa4834fa780575c4d7bd7dd71d1c

SHA512
bef6708fc34bc6b70be3e06d219aa88b6535405b87b0b377e581f4d1cd1426c3de6b2ccdeec1150711dd787cfb0805d81fece0ec252fc9e8e20808e31b205910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

Filesize
112KB

MD5
ce45684c69e3d4ab29193765e0ac33b8

SHA1
e9d60f2c5366b6f6e7500c6887b82d090195b0f4

SHA256
73425a1ee62ae6fc089fd1fdda0f2fdcba97a6e2fb480adecbcd9c75bd48dabe

SHA512
acaf88691a95eb4210beb0dde7a6d788104a0e50e8797d40710ac7dafb9dfd02d4b2161ae2ce1ed34800c8849871afe19ca2195551c7093aea12f8d2aa08cab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

Filesize
111KB

MD5
67b4102a1ce3908e0c8442de4b7cc1f4

SHA1
b23ce57e1536cc5928676bc82b1dbfc063c4b1d8

SHA256
c5e551676685a2817c0b3752a6ca74dc3e153f0f62b2ccc810eae4960c22c9a6

SHA512
5cf7f239574fc0aa4f429a7d7a4b48b3f62bf7690b39c5d4cb330098c4c5ba364300547fd9117489d3ee6bceb790416f15fe4d4df616a00e5903fb87014c048f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

Filesize
111KB

MD5
cd7fc3d79035b84163ffc198fd9a1f3c

SHA1
5821616d5f4dbcb399143a9638988e878ee328af

SHA256
18dc38d279618323e81b0e613d547ef652d484d1ef4a00d490da34088d603457

SHA512
40a34c5fe32c63df26c307bb68ea109b048e65c5da9c331809eb49f98e957b8bfc5682c1c5788c89373df472b1fcc9f99de3ecbe3cd32e76f7096cfa4f263b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

Filesize
112KB

MD5
eeca5662fb7b5d4d0c42508c871aeef4

SHA1
62ef9a3ee42d0457ea126f48aa6a9e76641d823c

SHA256
4ab05b125a9c6bbacba5918cae80309fd4d4cd1ade1a48abe46d44df13a9dbb0

SHA512
83e2d1b4a47a05df2ec375efe52aca70b62cea00d65f347683c327b3e021e7615b4c0ff2496cb982593c333a8eb631bc9f0ff871e221b45a941b76f8a2652c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
114KB

MD5
39ab3149d38c9b5ce87315dfe40e8f10

SHA1
38aaa3672cf1377dca601078535ec3e89747f970

SHA256
7586a866f3495986c5f1422649d2af5be3e299293a4a851a66bd0cfee55f9f11

SHA512
a72a08dda4b4469c48beac41100f201838e26c766e4acf0b135d6f5096ebd1597a1ef6fca333f48bd139f4781707e13e90f94d2f7768cbebfa423975fa8fefc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
111KB

MD5
a2ecb34919de00436582a63653c0f435

SHA1
d4e1a8ae2d78cba4facdcb9a4bd23a62119fe896

SHA256
0eaaa205f9a09176cf37324a9e6ab6f1caa96c8461c998a7e112d589996777ed

SHA512
20d3cade14099b2c5ed5e4ac13091affc243fe5b7ab11abb0952a2a80919df15c488d8489c5728359c5fefe4ff11a9f3247ee115b26b03436965922bff6229e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
111KB

MD5
bf969a5d49f5d88a9ea881ef92f4307e

SHA1
3ee8fcaaab5876c777133dd6ea2ff020b5825302

SHA256
63ebe4126f491ddab5874be48e6b8ac7c5faf55b43b114167883437ddcbe0a7e

SHA512
52dc9a2cc109c45fe4d3a287c489893d4cc09261269203df886290538637e9d31af9a2cdcd5816312c4826cf030eb9adb0cc10b55504768e5fa9d3002a0d9d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

Filesize
112KB

MD5
45584e3d5d31ac5bf99fe125450d1fec

SHA1
db463d9240b1122f597939224fa51a99411da7bf

SHA256
18d9095762a25f067f092ec7dd28289a5940ef51ca77648d8bc028b3cda1fb84

SHA512
06208708f8749b92a95f2abb0b632702296ada0eb723aa44b26b937d931b24c076f56485042973aeb34b68a9879b51daf74ed6e3fb2bb4b80777d4850a41b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

Filesize
109KB

MD5
f9bb421ae334d9b1d09e00784ba14ca3

SHA1
99d5c298abfc863e8eb8a97e904eb73fd260d8ea

SHA256
6b1b2a48c9070efeadd9e48f8f7385bac14f65fceac8f8c51d72f68f4d8ba7d6

SHA512
b94ec33e2e065b9c3de46d75ecdfba936b3bf7ef04f900cba871fab18c9e9f1fd7ee6b08ce40488788280bbc11a01a6f4c393f685b5dc81fdad347de5376f136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
110KB

MD5
bc7a21905cf57f93ded99754d0fe194d

SHA1
e2885df96364011e25c5f28db688db34d9f30818

SHA256
e45d1e679cddacaebf0bec4cf99ff046d4c33fd735c6fd9fbbddd62af5df431f

SHA512
633a396d11fdd07bc20170c53455791acf162feea71f9f2ecd672454aca5ea4428c0ec5372885284fbf200df99449f97673cd3c9ae98a2853e22a0b7ac6c7226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

Filesize
111KB

MD5
13c75e693fa4a2451300523aead48978

SHA1
94c2862ecded3c3f11fb90c16fe0325c6e809530

SHA256
294fc9ef4c78e6cc8395618907927c653e95c70a893f37c0f9efe0cbb3e60ec6

SHA512
57d20de4e60f3c93a5f12555f45c14d35290c194a8cdd699c8bbc18303a67cc5c513b8c127c7e724d5c4071a4e4aab45062dc45246d7810854e0f768aa7b1cbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
111KB

MD5
9669efcd895f23b5692f0e7710e2eb71

SHA1
b5a6aaf9f5125a070dbc8b3ec7217ebd9db78e87

SHA256
deb231c3a9df6fec206f5ab33d75bb273243404472fbbde53fb69eb9c4204dbd

SHA512
2bb92b0c3f625bf5e5721e4610fa07e587b1e2bedb6e1c7fafa8fd9026f531724f939db50170291dc2aeb5281f92347a4c420ad89ce9ceea1657f10fe6eabb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
944KB

MD5
f5375af4f8066ca521bde99df020c7d7

SHA1
067fbad5edcd92e5ce735a0d45ed33309793e164

SHA256
742aedb02ac0eeefc65a57f73474c36ea6bf42882a681459bd98bcd40e8c63e6

SHA512
088d709eee011a71503fd35745ce1e5eade2b4d8a643fec3d22a91bb9de2f88eb2d6e296824625ba8d803b037bc5f8493604d278139e1e471baa2833a7689ecf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
114KB

MD5
77255a67839b6ae493619115925a5ed2

SHA1
dfa016cc78514c11a7a80d188fb27ebf042e2d15

SHA256
798494033cb31f78069c9187aac69bf98df8c90b20ffa8d630a0c346686592cb

SHA512
a885f5787d3f9bcd42a4031da171216b5eff33e05fc13f4c8dd903e8561534106496a1d85ac2992fa34757c8435b31842deafe0aa53fb2f8017e40ea3f972c16

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
113KB

MD5
04b339348e505d8d3d64b28afa3cd2d8

SHA1
9526d000f4c11ccaf6a31fd4b6821280489a9135

SHA256
b23a4c3cd6d955ecbab5834ad7172f3d47ea172a9d281dab01d6b64c5f607bda

SHA512
53252f6748673f2e57f30833a5d975f71292ae16207c298fff215fe6129c5c5e9d277649adc899215bc03f333d9de4316115a6ecf1e7a4023c8b5eb982571ab2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
111KB

MD5
0f135cab6a6f5abeac711a96e3edf47f

SHA1
1f234af4ce00c0a42d7d3eff2049f74acc1bdb92

SHA256
13fce9c8a23811cb4b824d52c82ecfa6084d5f20c32346a799ea7321b46fc532

SHA512
0ab4d195a59a0c72b8646ae3866a4714feb2ab5cdfce3245c0fae065200c2150024d80fcf17b9c79f9899e982e2c39d90e30ab0360b3f0eb320aef3afcedb217

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

Filesize
111KB

MD5
32eaad87d12462046a4ea7c3ef16c7ed

SHA1
c9e67f2de0e54196ae487fe7c13bba58cb2d5cd3

SHA256
eb591a5d2bccdc67644bf72c3b252871a94dee40422112942a92cd3932ed5af4

SHA512
dfa4d1add5e91a173994c93dd30cb18c5ec3d6845b79d9ff6d81f29faadff07ac66c7d81bffa487b0428cc8dbe41d883bf0f2181c664acd71e590d1fd8651b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-07_21c6668b742da8f37daf73c866438c25_virlock

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEAs.exe

Filesize
538KB

MD5
154f1fab63b03ef0f4a9dfcb46819d2a

SHA1
5d3e2b12ccfec494550cb96a1fb649c598124e74

SHA256
542d3bb0e5dd0075efb7144ce5599fb9db11a72680e94596ad53c1560f0118b7

SHA512
aaa4f4fe02c0795e8edefc9ac8860e71a75d41731d25a7f4096cfa615e0bbbfe257716a361d4d63e771bfad884943e9b0215ad0ce711fdad456030a540e8356c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQIg.exe

Filesize
124KB

MD5
a8622a45816ed14eaece156feed8b284

SHA1
197a4bb42a61015a81ab2368355776a29f6fd154

SHA256
00aeef25f36e47dba27b7745af3aeacb33b6b41b72922695dc808b2effcfc907

SHA512
232bf46dd5ccb1138d5b7647fa6320112d2e1c58c7d318923f302d9f0c1e2f0fbe93fe2b59110892338fab1070b10f14c8ff6a719530bff262dbb5b29369b751

Download Submit
C:\Users\Admin\AppData\Local\Temp\DggO.exe

Filesize
565KB

MD5
9b3a2774a6aadd33b28f9cd23c3794eb

SHA1
bc4cfa5416563477c3dbe3514c61ef7c7841b80c

SHA256
653b808ab884f14528a052823edbfcefe4a1ed9fb896fc3e9199da257cad69dc

SHA512
a6b5cb8629905ae74c6a490348dbe9a408e56bc8b701ff1d92fad4af6195a90cbdcada7a43f330298d63e21ac3a9f384aefa6f1484c84a5fcfa51902b2124991

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkMY.exe

Filesize
113KB

MD5
ff8554a67ddb10eeebd184344a9cd426

SHA1
a57ee7de79c5b1f9bd510261ac32f5c9aefe933d

SHA256
09c41c07fb4378b2b81a6638f8d35bf7a37bdbfe12045e52d126eb0d30cfd4a0

SHA512
d9f32d0b283207439cbfa8570dbafef8e251b46a88c02bbcc99a33ba31d3306c29e1c8020bd35cd4ff69ed5ae2149994fef143df43429ec585e5b4adda500e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eooy.exe

Filesize
721KB

MD5
f7e85ecca7bd66ac3b05b64d38b24792

SHA1
e0656961ccf3677986ecab58819fcddb1a58da1a

SHA256
cbd3346474141767375eae097aeddd729792ffb46d18385af1d08a1f66e98923

SHA512
8c58cbd46d53c6f4740082be8d05beef3e372e78871342e6e89ab4f862dcfa21ef4fcd996cc7dda57dbd154c3b6a54f172264ecaa457edd63dc1757fb1b7442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fgcc.exe

Filesize
720KB

MD5
95495aa05203ad583098146129d27c15

SHA1
4acd57ab8bdd9befae882051d653fec3298b4cce

SHA256
735744223128c1cb9aa033327d356587f3545a25a21e177e0bac8db37ab5253b

SHA512
8fc97c515246c045023075ceb0cfd264288e85ff7cf9e077c547f4928c6f5894f41c3861bdca34cfb884488c754b7b91af2ada9f40ac9fa3bb1549789e7d4e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcEi.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcsi.exe

Filesize
111KB

MD5
0d3af789cf481b7993ca8c4b4b7d1874

SHA1
624455e0f11123d5630f5a8f623153d2ed19a2ba

SHA256
82f2acbc07e76f14ea09692e0ab53b1122059f2a9ee0cb403187ed1a52974276

SHA512
3eeb52a3d17927c868fbd097ac436345cdcd792d2b2ca50996000a2678205c5cf10d01e6c2f150e6c42c1c8fe8fc43a99e2f99a265332952a43a76f67faa21c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQEY.exe

Filesize
110KB

MD5
851cbe201d3dfe679c94bb86d6e25bc5

SHA1
73c3bbd590d800c1e40e720e3067aaa6ac955fcb

SHA256
debbabb460e5b28607456bde71d3392a5ac591ef1ef0df0daf486c65ca1f5fcc

SHA512
f3a75b996b566ef55087f6413371a7823022371cd7b77dba18460c2c6587a5df6cbec1fa70a1dcb64bcfbbe3f5eb216ae8f00ef81e129605869dcf1ed1b30f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIYQ.exe

Filesize
560KB

MD5
d743fc36fd399779482921475a6e1f7b

SHA1
b706ee716125c2be1eabaae609abe1efbed18a45

SHA256
f6101baccdfb7303ae5c8aa7f70de29c5f19e258a958502c17f4e2113df97480

SHA512
0b6739d87059d3edcd931752938d2fd2a6629e0f315be4d66b69d9859df004e7f626696643886fe89753862a8c3101cbcc19d09ca2518c38bbf02ad756a18733

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUsW.exe

Filesize
391KB

MD5
6535bf6b4c0cf5480f1fd3f9fb6f87c1

SHA1
619735af4e3fe3c012b63f0b941fef850ee32b58

SHA256
04b69252ad4cfaab25010ab92573db44ef5a1dc0edde33e9c7d4694e095e0257

SHA512
73416c795e8c5edf27c2883d9a6a17a41310447f440c6ece4f4e3b0ef1d39d07fc15054f1f275b2a9c4f32dfca1f4743f80a29b4f3ca31584f90a1b8dea70583

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIUW.exe

Filesize
244KB

MD5
a29ba337d51f62f755db0ba9da647ef0

SHA1
71916e83d9051503d3e7fb549e440e9397bad8a5

SHA256
d829039097aa037e86a02ebf00f95ff9cb1b82b623a9a4261bbba52cdac217b4

SHA512
c1a578df7c6079e4c81f0358a2ef838bc48946a0d11b81dbaec6266b02519e57a8b03e0f62bdcc7f89bd5f9cb18d6c62fe533dee042b2bd79c5fa627b724eae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUgQ.exe

Filesize
481KB

MD5
8f316edcc7fe2302e7211568b62b4fc3

SHA1
a58e26e35848d8f399e6352d73d663b03917ce7a

SHA256
070a844312ad8eebb263c6475575d5efe17236bc4906d82d1f671df85e851681

SHA512
0a3bf25b1e40ba5c50dc325176bdb37670e2c67faae44c5d6d320743dc1b2a7b059380a51a79803f44d460098fff524f9068738e4944b3cd84f506aef44ba128

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsUk.exe

Filesize
117KB

MD5
a38c0c0051b8919446812dff9e81d820

SHA1
5bbaac40c6f85f5fffcc77c0a8d703f3191d41ee

SHA256
aa3be5e24f1907914b06c7d8b837ca23ce70d39869bde96f8504ff985987b94b

SHA512
dc72f0870d1d7293a33aab806f913cbb3d8e0f90dda92d5335f25e884a480c9ddc32ab83de064d48f46d56bebee0dd8febc7b219503312ffef0decf055c92986

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAMU.exe

Filesize
347KB

MD5
449389ce715b481c9c7c9b8d49b7b964

SHA1
a1a5715dfd02759b3fe16cc9b18a58833ba3173c

SHA256
4de569a30b0ff97cf7e978be32c2b6b201f748400d2782b0e48aaaa4fdf694cc

SHA512
ab560b5bd309a7e30de1ff3e378fac69ea0b6ab6d3b4e3f0b1b089735f7ab86bea74b5b005b8ed924b1953a93e40dd7cf58b47cc642cf5ee6347113dce8c8b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUcK.exe

Filesize
118KB

MD5
d8b5d8d3afcea16583abb597bbdb77b5

SHA1
c672d020e465c0418626911bff91395686dc8fd3

SHA256
a50cdbf0702d7c38130ce9d5233a41580c943e206d6c7df1767b5a0ab23dc440

SHA512
465976fd68983d30189f8a4946b699d05174b464793a9efed212e6b400c572bfd1ed14e6725aea001633663bb4fdaa2f0ed85af9284f7c39a86207119963cf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYQS.exe

Filesize
118KB

MD5
3d63dde7e35548e5a8c78f107718c4a3

SHA1
6b5b00048dc37505553b1603061bfbfd155b7fdd

SHA256
a2810e26da336a8deefcd28a13118002ad2aa9002544d6c48344d858322e2ee5

SHA512
23f3f1fdde5723673de2c96d27ecf811b881ff690775f1bca4c5f382816310d13b2d0ec29115179d2323dc71aba898a3e33375d6a80d3a9b99aa211005a5028d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ngcg.exe

Filesize
5.8MB

MD5
d07435f1e070df83c1722ed785fad7bb

SHA1
70b58a61cffb900aa201e31387eaf07da74a303e

SHA256
cf068bbd9e57dca77c06bead6e3f52b7ddb84056b844479fb95364dd65114a0d

SHA512
ef62bba640f8f74628a5720dca7ab28e579b0153b4856b91ac6acfcb6f8601f0e15997842a3c0e62de40a2d7fcd7e065952a73d7f3e678b91863cd40fce9021d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUQU.exe

Filesize
373KB

MD5
bd7de55e6888d129d3ca10bdc656d795

SHA1
41b5492ed55fe98660ba6bbf18326d93316418d9

SHA256
d442733e5461289c1a96ff18e8c027c20ab7b893695b2317400459f2316782f4

SHA512
96dacb8653d44d2907eb1414c8cbdc5710c21ad34ebd75518d6afff17be9a07f25c4eb03f111be5c06c28e94fbd9bc264804b501c34574777f3674bcc7e45e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAsS.exe

Filesize
124KB

MD5
81c40420ffb483c4cff46e7c2ad1c0af

SHA1
0fff5ebb191553081a4cce9e08dbf6a57175cac6

SHA256
b9eaf311b51be1482b9441ae099cffea7b5275b9f338de157296345061e95738

SHA512
bd89549b3bc679fa9e7c4a8a1d7e91cf4b3e4acf7c39671b40cb0555275224eeb6dab22df629142c0eeaae0d1842eee3e4a7da6b275da8fdfc1bc7d954c29680

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQUs.exe

Filesize
110KB

MD5
10b0bd623bc8e9b7fb0f2bd5ad1e4abd

SHA1
4676863ad35c04703729e96f18b5bf8a43936531

SHA256
a88a2c2581e9237d25a41d5f7b3857c118d755a9f52a95f5e6ba524a24945f05

SHA512
ad50417ec84263738ca3280df6a0a5980432c88196fb06e12b8eae4a36f8a7b9934a34f9d37fe98f2082713f437de614d904ef1ddda48315e455da951b224ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUUU.exe

Filesize
112KB

MD5
90b80ed8626c4510bba8e0f2c4481d96

SHA1
2eb6f5ddc538bb187b7fb50830f46bf6a3f1cd5a

SHA256
71621063a35453bd5ee6614934b3160636c15b9f5d03fd664c0b11dbd333c69c

SHA512
2c3973b6207e317feac9ec49947f98ca7800e44b12206ebaf120b42e7e40672ed49286f7657f33a19055e517c4914b4dcdba5574cffce8bb27d2e829ff30e2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUkQ.exe

Filesize
112KB

MD5
f57dffad9fb71d756fcfcff380a5f0db

SHA1
8fd11df321fa5b24c1fbfc7c48beab14fd1303be

SHA256
8416f5e5fd4ab342f31eb3be07abc6e3eb9b58a783934ef9715f8bc57cbfcc08

SHA512
2e9f32659b89b9adbfe5680c5fc8af72e3f3c324ee97784847863f077e2ca83beb5071b7914af66f04c5aa43cb13c5a3fe3778d6bab8e5fae4e2e5408ebeb9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkYy.exe

Filesize
580KB

MD5
ad5735956c5c7bfbd8c54c592fca7298

SHA1
afb5fa2707db2d3be32af70ab1bc35dda1929303

SHA256
1acb7333b896b8f8f037e98ec05d5f55a94f92fb3b1018409c67286dd63d20bb

SHA512
0b1f8f81824c977dece82053bc483d84e7290ebd9cb6ac163a339f53000dc7c74d3a5419aacde233885c6b1f05edd4a46d9c95445d0279048df2b41ae5c4d8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIQE.exe

Filesize
111KB

MD5
e50bf3b7575f3ef9deeeff1684fa0977

SHA1
cbed1508f8235f6fa0da695dc3ae72f2f207f10e

SHA256
1088f31e1d493abed13c60affb5f9e4a37d3491778bbbaa5876eb39a2d6fe3ea

SHA512
33fdf2874fe831f77fcc558c69706f10be20edf78d47590c984084d59016061f25e22ff48466b821502d70bf7e34c966f259ed7a165ec32c28e224b4d7ed406a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIYO.exe

Filesize
111KB

MD5
e46e1a1faaf1e76f7489b73deb37aa9e

SHA1
77216491971a54f27cf4105072a8624a21f15b63

SHA256
b1d6fa8b276510bf96cd36115603a89fcf31c88b5766ebc54f4045a489f5c8ff

SHA512
564eea32551308f6ecc2741edb0b55b61cbfdc37c0324dd8f58e1866883beefeced0d29eab1f3281fe644b6af08a9b67dcb74d92d4c319b014833da8c84d3db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIoy.exe

Filesize
112KB

MD5
0002b2a4ea258139b153fcd3a677b141

SHA1
912ee799fd1165627785fee8027285a748ce946e

SHA256
bb603bb1b52683ebf9bec0db98f268191d8512d5ebae50def9211d8198f3d44e

SHA512
8d76a4a1cb0551f181b9e4eee32bb3e563c5f01c5a8446a82c8667f3a2d0ca1ed5dce18642c9c4f152f0f61cadbdc6eb48fe18f8b81ad41170aae283a0559229

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQwG.exe

Filesize
139KB

MD5
7e1100de6e16ae6b95b33f61c89baf36

SHA1
88ed5ad989a8d8149c51cef03e67d01b8f176751

SHA256
ba12021d34a9d238df096866d973ee773a1e29fcb2aae314cffabc9eefa931de

SHA512
257c2149b6054c5ebf0b98dd703868694afc9a394ba9e02f21f083dc45629608b875a62c1ff0ad829523d7913d8cca1b5bc5b584411295e4aa1ce3c04eace550

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgMI.exe

Filesize
114KB

MD5
5c72493e1188bf66aaf9ffd0ab45c068

SHA1
7fbfaad5e3815240a94f094ccb0966a7e76ccb60

SHA256
750f15855a86d4c3f3cc03f49f49beb8c88ca742cefde74f2ff404842a5be84f

SHA512
a5bac6ef3171fd2f9bb71ce2b9421a6b383059966516a9ca1ab9b5d2aa7382af307b59bd7b07f06ce1a28a556fe7f4e24776498dc7ce4239bb0d042d9861ca58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToYQ.exe

Filesize
745KB

MD5
0d7725cee7ca45bbaf9cf8d37dc1a030

SHA1
6a1993c24f339e7f1253b43af3f8d04e689a020a

SHA256
4a528ff9bdeb7e3df7bf518fb2ad41195ac0224fdcc0aa2f0568d8567f3c7947

SHA512
6c5f1ff25f6c9aac3793be06a4157f41c47332a5ff6a5c5765ee7dcd0530e8cb29008bb0b34c44f747fb790370b9e3232cb63cdf3e7a56523571ff740e5f1844

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMMm.exe

Filesize
556KB

MD5
bd9b534d0c4b2d2a5487f1dea8890d9b

SHA1
79392e77a4855df498c2b34db30668a5300f5373

SHA256
f989197849a2ca97c905f9cd381de9063fd6bba91b50aaed3734cd300f5fe80b

SHA512
2f695ede8cf3a1f7fd3529775e064e780c6fa53c3103c05524e0ba8cc73656164892a8feeac6843f7719d1748588b160ddaca34aaf7ca879764bf0e26f6de063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcgy.exe

Filesize
116KB

MD5
e30bf0c7c0638fc18600cb966221594a

SHA1
af118aa36592c3f66178819f281c0345f01ca0f5

SHA256
d09562ee1b869dc6ea17d049025c133df674db1a3133e832374fbac1c761bbdd

SHA512
800a900a0219e946012e4c7321987b5f9ac499a8a9f9178b3adb55507d630eb3cc6d5b5472966ee7a61c6dfc8d90a8cf94fc8372f1e0908858f19f5eca59ed7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEkK.exe

Filesize
5.2MB

MD5
fb235d3ca04165cd144c313dc47808a2

SHA1
648e4aacda63643ae61d98d6cc93c5e99ccd8e78

SHA256
98e47064630bc91ce9268b1e9be3d329f66e625bbd40d61a570eaad2159d5809

SHA512
c459c0548911e50ad6b8722f25aa1136714ceec3f42bb81d8741f235f28835c164b7fe425c3f11753076e3293d6f02dc281a4e12c690dc8d799c42a6af8172c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcYW.exe

Filesize
697KB

MD5
51eacafc56188ca81c57caa5a057a11d

SHA1
63f4347c60b8fc248c7a3a963e4191990dc7bd72

SHA256
b7064c953cbd20fe71dcbb99ad30d3e722e2ae06fa1a1a1292cb6bf0be477a38

SHA512
0d0945de28d0130e297750caf32e092de9e35ac375c36cece2de6246738f10cc5dea8bd218e5dc1901898b7c741c8e5705bdcc7b88aa2c39e17aac560990213f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYgE.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUA.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMsg.exe

Filesize
111KB

MD5
7c173e01ff96fc3e5f90a522e8ee1d05

SHA1
213219a93c5d37d4b929b351e2ccdbb91b091278

SHA256
27d40bd2b4114a42cc3991432b9d005f2a0eab3e43a928b08e9cf8c6b7fedb7e

SHA512
7e344b5f28c2dc57abf38fc7e7cdff7d39043a11a974beb1b4ce9398802bad54f1dd6f48111cbedcb0f69aab6d9fdaebb89305d2add5d0dbbd4f300f73729d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQkG.exe

Filesize
485KB

MD5
79a30d69870437520c938c5f174cf6b7

SHA1
eaa20518fd850dd073b01e037ea50ab75fa8a30c

SHA256
5c465998ccb7a5e8c6d656e3370fcd1f3d0ef0707059f6575f891c74199df75d

SHA512
f449ce990086b0c461400ae793877d400178585d48f69f1b9e46e7d360fa6619f7268005e66c2346e01297b55b8a220a378d4d905548f2dfc17764da390f67d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYoY.exe

Filesize
142KB

MD5
57bceb0f4df64bbbeed2bd71c8a41ef1

SHA1
c60da8cd001a63442ed265dcbec3bf653c6d4110

SHA256
bda879155a99c23a3e58f181b3fd93ff0858bd8a85a550e606181929fad983ec

SHA512
8f117d76dc7879149e4d9652875c826247c41447d6a3a58914e15b5d684f8a3160c0c1002b13b885f16c5a684cc98e9a69b11c873260798a0c482667f5e11a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYsO.exe

Filesize
5.8MB

MD5
0a768af6a55defdfd4c58a25b6112544

SHA1
98f185b3f3de7df04635d803fdf1e73ff2fc979f

SHA256
f438471df16d7aeb3a465a54593378ef1adafa6c05cc67ffa0229e5b2c3d984b

SHA512
13b7442307e3ea27d1ba5a2eb2d65bdb9329f2b8100fa1f90508402f8e4801a4c6b3229b9be4e8a1781e3d312554b26b4cf9cdb9bb27a3969d12032be8c3e209

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIUU.exe

Filesize
155KB

MD5
de42a49c82c7a3a465bb1fe28d400437

SHA1
18e1a7113b77e7164aeac2ec23f1d84858b520ba

SHA256
c5da1c70b1da0bc01ff6a012af8db86787fa0733096aaa758d4d37e18cf6b2ec

SHA512
59e936972ed6e8287724fdc60504aadd4708bdca76d8a35bfade01e3f484e7497a80215f30951cebdd2d755df22a57f70459d3e0fd15931e49f30c8f27049973

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQks.exe

Filesize
115KB

MD5
a0daed6f42a044401ff589cb30dd747e

SHA1
ef62155a5d4001bc291cebbfc677c1edf4122ddf

SHA256
ff5fea1fd386220b9656a768b37ac88dc7b406c24d1893b34fa946073b76946c

SHA512
2d3ecee96af83f49b086342201cb21c4510f66ea49fc409a2830101c2edfea7b3c052f1503a8d854a3199012ce15f50ec25a51610cd6fda90a86b25d4b800650

Download Submit
C:\Users\Admin\AppData\Local\Temp\csUm.exe

Filesize
609KB

MD5
58439cb1239476b88f8af6316e2ac915

SHA1
42caa3330fefb04e780efaf3fcfe8f17247a4517

SHA256
cf8ad0f7ff91a71b7e0c2c50a0d1e4d1541887d4439c1f25514940b02eca2c34

SHA512
cd06765dc81b6add2f7330b0aa84c338ba7c074efd59d974da584a66c6ae6232336a39900a07ca55982b4414427a035207c8d2af26f0eb6f2cbfddd71984cd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csUq.exe

Filesize
332KB

MD5
091056b362770fc442ae0a0d6fc43bef

SHA1
2b5124730a8d045d8cf8ab84f2c7e8f4ec18e766

SHA256
a49ae289a19fb4aea8d00f246a632af0ed0e034a42ecd79c5eebe8606eab49d4

SHA512
5218b83f7fbb29d96c8dd237798e6ae8e02547a7aaabb85b6466c46ce94a47d2ab7ab5c02eae71d8e8b4dcfc486c1e898f6b9332d6b088abc6e81561b0816be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUsO.exe

Filesize
697KB

MD5
cf56453a793665bdea04b6450e3c1ab1

SHA1
c4fe6dabfe9c5f8d1e28b1ddfb517072701ecaea

SHA256
6d679a5d72f04b5bcdf8bbdad4e8c82a97be8e868edc71e37acb11ee7b1d0652

SHA512
113ebabc772d851cd2439406eca445d75c246fe4a45defc4707038ad02a9314a802f84b0e608e8ae542366b5235e9c911e9e8b0aabb1224c1c6b884335c6962f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwcS.exe

Filesize
111KB

MD5
42f74c6401bfaf234983b01b94100651

SHA1
0fa26caac1ba5e2470b80b8df879d855e53ad6c1

SHA256
0be4ac256e3c54f26d190512c1a51768a5fb08548190f2e83556d2480c43dd50

SHA512
8f4dfe522a71aaf5ddb98c819d9fa9eebf4427b029ec39539b7d84e080c8bcb6f68292a3ad00332da03904421a9941bb3c31243aa0a307ff5df0102f84d59ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQME.exe

Filesize
110KB

MD5
690948a9ea634cae4aa99feeec585b38

SHA1
d3b1f5eed58700070f341692e4d61b2d6de73408

SHA256
1c1b757ee2868c4a4236dde655c0a37a0f3cd48f1d5bf082f5210fef0407757c

SHA512
490911003725dffb6ead2e54e6b40c5a03971234a52e08614a1bb80d1ecba0bc68d1268fa561bda556e4f2da8a55571531bfd8b452cb3639ea0ccb83840aad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEYg.exe

Filesize
110KB

MD5
44dfdf90cff902ddcb88b96ee02fcdb0

SHA1
99fb5dd8c6d824085487dc81c971a1d297d8768b

SHA256
4d7ec4682383609eadd85af192f2aa10e36270b490c6d374921a915da44a010c

SHA512
4158fb81ff4d63ea971ea9321999401581d32ae051cdc63fac50e2838139ceb8c8a59936249a4db32fca7778a53fb86c201ceb7bbc2945632027ed6443e26226

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUcc.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIcW.exe

Filesize
112KB

MD5
7a5138cd749dcfe4b3ac6e6697a7fdc8

SHA1
160febb2ed41317d66c074f9bf6652c1aef111db

SHA256
028e68dc40ae66de2e505e028d012cae72759d15b33756d3985193f5c5afaaac

SHA512
2c4931043538624715a2a6921e94fd7a53a732a26cfccd725757e60af51292ecbb8deff1a1f188e44776bf13f1e536ee46731e8d819bb5389cad957bb869d061

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoEy.exe

Filesize
110KB

MD5
c5a924be47c2caee3c7f238f388bcfe5

SHA1
6a41b419a38d182efc0603286ea975e9bdae767f

SHA256
354eaf3790fd8e9cbbf622aec90103f3a4cd885cf0d9db970859f98163330472

SHA512
e90784224b441b54cb3017601c9300b6ad93baf8207e534da97d5b36e6f9bab482d639f8dfc1c580463867ce3d4bb7d41f543b31452d3d2238145578f5802034

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIo.exe

Filesize
565KB

MD5
98f5f7f48f7a27bdda280ab9aa3671c2

SHA1
2364e81662941d8665ca3a13ed670fbfde75f24a

SHA256
c917991031952a31a61df6d8adb54eb4c4a3cff195d15e4fee68f13a4f193eba

SHA512
5b8c08fe87f7439307dcca1d6375b7a7dc47ffc97a79c64581130abf0432c0c0e2ebdfc67e09e51b363ba9872ff394ed22f18374ce19d17e5a42401e025e9350

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUQg.exe

Filesize
118KB

MD5
1907a730ee4b2fb2d3006a4e98bbe2da

SHA1
666d7a1cc617a44fd74c91a0ae412f26fe105b8d

SHA256
d932f5c4900af5318af40794fee39c132f67a48a811d5bf76f08cbfa0b868fc4

SHA512
80c51c9e91978de47b451911c393777b7d17b719515d408a3fcb82f62a6fef55e1f1ab33c682c94c42bc307ba1fa923fd2a1315bb8fbb901514ffbedd936c362

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQM.exe

Filesize
114KB

MD5
9d16c57debd3a9303f844860b11a7270

SHA1
c0cb6ecb49ee1061d8200ecec30b161bbf1a635a

SHA256
1404c141d3dc938ccbe37982fbf023b7c55126735538fa4dc5b0ff313e445c6f

SHA512
f43a4a134c5761e8a008b285ad88d752253af1bd67705ae5b3ed7472607d7e920e7213d8b3fa4bf33ef290677f8f820b5bd119704db10efe0d897ad96233cee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIEk.exe

Filesize
119KB

MD5
e65e0b26cec71f528b8e4391bba57f33

SHA1
5bb1626243652b403d8f98c89facc3582497e8b8

SHA256
3f14cd7465493c5ebf2e0cdabcc977f7028431c1c8d93d6e4e286b148ea6a39b

SHA512
2575757117d02fcc8bda187fb458c89404046b9a307fc1fffa923c23393c90652b1d7c89c78996fafa6a1982b4a4b56f6c1967d5ed39db8435b9dc33ffd2dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsUY.exe

Filesize
115KB

MD5
b2812343e0704cbe2732d7ce03b0cfc0

SHA1
e4d1b131f4868f99950d7fd163141d916bf00f9c

SHA256
6671bf335fbd06d85fac907007f8ce9a70e6de3ec19bb5c4d279e4600ebf96d5

SHA512
70939c9171e721783bc469474743b0f028e9b29ccf21d408cf0dcd5a2e1a62320508bd7828e392c6587b0713c33ad420c6e35f15d08af7f93f7acc8f08151738

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIG.exe

Filesize
115KB

MD5
1ca3737093f313c4e422dd1425125b67

SHA1
86d1d5f3aa4a90a4f653756d5b579424d78c50bb

SHA256
65762a4007a6eb8cf6d74a55b0a240a1e57a7ea49f3f5881b6ca5e0175ae3e1d

SHA512
8006d68d659a2db44d9fb01bfc59da642c6f337845491680b645254f221a63e16ba3dea1c86d5c9b5ff9d236a75a4bebb6de806fcef856d5b14558f4388f77cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkAS.exe

Filesize
235KB

MD5
8e4f97b8e34e3bd530794f2d60b6ec5f

SHA1
d9653d1cf6004f1d5fd90362982a37dd5d731958

SHA256
79d9ffdb7250e3afad07512381fa6afefb9ede8e7fd8193a2a79c0be4c05aa7c

SHA512
cc7db940fc356c7e1d9d4de46e23347b5af1a0f473c06c257215f4d8b5177604339d6038c97d3d7694450e6f78df489fba39ff35d3918b941311b276e43f9b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAow.exe

Filesize
114KB

MD5
504877cf9c9a5239eb187a57b3d5ec15

SHA1
a0409081393cb54c966d50478bb5b556e050d197

SHA256
ceab0ef1a35563c08a5f9d57168680cfa67073a7086f814210ccd574b1ba7203

SHA512
7b4c117cd707533079709c07c58fd853fc194097071227a3b01d7996966ddf94116c33134967431ca1f9da57101dd2e24197efa3a28a9fb35a73f88f5625f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsA.exe

Filesize
742KB

MD5
d87fe39bbfe30f03664ac69d3481ae41

SHA1
0da48f55762ef2ec4a3bdb10d17117eb759398e6

SHA256
c9d539ac4e14197477f036dbb951bcfa9b379b4d75ae263f53b84671a71bb441

SHA512
e90d8a418e53c543d91708803968b0a9eecdbe71ed280ee3cd0a4f1c70fa6aedeae9bf0bd78b9f97aeeba096474f803085c965234b9583e7a20d5d76de84f299

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwc.exe

Filesize
110KB

MD5
2b5d8c0a4a5f0fbc17653dfb85649558

SHA1
68bef922b30c67906eadea811a8d871a724aceb8

SHA256
97ed11ad54b1a95b6b21786603043860178186e29b60fbec7ad43797640bff95

SHA512
71983d4704f201da339e14f88db8dda20cb39ed7d44606144c879727676238b687b6a4d634b0650fafbb109c781d25909eb76d61c13259ae738163ea1f528686

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswu.exe

Filesize
346KB

MD5
9c43780fe67e574020f889bf46b9617f

SHA1
439189ec7b798ab002cba35c5d1a11b02124a5f3

SHA256
d833e236693a0749ae4a67f2cccad24f2583750e848d82715c8b1276d802eb0d

SHA512
b53114c1a24f9c0b382dffe5c767ff1f2d0e2040ff3b62f05b1ea95a05c5edb8914c2c8ed2c591499eeed71c30e9ed943c504af53603dcbda41ebcad2e7bef1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUi.exe

Filesize
113KB

MD5
33b5684aecab07752d2669e7598c872f

SHA1
48dcc682897bb7fc44920daa8ea70d937d236d33

SHA256
7ac6e2bde45ae8ebe8e56dbbd9131d5893df1fc9971dc8e0a42a5e56cc7d9193

SHA512
17f61cc176412c9a31c50b2a2af99fad4e4bf42133497f556e417d0a3a06bf00d96e4151b2e050b016305922566502cea01cd1cdc62aadc5d46225e70421c2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWoAUMEc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYcK.exe

Filesize
111KB

MD5
94c4b9940b294c8c587a7a368a18b20d

SHA1
860a2977874226ac0a4fb08c481d15cb6d79ed75

SHA256
9b2436765ffbd8d869cbf87be822359afe3e3c4f7d3ed6fa2ecc57e12bee7e66

SHA512
848723aa659babc3503e00120c7d9322821c90e2518f94e5941c88475b19f03b24046a64bd6c836c666163b57118f90b2f2c135cbc391ef2e2f5ef238a58bc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcAe.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgS.exe

Filesize
139KB

MD5
49c055f7a5e6f57348fc5d78cf031136

SHA1
9a6281fc40f9d6a4480fd388fa1b445b930791b6

SHA256
af6a6923122344d6b43c9d4ed53181c26f97e499ff641f9ed0c23fec5e287688

SHA512
2b6b9b9fdcea1f73db89db6a9ef3f7bc2aadf204a8f4c9620a3a400ec3b08cfee375bf5703a38bdf6c555c227bc1a2b99640512ade0b33b035186bec87e09437

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkQO.exe

Filesize
112KB

MD5
c557613348594ecbed382d9827f09642

SHA1
1ba674f852ad585ff7f3b9578f274f4e024e3fe9

SHA256
a3df40db8dd17b5e414823160aac810e2e08eb214aa5a5afc364cdd83f8a1da3

SHA512
8927f12544442df8843f0e50f5d993d8ada797d42689af95e8a4423a3f737976d72040753ec633d289ad59dc3f76b0e35f15dcfc5bdde453fbd58f5624e56b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\roUQ.exe

Filesize
118KB

MD5
074152f91d61f7fe9f2c73cf8ce013a2

SHA1
9eee6238199bb9000da45793ac7f21a75bbd65d0

SHA256
631d0b1f7d9c034190d6f559b358feab4a0cd1247a7cfb7688123bee0ad8e0ed

SHA512
cc05ac14c5391d449ab9005619b7958c267dc180d18df0737146a355c7982ad12f478e573d32168367a2932f316e3b2adea0f3bfa38580ab37fbec95ec274c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMUA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEwY.exe

Filesize
153KB

MD5
b4f3594bbce70886f7246fdd340464a5

SHA1
f5736529c5a2363a0a7d6979ef3a262ce5ba87a5

SHA256
07ac5d9e32f94f55f6f48f4131f9e15aa10d86edd5bafe86eb9fd3a9410e8e1c

SHA512
e02d37eb6ad98bcafc4329fbb406b5e87efebd0a9718b5d9bc459bc169e60562979f3c9b24f4d968c755ac0471551c1a2749a75f4ccffac11fe8baa74c2ae7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUoy.exe

Filesize
126KB

MD5
3ed33cb0847ff2f2718744594e140b46

SHA1
f2faa2824974c4b726309dd7de2bb07dc11ca8fc

SHA256
3ce0af8ac10993807bc71bdfdf474ce81a33b9be75ac557833f344629bf58bb8

SHA512
318c559e49461174c58e128eab892f95a689a3581054fd27e25de54dac20961aab7423beb6df29a0d0376bac98c6327fa8d93914870ebee3f6e9d79893110446

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAg.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgAU.exe

Filesize
436KB

MD5
5f2e6f38465ef1def9b35bf33555bfc9

SHA1
da424d30fcc20bfe079d8eae275bc94e60b835f6

SHA256
3af9ef0669397c77084dad243d169062757ccab8bb159a0f0c4c67b0508c3d26

SHA512
5f7c24eb5abb3d737624d5308149518632df5e48fa9db888ba8c63eefde37f7d36061d3be7c9a6b71af8023b74559e8085d4c4b3e8c3f1af6e8770455fc7ce99

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMMo.exe

Filesize
114KB

MD5
ac59bb4f90adeb6dce8b385202eef57b

SHA1
b67079ef0e45ac442e4c7536cda93cb4d23bac55

SHA256
1f2356a567f3a8d5d911ecbec218d50890fa188edf282ce83fcb356fe991cc0c

SHA512
8d4f8e75158461c3da5c5d2da539c143dfd0d34e35a3d330bda453ca8ab09dbeebd083528cc3e9df1196a5ec76979a7610a76ffc145f19209810cb41d0cc5dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEoe.exe

Filesize
237KB

MD5
32eed09a961d7e201f6ff480d2451924

SHA1
e8bc5fcfccb7af85c489b33ae13d46e39baf8c90

SHA256
83c0d1baab8f8efb378040c28309422ebc72a117037fe54f89ee3f2d522c207f

SHA512
b673fd4b3f0fff7f9f33071dda52b7fabdbcfdf6c4d5c39b018d54e13622c507c1e7d9e525af197b27e2ed366ab0e5ce6543ddd805d274c40075ffb1997b5dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsQq.exe

Filesize
566KB

MD5
b3287975fe07799d9df57c20b21e2586

SHA1
9f6ae12f3479be513820df90b96a9adbb0a63d7a

SHA256
5bc8ec101f8e3fefc22dffced511d5ef08cad806c7ac2976c8d5f8a6cb1e7ab1

SHA512
debf06814fbc4a8b9ee8fc561da2b39ec44095816bfe0c8a017f98aa4648bc42749c59f4bf7b60c21a66709a5baff4c289f279bb888f74beb1d58f4d79f5ddc8

Download Submit
C:\Users\Admin\AppData\Roaming\DisconnectDebug.zip.exe

Filesize
426KB

MD5
350006ecedf631d2b08b6dafdab404b5

SHA1
2e20fbf638d02a5dde5e8cdaef425e47d1673012

SHA256
444728b5f63a2bbcbd75cd956011801dc89f62dd895bcb777f85b5d0e326c80a

SHA512
475d73ceed073d9a3dcfc4e04628652717101a244e673c1ee3d9f86a1f85f8d4ca18f90889fdabe5ccabfb4ebda50b8e872447e4a6ae8cafa7f5f6741a3781f8

Download Submit
C:\Users\Admin\AppData\Roaming\MoveShow.bmp.exe

Filesize
554KB

MD5
ef8b75260998508028495396a4b109ce

SHA1
62d55f3e71bd073ea66693e2b89d9312aa2415f1

SHA256
86d7099e97153c1e4b8fb25e31aed204cc0d6035ca26a4acc16b92f775f0687c

SHA512
2eb749c7f30647d4770e30f29170af2e29f842dcf7b8530b8766ee5ae0075e0f6fe5111ddeb1a5163a1699a90d6fad0084bfb0fd6e9cf67462b243860abfd5c5

Download Submit
C:\Users\Admin\AppData\Roaming\SubmitRestore.doc.exe

Filesize
341KB

MD5
f971477bfefc5d18a60bd85b8871d999

SHA1
70f3540187872c9fe9abe6cfa5d17ec62c0c9420

SHA256
e81f39915eef1f0b905a5529da8380d748cd9e3dd1d22ceec01fef372fd22531

SHA512
b8a781fab3f6f2145e5c3d96ca123ee6d19addea5d3e17d413d6563a0d6625b158297af4b7941f14482a5331c36ac8e83f777bde393d56617b9826089949deb2

Download Submit
C:\Users\Admin\Downloads\ConnectWait.rar.exe

Filesize
484KB

MD5
4443169b5a16c853e97f00f69bdfafc8

SHA1
5a7216130e42ce9f87529b466b71587c2e580aab

SHA256
7a479221070ac77cbc731b875a606f86dcebc84ba6ed7605f3f492d0a90f51bf

SHA512
06fc900efbf9334aeac7999af67418193f542fbe3b0e4a071eee5854ad1862fc4020836603812c2a1a4ec588965bdfa0fb8d2b8172fd0ae0afd738feb1f5e183

Download Submit
C:\Users\Admin\Downloads\ConvertEnter.zip.exe

Filesize
362KB

MD5
d5932245f122795b9d0799bde6de3089

SHA1
def696b63970863ceb907382c4c6e7f01d31a035

SHA256
40baaea9d58f92b43f55c74882845b8bb3ebabbc3f694fc7874350c0e915f202

SHA512
22f1f1f10880bc1f74ad067223441fd106df8c49ac6e207322612500b9f315e6b4c96ce3d0d99060222c37ada6a509a427a00686ae7436475ab8bfb3752f549e

Download Submit
C:\Users\Admin\Downloads\RegisterPush.rar.exe

Filesize
803KB

MD5
ff54d9f98d7e4f028357bddd156bc866

SHA1
e1995ddf4edb6a2955e30a349ad40b9b2ec73a45

SHA256
0977f05c7de5a034e8a96337509b6f5487aa30fd06595ec8ba4c6aa4a8a5bf41

SHA512
758f32c9f6b06c2f46099a3b13ae2758d8e23a07fc4fe06e6d3797c0ab01f6dca6e44cf4116489cf94277339b19143277bd0644ff1023f0ae59353d443d797b3

Download Submit
C:\Users\Admin\Downloads\TestShow.gif.exe

Filesize
286KB

MD5
dafd0bbbe23a601d773e579f111445fa

SHA1
8680c8234a6b0f0cf3fd59a7f5a48a0936775714

SHA256
df08f9289cead6cf9a1ae502b475536422ecf1eee15a61f6992764afc356d76c

SHA512
f74c288ea8d60959b8b5cd7a40613620075b102d12f377de44157f7bfb4257221eb65ae7022fe9b6c672229209e5778d76c5f6ef737e370807636b5851c1442e

Download Submit
C:\Users\Admin\Music\DenyFind.gif.exe

Filesize
605KB

MD5
fa60b84629e28b42ac24c5ea7133c231

SHA1
d372e09c8fb990cb7bee1fba4c2d77a93a9f7ab9

SHA256
64ddb1adb9a96dcac1b847c07d42cfd26d4aa8d215eca58db516b51ef7e9c66c

SHA512
18888d54028283cc52a3ff41478924ee253b4ef12fec86e420dd2a17e0b70b3e15beec59cd24afdf4fedcf61c2a318b7dcbbf0003e2a202aa5e843338aca7e6c

Download Submit
C:\Users\Admin\Music\InitializeAdd.zip.exe

Filesize
630KB

MD5
70d576fd4ca85c73a7081a5a1144b082

SHA1
f52c5f45ecf2f587759c08b4bec9122c20638fab

SHA256
9cb14a96ecbc09f307bfc7940fe03d65f71a5b2ec51e9e4837d25ddf5d510ccb

SHA512
0f9c603217ed5e940f3a9e792005ec03aa5bfce56993327336c2535e450a6d5f33a670cf06d78b1c8c21db525aefe2e64f732eeab567822c9e19a18f54b22ac5

Download Submit
C:\Users\Admin\Pictures\EnableSkip.jpg.exe

Filesize
353KB

MD5
254f43551ca4cab54b523f8b7f1154fb

SHA1
ff49344e033c3739541aa7bff4588bd84567867b

SHA256
3c231e0e4df29112ee3860ebe00a782860d85c843c9df943729dd3c9c7577c2e

SHA512
a4293e9f12e4f8abacc6c6d5a02df1cc50748f4a44eb20fa5055d7b53ed201eacc2df867f507b2d975dbcd24efc15e0846526a26e45b374398657e6422eba122

Download Submit
C:\Users\Admin\Pictures\ExitUnblock.jpg.exe

Filesize
400KB

MD5
7bde622b88a317458c90de0a4ce0c5ff

SHA1
be3f85cacb6b9dd6b7457c2d2c32fd1793a52949

SHA256
4818ff8727284765525523c5411359b6044d5f87c89f07f0bd4f337492006282

SHA512
43f900ad70319b3d47363a24e190b7d7e2260cc1d6e0d827e03400161e82f1eee6fc7b2fa65b454f4a39145213f1cb1ac2da03e51cb2caceca9f4b413c60e909

Download Submit
C:\Users\Admin\Pictures\MountSkip.bmp.exe

Filesize
288KB

MD5
f9452954269e9e9dfb80a117343f9175

SHA1
eeacea944d9ff5264b5e69acd0d9e774c41346f7

SHA256
cc1e75e31202bc5550a6a125f03820d8b267a436ccc7c0f433a8af826afd2e30

SHA512
fdd1ec97353a5b3c57b2f5bfafbfacafb5969225ca196e053c18b51bfcd1f40466c648af45336d93b6bbba743b129b3e561fe34517e938ad67005d597a2650fa

Download Submit
C:\Users\Admin\Pictures\MoveRequest.gif.exe

Filesize
359KB

MD5
56d0d192f7c02c846e0978041e265350

SHA1
1e568da7881dcfd81844f4511ca8680ea688d99a

SHA256
f56a4f701c5b66c02d53ecfae1b682949f1a9b4ae2f4e0433b2f4fad6ee7e93f

SHA512
b44540eabdebd9f97ef34e5fad66c6e970a37cf0f1c1c8c73d0d929f1d9cf89497bcc57ccf8ce696216fb1e3209000fa666fdc880989ba75c52146764daa28f9

Download Submit
C:\Users\Admin\baMAAMAU\nGsMkUko.exe

Filesize
108KB

MD5
f26db60cd45601534c830d70d45f671e

SHA1
e9b6c51c64c8f8094cf20f18ffd37dab64e03c61

SHA256
cb1b849e63a282e252b4c44e49247f2da6b825e3d124c54b927d5fd5c6ea5913

SHA512
fc63aa407d5f528358930b0eb7ab4f600ccdfb6a9099506bb5aae9f19248f81bdfec24f9be15e1f23f3521faa0bb22f1d5af1d012c34404319edbbe28d7ceebe

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
20e7484fe0a0c3fe4de6813d4cea3c94

SHA1
666a8c77ac2b57aafd50ef9164c0fa9431a67925

SHA256
4c2814d4bd44b6a8f12b8da655695f2135bb3ca5ef4a9bd7e701843f38aa5419

SHA512
5d9732f68d6f975b910b0d5fbe2bdfa2a984e2554da08a99febb32c0fb874022bcac1e857502760afe102a611bbab7a8757a79525fab0cfe931c79ced6fa5c15

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.0MB

MD5
c99f53203ed94004d5a5e2384a1dfe80

SHA1
959262a48d5db3efb0741c96859c0e4629420539

SHA256
41788c4074c22ee989746ae204ec95814e785498ed9c597598a22e5380553e9a

SHA512
c4acef419b706917ec6418e4dce1cc4bfa7f970cd2ba353598c9e4838b6f76324b9f02066f2432667f0b0941cef05f23f2f7fb845337f3ec83c6b8e52601a3d9

Download Submit
memory/620-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1424-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1432-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1432-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2140-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2284-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2284-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2360-2000-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2424-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3228-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3228-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3236-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3276-1999-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3500-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3952-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3952-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4124-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4560-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4560-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4944-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4944-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download