868755a7eda59a0b5db15a58df3cdc78c6dec111e28c76a6928eb4ef3df7cafb

Analysis

max time kernel
155s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
Size

117KB
MD5

13f6d8509b9986f60aaa5d2651a02594
SHA1

92dfc39cb34688bee66f7b28649b79c3f7903bd0
SHA256

868755a7eda59a0b5db15a58df3cdc78c6dec111e28c76a6928eb4ef3df7cafb
SHA512

b42886a64e5a07bdcb9c9086bedffea02941b6d73aeb3856a4a1b0800e400401b639f94be53aef9e991c0ae506fd819747f0e4ce5c93f5bb4751d695cda9bb02
SSDEEP

3072:0HQdeI28ZZtEAJLj64a0FSs6o4NnVrrAUUQ/iC9:HeItZnjVFN6oaVrAUB/d9

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 36 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DwoEYgAg.exe

Executes dropped EXE 2 IoCs

pid	Process
4608	DwoEYgAg.exe
3948	NwsAYwss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DwoEYgAg.exe = "C:\\Users\\Admin\\GsgQwMMk\\DwoEYgAg.exe"	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NwsAYwss.exe = "C:\\ProgramData\\asoIwswg\\NwsAYwss.exe"	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DwoEYgAg.exe = "C:\\Users\\Admin\\GsgQwMMk\\DwoEYgAg.exe"	DwoEYgAg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NwsAYwss.exe = "C:\\ProgramData\\asoIwswg\\NwsAYwss.exe"	NwsAYwss.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	DwoEYgAg.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	DwoEYgAg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4680	reg.exe
3420	reg.exe
4632	reg.exe
4800	reg.exe
4684	reg.exe
436	reg.exe
1388	reg.exe
2984	reg.exe
3936	reg.exe
2460	reg.exe
4828	reg.exe
2708	reg.exe
3672	reg.exe
1984	reg.exe
3340	reg.exe
1388	reg.exe
1424	reg.exe
1732	reg.exe
1352	reg.exe
688	reg.exe
4684	reg.exe
2404	reg.exe
2068	reg.exe
4388	reg.exe
1156	reg.exe
3476	reg.exe
4868	reg.exe
2416	reg.exe
4848	reg.exe
872	reg.exe
2456	reg.exe
2980	reg.exe
3796	reg.exe
452	reg.exe
3168	reg.exe
2560	reg.exe
896	reg.exe
3824	reg.exe
216	reg.exe
3824	reg.exe
864	reg.exe
3452	reg.exe
3476	reg.exe
1412	reg.exe
2572	reg.exe
4616	reg.exe
4392	reg.exe
2632	reg.exe
4876	reg.exe
968	reg.exe
1208	reg.exe
3328	reg.exe
3456	reg.exe
552	reg.exe
4860	reg.exe
4160	reg.exe
1960	reg.exe
1240	reg.exe
4312	reg.exe
5064	reg.exe
1596	reg.exe
3064	reg.exe
3576	reg.exe
464	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4468	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4468	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4468	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4468	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1836	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1836	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1836	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1836	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
5076	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
5076	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
5076	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
5076	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
368	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
368	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
368	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
368	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
968	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
968	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
968	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
968	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4680	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4680	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4680	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4680	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3996	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4192	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4192	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4192	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
4192	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3056	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3056	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3056	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3056	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3444	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3444	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3444	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3444	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4608	DwoEYgAg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe
4608	DwoEYgAg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4608	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	95
PID 2700 wrote to memory of 4608	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	95
PID 2700 wrote to memory of 4608	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	95
PID 2700 wrote to memory of 3948	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	96
PID 2700 wrote to memory of 3948	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	96
PID 2700 wrote to memory of 3948	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	96
PID 2700 wrote to memory of 1152	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	97
PID 2700 wrote to memory of 1152	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	97
PID 2700 wrote to memory of 1152	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	97
PID 2700 wrote to memory of 1352	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	99
PID 2700 wrote to memory of 1352	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	99
PID 2700 wrote to memory of 1352	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	99
PID 2700 wrote to memory of 1960	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	101
PID 2700 wrote to memory of 1960	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	101
PID 2700 wrote to memory of 1960	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	101
PID 2700 wrote to memory of 2604	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	102
PID 2700 wrote to memory of 2604	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	102
PID 2700 wrote to memory of 2604	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	102
PID 2700 wrote to memory of 4476	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	103
PID 2700 wrote to memory of 4476	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	103
PID 2700 wrote to memory of 4476	2700	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	103
PID 1152 wrote to memory of 2632	1152	cmd.exe	107
PID 1152 wrote to memory of 2632	1152	cmd.exe	107
PID 1152 wrote to memory of 2632	1152	cmd.exe	107
PID 2632 wrote to memory of 3692	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	108
PID 2632 wrote to memory of 3692	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	108
PID 2632 wrote to memory of 3692	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	108
PID 4476 wrote to memory of 4876	4476	cmd.exe	110
PID 4476 wrote to memory of 4876	4476	cmd.exe	110
PID 4476 wrote to memory of 4876	4476	cmd.exe	110
PID 2632 wrote to memory of 1616	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	111
PID 2632 wrote to memory of 1616	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	111
PID 2632 wrote to memory of 1616	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	111
PID 2632 wrote to memory of 216	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	112
PID 2632 wrote to memory of 216	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	112
PID 2632 wrote to memory of 216	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	112
PID 2632 wrote to memory of 2416	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	113
PID 2632 wrote to memory of 2416	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	113
PID 2632 wrote to memory of 2416	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	113
PID 2632 wrote to memory of 4736	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	114
PID 2632 wrote to memory of 4736	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	114
PID 2632 wrote to memory of 4736	2632	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	114
PID 3692 wrote to memory of 3768	3692	cmd.exe	119
PID 3692 wrote to memory of 3768	3692	cmd.exe	119
PID 3692 wrote to memory of 3768	3692	cmd.exe	119
PID 4736 wrote to memory of 2152	4736	cmd.exe	120
PID 4736 wrote to memory of 2152	4736	cmd.exe	120
PID 4736 wrote to memory of 2152	4736	cmd.exe	120
PID 3768 wrote to memory of 2956	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	121
PID 3768 wrote to memory of 2956	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	121
PID 3768 wrote to memory of 2956	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	121
PID 3768 wrote to memory of 4860	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	123
PID 3768 wrote to memory of 4860	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	123
PID 3768 wrote to memory of 4860	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	123
PID 3768 wrote to memory of 3824	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	124
PID 3768 wrote to memory of 3824	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	124
PID 3768 wrote to memory of 3824	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	124
PID 3768 wrote to memory of 2572	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	125
PID 3768 wrote to memory of 2572	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	125
PID 3768 wrote to memory of 2572	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	125
PID 3768 wrote to memory of 1640	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	126
PID 3768 wrote to memory of 1640	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	126
PID 3768 wrote to memory of 1640	3768	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	126
PID 2956 wrote to memory of 4468	2956	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\GsgQwMMk\DwoEYgAg.exe
  "C:\Users\Admin\GsgQwMMk\DwoEYgAg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4608
- C:\ProgramData\asoIwswg\NwsAYwss.exe
  "C:\ProgramData\asoIwswg\NwsAYwss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        8⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        10⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        12⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        14⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        16⤵
        
        PID:488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        18⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        20⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        22⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        24⤵
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        26⤵
        
        PID:1344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        28⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        30⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        32⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        33⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        34⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        35⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        36⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        37⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        38⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        39⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        40⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        41⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        42⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        43⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        44⤵
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        45⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        46⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        47⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        48⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        49⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        50⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        51⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        52⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        53⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        54⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        55⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        56⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        57⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        58⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        59⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        60⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        61⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        62⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        63⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        64⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        65⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        66⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        67⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        68⤵
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        69⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        70⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        71⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        72⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWcUocUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        72⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqAgYgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        70⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKQIYgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        68⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsgUsAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        66⤵
        
        PID:3704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMwUIcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        64⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:3476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAgMcgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        62⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeMcgkIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        60⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCkkIMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        58⤵
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYUccIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        56⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imMEQYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        54⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQMoUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        52⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOkUkMAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        50⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmcUgUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        48⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmMAocgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        46⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywMUMssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        44⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyUIUIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        42⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqsoMwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        40⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQUEAEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        38⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fksIUQIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        36⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyQMcAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        34⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCgIoskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        32⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEMYkwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        30⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkgQYksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        28⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCgYwgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        26⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqUEcQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        24⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAEMwIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        22⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEcsAQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        20⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwwMkggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        18⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGookAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        16⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEsEMIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        14⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIgcwIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        12⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWIgAAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        10⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQMAsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        8⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:844
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGkYAQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        6⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqEsUAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1960
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKkkccYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
235KB

MD5
9db07af6d83fce60e1807bc2cabab13f

SHA1
860a3641d0daf3f457754b3f31bbee619bd1c7f5

SHA256
ab246de116c9c149edb86f1df3541c77dbb4a2b3ff3477bca951afdcbb7b796a

SHA512
74786256d7b4d37a276e323de52b31fc80e46acf2e500b073c59efc21c8f5e92956d7f8cf5c1f065849cd75cd06437ccf61888cb508d5ae8927acf410211d907

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
158KB

MD5
16fdb13a64d4f037a6fb0ffd57cb35e5

SHA1
7ee70c6a93864dbad1fdfdcc3616936b741eb6da

SHA256
07891db220295f88224011dc9a17a63fa1a46072bef74fe92fe16ff474be136c

SHA512
223d758dee46ac603c8b5283b56c3ba46f9d7fd0fb820e1955f1d73126e69f23eeaa706c8464389d9576313645503b09d77e6059ad7108d8525000e3d15ce192

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
140KB

MD5
1f992cb8c7e2ee12938e6c5b60a65679

SHA1
d2117a1cf4f73fbeef40137e373c3f6f7fa4efa9

SHA256
2a123efce775849d3a66af6d94d47b50cc355494ea12b2e9e63b79fb717e29e9

SHA512
c2d78926ada5afd9d7a056ad53a0512a2e570ff5f9417990428cffcfde783fc5ca252b2da5389639b67478f6d8ebcac56c6852bf1ec6e6599ff237765bed66b2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
138KB

MD5
d839345f1e5e8e7b318e9ba8bf8f9b9e

SHA1
b84ddc595377893d103d41879d2b3811577c3ce6

SHA256
4277b15fec1ef3273a1e8d69427b02ddfe93fb6aa38e9420baceb46e706e0651

SHA512
91bf3597ce50897ce617e06886d971806e09de407c45962ecd5923b471d4babf0b9349672c2dbde1ba8962a4bf0539a9cbbc1fee4e3980f39ffc934a4d51c7d3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
150KB

MD5
07515afd4c6fa7f30bff0f3c21e833ac

SHA1
d13284fcd32370e82571f5a9f82364dc44adf8dc

SHA256
cf75f93695b157e32800ef409f4515c0b709a986edffc286472bfbf7f4d11e59

SHA512
694393a753b22233ed77569bac9e143cb8b974380bcefcb64dd5190630509efb4a282195bf1580835cc991ef40f7abba2bda82a1a14ec9edf54d80833b95a9eb

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
236KB

MD5
3e4d8dde83f26ebb8c6c03d4d8ec6e90

SHA1
656615b61f118e2afcfb4c965c9c5e50c77f715f

SHA256
0e20643952e61c72d3da1e330a3f4080476a65e351f7cb902fa418544e6f28af

SHA512
d5c115eccd9f0e5f60f75c492700d607c8d1cad76a78048b870ed098e49f4934ade68785c076c6aa6babc2add2e450e63ccff46e18cd084e088e9fa73324705e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

Filesize
110KB

MD5
5006e90971dc1cc3bb3e141b196f827b

SHA1
2357ff2d51da770c01bf89971f4dfc852ab89067

SHA256
c4ff481bca1b1f617ba09383406afb558440dab8c1de0a9e9130f783bac60b54

SHA512
a023c5fc02b22cce9a506c1fa7fad3decde28b2ec94dc4e9f36fef68664ee530f949228621dde840ab31ed39d9b15131b53d4031b7f072d34def7abe062293f0

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
565KB

MD5
f46358ae8db542fd52bab7ef9dbe6ced

SHA1
eae24f1528a50af7e2a9d46599e4fa7924996ad0

SHA256
94b86e06115b980231433783210d413f1f2a6911b8d968cc94b9c3be8492818f

SHA512
8447dd2df5aefba6ebcf623278ab6ddf486f39c51163fd41dc46cb1657567bd0abdf51058b64ba1454d7e552b5b5dc9f6f13611d5cb554b27ce26d7735ad216e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
556KB

MD5
108ac57777e2ebd70ba7b6e14042eb87

SHA1
776d10dc9f7ce22e060534bc3f38bd0b6b88f238

SHA256
eeca8fd17bece04326efbff3d7bb76c851da24ee2865f03f17e62476318ab17a

SHA512
9ccd27c14dc5fd8db0bfb2cf97d6f2506e3a40e1c44be6de1731dc361add5987e645b04fd5fce87e8661669fb1b6dc4ce762d8a6275ffbfbe04cac155450c246

Download Submit
C:\ProgramData\asoIwswg\NwsAYwss.exe

Filesize
109KB

MD5
3066de7a447622481fb1800b1ce874bd

SHA1
22635151aa5c17a0681094cfec106ab9384020f5

SHA256
dfe3fdb3c1a949aef659c17126b73b3ea0b4ce50d739e5d0268465664a6f0e58

SHA512
cba4afca58fef812c8917c90e04e107a12e22c116b0bfc473a8c6aa21bc4ac7320ccfa9312074557d05b9151dafd2394639cbd999bd18260808e8e4bd619cc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
120KB

MD5
c931d9274126ee74826f673378947543

SHA1
fa41861fa04b81eee6a2789863e11e8fae8796e4

SHA256
4696f0ba3febde0acc9278ef1ad95d851760772047aadfd3fa9f6dc84de42857

SHA512
b275f52c8ce08e0db5d3da84a7e01a46740c36d623dce9640879374a09f066030813c02e4878a3d1c0e90a937df8d4de4334c92dfff9ecaabf8a295f6a1a3466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
117KB

MD5
7ad5afc4b64747a9a433aa3fea5ab5a8

SHA1
fad01038e9191424f5d6900cbc4ad3231e10c29a

SHA256
b8ed765d59018f734a14801c8763f65d546eef7fa3bff6599ceb293003af19ea

SHA512
32805069fdbf2d98c743652ce72c608fb15a3e7fc299180080a9af75d4da4ea8e35580383317e29bc0478c40aa9851aecafb75b004dc12c49bf50591e33f33f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
122KB

MD5
cad15527ef2341220c91de997a14dea2

SHA1
0c6189f247997923fba9e468cbfcd226a024c2af

SHA256
5615586704aac109b18124eac4fc62570bb2d474bfb2d1cb42addf774481b497

SHA512
9033bef20f6d5f09da786969fed2205bad7d6c95c677e07d1bc4a737d6bcac63a0f64f53e1c45891a8166f003489b3da4c41f6f0833322e07f71bfcbefc501f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
116KB

MD5
42cf70c216d3599cadbf3f055863ba32

SHA1
3664ae5030c6c824493071c492798b35eda2e924

SHA256
93fd34442cc14283bd0b4b9b93dde35a0379a4532ba81e3b8a30ed60373c5642

SHA512
e056c38acb5fd13d2d01e2c9aa64d3ee191c0483cd0815a149fbe6a6ae8ad7816b5d99f3e6e31efaf721187aa2d19412f6b4543fd878d7703a7fa26109d613ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
117KB

MD5
95a902aaabd9960e04c60fdacb433280

SHA1
c2d2d4747e4ddd575edfa661fb3e77a0afeb3d6f

SHA256
d04969bb2dc99f2f3073bb9beb6225148e5bbe83e41df4848a617e4541a56069

SHA512
46f429cfc279dffb7df7f233de823c5257a4885673a483ab5910005d656ed07e5a0a93d8943cb792a4c5d4c94257661e62492860d074af40be5b2c1b49c1827f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
116KB

MD5
495f23b7830450983c0488016f5c9000

SHA1
1184e782e03a9e1dc1f9d95be84f197996a9820b

SHA256
1c4c238898b50bd665ab92dcaf779cbc7d54a01587a91f5979407276629ddcf3

SHA512
c8af38cd861b59024c564d3a99a84c1662456ed0fc4855b0fc29008bd2be15ece10a6576db00d556a7b05096958d243bfa13206ee8ec62d498e9e877481b6d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

Filesize
109KB

MD5
1d350b42ad51bc4f07f9a1bae648f2f3

SHA1
1678a2844b8c5ef283ccb057153a9475aa578eab

SHA256
d30299c461d8599ad2b9976baed14673d457acc36d1cb7cf64f9a3200e81860f

SHA512
8b11c66615a260a88f5eacd4acfe5c0942518b1fdf1d366ef6658f68f3c5e397406764617e3eaf05c91be421882e7069eed30914218cbe6ce500107c883e1fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
110KB

MD5
6fc2f80fc477a203d2ae38d8c63aea80

SHA1
2f2bee71ba7c1017295960d022bc00f5b996a0cc

SHA256
e09d98fb9b4624b853ad7145b0c8a2f8313c54586ccc42eca9ed37671db660ab

SHA512
a2cc1d3b078e7455efe3d6c8d3f8db235af11fe681e3041d9927757a87d326dd7fe4063cbdd4e77f1af5930b465807827d1d7a4bbcac1ab1e5b5b3c13f8ee3a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

Filesize
113KB

MD5
3ad9e19beb789ab75f89268eb706c96f

SHA1
33ed2b2343a7518deebe7c385a4a51af61cd0fe3

SHA256
5714e9059d01e589944eb998008b380a33956dbc27b2389d987d2d19f6a46646

SHA512
70e92f91b6284ed04336b0c09fd3d14573203904a05c8f11187d346bf51deb9812281a6a2c78ffcc0402b28953da276631381651d9f5135dd20f84549afd779a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

Filesize
109KB

MD5
442175c32fafb92c5c8d36ff2ee5a84c

SHA1
3b22c58701e7257f1a3dd0b4b7c0e7a78953acbf

SHA256
f9b8558533570c2054d4d7044da13f9233b65085791eff0a9bf4bc4fac706bc0

SHA512
9c5204bd871e27e91ca4c140e0cecd6064cfa2799ff9a996ef2801cd4ce974348c02ef485eee76e49e1b81636b5c105576bd367a7af5014b793e3d0a0ea3c41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

Filesize
112KB

MD5
52d71bb3a19d91e34a0902564878afe1

SHA1
d8c885c1e090b7d0775f86dfd07960a03f23eb86

SHA256
923ac462e5961dda2e8df70c6ccdd1da275b4d39ed374c841ca89218fcb32b47

SHA512
f9f12652bcc3f3325b9cb443700a6de00f7cebef80fa4bd2eb859435feb2b8dd7aac00958bb0a02dfa70fb968ebcef2e2782f11f9a165cc5f3d93779ac849cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
115KB

MD5
02b91bc05cbfc57ed3a7fce5ecb76507

SHA1
24d55cb9f04d9ec02460c46d4c14c2355b404f49

SHA256
07325b3477478211e91312c13adf03e08581e17e13e6ce0fa741814bed21be3e

SHA512
4de66e24a177177fd6044dfe758c4682e05dd3821bcf1d9b9d61fd773b899eb31d1c56f403b7d21e5a85fac71d51228f845456ddd2d5c2403e1a45348e69f1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
110KB

MD5
30cf87e2d7cb2d2a4379d19215ddb2ad

SHA1
74d00a0947329c0f52ec67a903efdb73c70b16b3

SHA256
d63c480c1d18ee94ceea302f8b8c187e2f9e64fa7037a702728097f0c579886d

SHA512
788863f9c5d4eb58769d56737e6a073b2c003974c27bef6728cba4bf34ce0de93054d8a268c7302ad20cd0d233bfb7e77e6e373e789f44d4f12614f9c9a03d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
112KB

MD5
33bcb9b4dbbbb8a0554772ec1283981b

SHA1
990ebd8712d232c830bf27a2deea29a7a797d719

SHA256
bcf7a6e364ad8d19e2bde71cd81dff7109b5eb291ddc0f0ea242c2995f9326a1

SHA512
7e7932ed552bc5dfde1d6e2bf5bfbb000e7d44d577b3a43b04dca9d5313b85c3bde0e6a339734dd5cd2e65c9126a1643790b7b116ee324c802e9e041a32b845b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

Filesize
111KB

MD5
df40b10fa61df73940e48a9c6f6f3b8c

SHA1
dd0926bdbaeb0d0572a2507403ad557a5ec0456d

SHA256
f8968e34c7b639b6de0d9c5e310aef1d56784343fd932bff58895e1477c74303

SHA512
c55d2700a210e7e72e0ac48fb189152ac5f1d97cbb946a18ee1433758a34cb3c3c3e37fe8f55c4d3ed703646e9db102ffb0a5c07bdffe67eeffa103f566fdc83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

Filesize
111KB

MD5
47519c7e9a370cff12f3c6baa587ef01

SHA1
cb92c7a8e93788bab965c937d68eed40124de86c

SHA256
6c7ae91abad4baa7ca915930d27fc39ca461e2dfd6ae951513424c6b7a97686b

SHA512
2b6d25ad259fe69b8660ff72dc7f6968216787b055c85694d4d453065ee8e72943f9b0630a1a8e20e8f0eeffb4a83fad7bb54a6ae00252a5d54d1ebd388b0d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
112KB

MD5
4095a67fd023fbbaf66ec048a80a4f74

SHA1
f0400b6452c56b92269e6529099d6c34915da15b

SHA256
c279b5221659306090ebd9d23cf0553775bd72613a1ea5b36940a13206784432

SHA512
987c4e90c860317b52c2de6310fdb116c7ba1ce83181234feabaf0ae6c031af5ce7ec5b67182f27866659364d291d056f37be00c63598ed49644ad832792d6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

Filesize
109KB

MD5
05baaa3bec3f46d1a190d1855aec12d9

SHA1
a2ed3c79ff6735958f04f430f57050071b9dc4ef

SHA256
c198cbd6c06ecbe787cb54c9065c89dffc1fa56a3bde80fd1ee9a81fabce4760

SHA512
933af507e1fc58d04288fcec57b9941e0676c6cb1ad0710a55e281959ba9d88a0bb43383944346f3fa503c82dfca543ee85167448e73db3a903c623b7f55ea82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
111KB

MD5
ba3ce11ac44ba049c8dc37f34edfc8d6

SHA1
43b1c26dfbadc60843cbd7f7a02dfff646373f55

SHA256
716e1c5b6e61a04b39e4696aaef5db5f219eabc168fdc062c8503301f4c8b0c6

SHA512
0fb9b995e4638c4b8f4efe40783cea4daf34bbb49431f0372b71153609f4e55a618ea6db645976e971e6aab8eeb4139628c20d46dc3dccdbb96244abf6ae3846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

Filesize
113KB

MD5
48213b3da74cf3f6bf4dad512342d2c6

SHA1
5e44927df6050bd5d5b3a7b218870c407086e144

SHA256
68b2ddf2deea9b4bdd3e07c8af4e1839ae188c809265e54c51fc0ebb79727173

SHA512
eacf11ce479c5c2e4fe7101bd245bdba51a9aa5ae452fa8a92d7cd86936c6cf6ba5d5458192a0a1ef1a8e58007a757dbcb1e420f1cb75a04184d97ef2c928c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
d1e00e117de83cd847211a6c93f723fc

SHA1
13cb79c75499dc32d0f52a013e5b0229934e36ec

SHA256
385b67b94b397b08162156052e6a0c163e6ab49ea456eec365a301084ec0b3cb

SHA512
53ba54c6d06df29013da7e3ad8342944c18cdde546ed9e0aae06e0ed58bade3399d961fdcd7bfb3c7fdbd398b1d38a00d6c44fcd4e305d728a63d6e96ae19721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
112KB

MD5
42827a0a6f2befc7a71acd4bcd216c0d

SHA1
ac8bffcab6d4494326c467ed11732f68d3fd9af9

SHA256
059ff1fb514e064d030a656047f13c0cc6ca50d49d0dc2d6a475803795179ef2

SHA512
48e85567547e99bdeff4087ebbcda98431e1d697f5d120eb3370c7ea3181b9794f277616734b785fe72e3616273cb6abc73ba8d4c9e144f7ef4519d9efa378ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
110KB

MD5
31fd291616ec9b4f89f6e46a43b73777

SHA1
74335d9b143b1e5e2b19e148cd0d4f3679a19a56

SHA256
2a77e3579418d4c8bd9f62b8d1abfcd7ecdb4a10f69271e48afa6d7d2a53cbbd

SHA512
3772d11eee030e67bd14b6ac21952c28ac94e6572e3f437ec5bfcb00f90bc2be711e84547b7fd85380d0a3334974f17adea8c53d394df1d79c0a16b810bd9b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

Filesize
110KB

MD5
82866e0460af03779745d19f34daa2d9

SHA1
0208088fb27fc916c9187a6475d0493e655efe29

SHA256
05f2f6c69da78f026420e871669e785df50cdb30e70ab34a160acba7ba06a079

SHA512
bd4cfa2553a3784557411b1ec92e94099d18cbdb503162aa4a08709f8a74bbcda2a6c0b3f1b0cd8e1eb78861da306502c3605840dea2d2164984bf792443e860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

Filesize
110KB

MD5
f5adde59fea1662f169ee58377145997

SHA1
5dca4960bef9e6d1243dbbca17afba5178fd5c93

SHA256
e3e45f20bfc51da727e532d962932b49543b61b899363fd9c12fd90d0915b1fc

SHA512
bce05ed8f81f2873a21c91dc92157237b99f8bb36576b5c0d883bf596d5d0aee8271aff110629f88c25720ffabeee0b421499368995489d2bc89eaecd7e788c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
109KB

MD5
603a63b1bdf0210366117bc7cf6d22cd

SHA1
c21acc78a58b4121e21a2272fd067875c87ca0c0

SHA256
e2b6210306fb2cf6b89ff2423f761ab243692f4af8f614d8b9eaa8edc7be3e3e

SHA512
08a54723042f6d41322471fcdadec6befa70fc5f7db1117639caf0880795c7848fded6bf4d59cfb172e25fff315c27983da965e9af59c0c48a852577e1d48d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

Filesize
112KB

MD5
23a0ac0bf1c93064dd2e5ce04e28f154

SHA1
75b84dda17f6d7161deef79968b171bc085c36c8

SHA256
e102bc6e028e23b78a9944ebfc864a7ced2c6431cfee4790af6513839bc1370a

SHA512
668ecac0dd18faed5948b3717abdf47c4139db1f843b231c37584e55877c9caaf6984c28b1daf2e073e22ead8c211fd2b43f4f140638698c59ff453e7fdf2e8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
114KB

MD5
cb1ea3ff5d3cd64375ac286f561221ed

SHA1
da49fd114338425344e06b0745f02c2e573aa38c

SHA256
0442af1a991d15b6772aa4df21b12c3a30022676b2b5b8705ca87bda288dbec5

SHA512
350196247db2e72eb9684b5fcd51689891eba78ef78011179fc3d170f28f4c0d7b8c06d41557431b0c2e022064ea66120e73fc70065d0377c897f4b5e0bba576

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
112KB

MD5
9eeed309470dd9307cacbb48da9343d5

SHA1
e31338e86e83ac717c2d76223ae5da45e0bf05c5

SHA256
d5a07a400ff62c62336a484a6833454d19954c9303c9f090ec42ffd4acdf8112

SHA512
a861e60bb297398c5c46fa4fc23460461efa2fd554a4c44d17d66d1b939d20bf3c2d533e1cc483f022b45b72239c3d339437b347617e5b0353c313029e375d09

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
111KB

MD5
bc7df7e9cd4bb62b8d209c7a58796b52

SHA1
160452564fcdc85490b78724821f62f41e5f5cb1

SHA256
107bc836955106032996a96720024e135c974a6d9f9b0cfd023dd5ccec048e7b

SHA512
e3131e0cbec2c4c47d2914585dd89130bf3a5f8b9bd4e86d60e1b17f4c0bbc3581a8d378f51336aece511e5605560d37991489947fbdb9bda4f9b526f547990e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
112KB

MD5
cd236381e894ef50b54ba9acc4a8810e

SHA1
8f1cc56997b9fb4c4fe27b772ad943af8d80e032

SHA256
84538008ffcedd2db9003dadc1794a758e2260417163342276f0b9278548d5ab

SHA512
672edde696845f90da7d10a7e046c155c2322e1b34fda3c80cf6b1dbc0db97bd13c80c2099db613e4d4267956143ff2cd21ecc033f453905c3d5930e3d060248

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

Filesize
110KB

MD5
94f705d2ee3ec4067f3c229b89f0c42f

SHA1
d43ff5a91dbb6ea6d54baf50f156c4be9125084a

SHA256
dfb0de0ef862e13979c6a7d7ee3d832ff4ed1ef22ca252555108b0953b31daca

SHA512
6afd51f30d0bf8c293a242f814d39e00e35b6320d7e41228b56a005b70c2c37bb53353c837567b251cc08769f9d9a2afa6a3fc65aa52e0b68a511d3ddd836d7c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

Filesize
111KB

MD5
91727f0a208988f8c1619be963fd92de

SHA1
1ff25691b8e5d6f5da59813891a81eee211a2526

SHA256
c014aa2d8db25d13d3ed22f2bf80a9112346aa06131a23bb869f7f319047371b

SHA512
7269ad27fe830112ac08b81a9491637dd9e359ccff9458be8b7f87c0c23da6fa37f6e3d14a00cb2161667224336d2660363ada66062d861cde8e888f6be10b35

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.exe

Filesize
110KB

MD5
6e37ed3a64a02b9a1d6abc0a1ee88052

SHA1
3403fff27c77dac78cdffd030d9a8281e413e966

SHA256
5f651c6d7753d305b6ff8a74a2966b975fde5f5fd2a500a39c0d08de03564153

SHA512
f6a9bc5d268f409d85a3953f1b04cd46dac3a6b6410c80e0d03c025e505e559259d08017afe875340bbc26f9916b8b4f3393b7fedbb0113a51f6e420df6e18ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMC.exe

Filesize
236KB

MD5
19debf334034aa1c8a7ac2ca4ef57de9

SHA1
2f5d4fb2a6931dfa134f488d89b7dc834da32432

SHA256
bb1443c59f4262962cd74f70dcee81ad9afd5d1b10e05a0f32ca7e2327795a87

SHA512
fba166ad1ae0ec2576406ce14e443c4201d570a1982f9ab23a48d7c131e37debf08dc4826fe284bbddd3766215cc83ac4b5101e90ea093ea93967eb341a903f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYsU.exe

Filesize
747KB

MD5
1d0ea909ddb601939046a58ea95ba5bf

SHA1
4c4bb44ce504dfb1dceb79e4cf8f5c0637c432a4

SHA256
39841d96ff6c158be8fbf22f9ceed82be8adf0216ceec91c2e2c7def9e051480

SHA512
4e713f61342925a1ccdaf4ef2471798cbedad76c1fa9f59f80dc91fb5802e683e4220887b14b90beaaebd17e282834423b165f5cc13d0c08a1d5aafcc136f841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dooi.exe

Filesize
115KB

MD5
e884e010a877d031e7ffbbafc17a41d9

SHA1
ad3252959d8dd0718acd73e776c437eb2b8d8ab5

SHA256
286451adb86b67b602fb8c65ee64b2865ec64bb23b68c33a2400d5834c537400

SHA512
4936e736983d7f357df141f326ea41891ea791264fc4875bd568f9ac3731c39f22dd018921e0ac554d2150650b3ce06ddb8c270eab093aef2a80a9d58f8c3b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAwS.exe

Filesize
113KB

MD5
0103de8b6ff8f161e082018d11e775b5

SHA1
7122f6dc41101fb32e43a72d3290a79d99864f25

SHA256
397d9f3063f2109de40c150bb9f74ec77c8b00731851559066d2cc86393e04cc

SHA512
70362233233a983d7a27d68939756be6e598c08f9209c22edc2f866f7db616665de6cf181ee2690605e47d5d18b909339c168c11906a16dfa1ae8373ba1fc054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUsw.exe

Filesize
491KB

MD5
ce1902bb38ad1062467ef35daaeede57

SHA1
6809ca1386d41c1099b7126e60e3181c9c6ff209

SHA256
5eb4359f03971237f9bd17093706a905aad0ce32d541e560ba0fa141b6192798

SHA512
d10765f5b1ad7791c8d6de3888f9972ebe032fe7ba2373db45b511597b5ebc273079450d497e1d5f66bede6706feef407528ca6e88b4f7ca936e9a3015c1a5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoAC.exe

Filesize
154KB

MD5
777414a67204c27d0d401cf44d6c8661

SHA1
5968f7a5a368b086cdf912c0cc40e98a42697fed

SHA256
17293336655021148aa15d7a469f7a89fa8ba72e1450a973b8a2467110955a71

SHA512
921c51ada655190a1171e2cf04252ee6922054fe16f60d39c01844c2af620d84e65b1a599cc5a0ff2df1eb8fd56a15bd860270bb0c33093db243cc1966e85bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwQo.exe

Filesize
110KB

MD5
ecbc862e47d722eef8b8dd4aa943b940

SHA1
b86b5f91739112f800a94a05c6a2a0974d23e394

SHA256
3a73f9ed0676cffca539b34cb55555f1975187f54a1b4c99dcf7a5614bbbb2a1

SHA512
232e5df3dc5030daf7cd5dc902429d764f003aa2f2fafeffe0eb491f36954e0e9d39a150bf063c4abffb979ccc24ffbf46272c96ce36ee59fc8939dcd938c7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUce.exe

Filesize
114KB

MD5
a310362ca96dd3574dadc59173502fa7

SHA1
043e2f887cd51cf8ca682c182da32eea77eaa293

SHA256
e5f687682d4159efca15ececdbc0c316fb58b45a44ec89db806188999aa8a7ed

SHA512
9a769ad05fa50a3c52935bcd4529514b9ab95eed871752aa6a57e4664356443f62391de825909d905d7c7befbb15788e609c4b614901ae14244fa76fdee3ef1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQsW.exe

Filesize
720KB

MD5
9945c1a50c50bdd32237e2a8953f157a

SHA1
42521a37f844e40472bd98994029922ed9ae0457

SHA256
e317efec4079357acc8ea8b79a8358590bf27da9663e03e760d15ce5a95a0a5a

SHA512
1d52966af4a27cba8e3c8a7c2f6e0e76906345663f66812347a9f8c1fc9bccce56fcaa26368425ea401be3cf23e81dba9d1c40eea0eb40925919008f1a725e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMC.exe

Filesize
115KB

MD5
6b6805f37af9739e7d223153528ee98d

SHA1
ddb7a5228180c03b16dfa860e48c263a710da92f

SHA256
f43b4e0a9da0241ee608732ac1c12daa43201e9ae5a5001d3882fd3da8fd571d

SHA512
39e2c6c0cc8e645fbf711394ec8e8cb40e81b22334e35f75f51515157ab2badecdc5e32700a9ee26564d2cb6312f1731b6cc6500ee80afe683dfd61019de83c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYMw.exe

Filesize
697KB

MD5
0b659ccb3c7fb9c7857b42596aa66643

SHA1
8ec967cc59335003163a403158f0c3ffea513d0c

SHA256
3dd3a08c6dc757e5824c05ce7115b558955d3c0743f2e9855c84034b187b4628

SHA512
7917c5d81a97bdaeb900126c6fe550fed6bfabd368c3da34dc26fb089cace5fcc9a822f9db96ec84a396a487b070f8ec26dac8663ce4e1c80789fcbfa8f3062d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgAO.exe

Filesize
118KB

MD5
ff6b61b8880c07f630779ce33b174cbd

SHA1
628465496bb42ab203f0aecd26313618d35fdd58

SHA256
1c4d3a0b860cf07761382e2bf64e989b784087bf858ba7bd34d1548f40fc23de

SHA512
50f98cbf73b5d7c6e76b3ce172d71f5c6fda63bf6b9466cfbe958d76ec6f640557a113ff7d68545ae178e33e16d83b25e6a6bcbd076acc689ec2c7c8d27c79e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoMW.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMq.exe

Filesize
110KB

MD5
dad58137102616b7b7ee43791524346b

SHA1
f7103478def76e49b7b45b5d045aa2da3182af12

SHA256
4702c6295a95cd03891cf4d09de3bde5ef2a16a0913d6ab4b10f22cca9c16f93

SHA512
0c3cd8aa627cce4f863d8416bc40b5c5ea8f3456055748222dc673bded1e4af309c597cce2861d0536d64bae9cc405aed8f9d5eab766224b3638315af0be36dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIwM.exe

Filesize
118KB

MD5
cb85c240eb6cad58a0fe73d352716423

SHA1
0725ebb5abb60803e61baceb6775ff414c6128ff

SHA256
6650862343274b673d0e981ea40eb25813d7a8191378fe1200454bfaee7a9523

SHA512
6d3c775803dd8984618a4a2dd882c863f4587d3697e11804097f7be2323365e52d0d16ba5311cfc974493968d4231e63cd7a794de95dfdd8b193e65462c7741f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rcsy.exe

Filesize
142KB

MD5
c2a6dba0965bf5bbb2825764273dda55

SHA1
22df0e588d88f91a4add07c56c4ddd1a064696ab

SHA256
c16dc8f945225409e977b2275384fdeb7f10a0d5f71d558ef79dc1c9836f9e49

SHA512
df0576134a25966ae7d381b9bf67b54c66de7b911f4a69aa4846e744fe0091ee77382ae8beef0057872a1904644af9771d87c6d87ad93f1566b864261f8ee103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rwco.exe

Filesize
118KB

MD5
c8967b90f438b62b1c4993402aa73975

SHA1
04babe00c18850218bd845d58444e9646c9d5f3b

SHA256
4dcd2294b7d1210235d97951b71fdcc14f0baeb25d9bfdb585597faea850ba3f

SHA512
4a1aecafa2c0b282d9c9d7a9ebbe9e1438895be5b63cc3269bf8ba8a123297ac02fe6cb8f461a45907a49b1f3189a22aeb60e7b074ca3d43b86936040a0d3d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcUI.exe

Filesize
125KB

MD5
8362a435366273987f9c277d0a8835c2

SHA1
9802a8d0b42ac638d10f06a7a1afb884f078286a

SHA256
00522de9d83a162f2e58a4f0d3f230e697324d37d6be6de39ec10a028df1d07d

SHA512
0fe07566a0bbbdd865368814e6aa811396628b6ae7a9d8535de0bcb0207f9e86f9b06449720f0524b3c35b461a30d0048a4ad82292d806e280e8a6d5e5f213fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUUA.exe

Filesize
116KB

MD5
7c8590befdb7451fbbdda6d2916940b0

SHA1
5e08a3b702135f5bbc89f1cbcbbb349f19843782

SHA256
cab79e19f346ca0a49dc9a38d2e74757f3003ccd192417e7072388a1617d7d4c

SHA512
7d79b4e8829fe73f3e77945330a76ecd2753abb735975d838f17b0ad01f869786ab2508f5fb011748921d3439ebf37d72ebcc3e8dda787a7510fd25cdd8d0981

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUwm.exe

Filesize
749KB

MD5
58c01ec1608f9441b87168466f1f3875

SHA1
0c5d6a60f59934a7c51e101459eb013c10d6684c

SHA256
0316c2ac250b2a4d5e8e8a53f08eefc7df5adda9d86808c676cef00c2da3e117

SHA512
3a09ecf5901b9c9d34d477ad24f76da702842afa431d41ab0d0de28eac14d7d1be117448d02bf4b4460e911bccac255427fbd8bbb98d82bd2b8f30afce8e2031

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAMA.exe

Filesize
110KB

MD5
92cbcb4a63dccf0a825bae147c2e17d7

SHA1
b919574979586f8735ccbb20ee2eb09b6fc0712b

SHA256
804cc672955be091f930249c8e85e3310bcda1897a5f2811ea207d903cda166b

SHA512
d01df4971583095b3ff92159746ba383c72904f5ae5c4155f4ffa439c4afb748a4cceff621a0c6c5a703977ca27d9049baf869939fa30d00770532b17ffbfa2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUou.exe

Filesize
129KB

MD5
5de0aa32dff2dfb42349188f3adfa0cd

SHA1
5d76e718e3a1674efe02c00b14118b79972111f7

SHA256
9e7079c932ecb04c3f45ebf970213f8de532d82202bba894eb1b61c4fd7d1faf

SHA512
5ca66cea9ff43d4590de6da45dee306e06033edf2cf4fd0f2b380396a8f0532423c65062333ffe499fd5d8e27477ba9c90ba5538220591ecb75469fe4ae9c19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgQc.exe

Filesize
116KB

MD5
5a2553a5b0b8f96f8bcc0d306f41f44f

SHA1
58f55f2b20cf8e18e38140ca982a3f25c7ba9a70

SHA256
125bb89090afdbfa135ac15f8b33d351d39dbb07e1881a5d5f57f3460237d54e

SHA512
b4390d772e4b8683431d2ae77abd68c69e7480ec6533993cc6fa3860e56aeb8b9b36cfa37ae2dfaa419cd8f863ae0f3b5b6c155e1555ea706e1d9ae6c6a56ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwME.exe

Filesize
5.2MB

MD5
53f6430cc0e09ab1871be822cdc286fb

SHA1
36615183cb8cf170f38ecff1f05a31d54e02f0d7

SHA256
54c1fd932867b7e2ed29c7c108446111ec0e0afaad0b69ea466f2d6410c66ef1

SHA512
29acf1a7596030a99472975da7b63f01f1e74afce94aad5c77036d74ac7ca1152e03f7dd968a50c9ebb16f1f482ad849f2f1a71a4ff725f247d0cb561d058c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgQe.exe

Filesize
628KB

MD5
aa18b6cc416a9ab1bc7ff82a43b1ff5b

SHA1
c85ab44244551809487e408876b857c31ccf2cad

SHA256
b47516d66ae688aa9dcda35656e222aad8062ef7aae178e0ccd86d8e72dd72c4

SHA512
506d8eb71bed1269b61b3fe59aed31f2289c662bab501c8402fc2d45e51528fc7e6e9248f6ba4ea9fe36d8564f59adba610e4c0627eecec8735b7d3435599d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zgom.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAgY.exe

Filesize
120KB

MD5
97ab3ca558ec1a25b43a02182f7850cc

SHA1
3e7a5d2a3307a61d4eda342858453e934c72862b

SHA256
9a2406307a79feff57cc495642f98e4f1a6465f23ec76fc46bbd35a4c9086c9d

SHA512
1ec7da31abf92c02da6083e6f3b2a99f6fb29464a19a2ff9e33b283a2ae9cab6426b8ecaf7f34c714978c419b9040d4193d565a4c33b4ab02a36f450f67e031b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMIM.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcQo.exe

Filesize
116KB

MD5
18d3394835f0c8714d7c3877f52ba7ff

SHA1
0b9d22c549a478f31fb3c079350a800908001a56

SHA256
1d37c416e2726e958496c66500c982c0314a89c4b83d213e6e695220f642852d

SHA512
c2ab70e3d001c785173aa63ddc2450e1d64bc65315f359dc685c986a6bf17938802218e6ffd518115847d0028f14d8119c3bde4480a56fc29ace8201169c7e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcci.exe

Filesize
113KB

MD5
24c8446618eea6376c672e053320ade0

SHA1
2bb8de81cbe0df214b3e348fe374a5a02081c1ac

SHA256
59215283a1a00ae2ed1c007887fa31bfac152f4eaeaf3493473a4efd3f478fa0

SHA512
4f58329b8aa16f2ca98a83a52f79035791572dd080c7266136b5972a6da3bdf0dbba2116fde8fb2d8aa993192560e0e5c0b1ea694c54a078901bf9c1c8ad9fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEQE.exe

Filesize
120KB

MD5
1c61f83dd520dc6c6d5de56253b1ef2a

SHA1
1b8012859e4d683d6104953bdd1216f1ab103e1c

SHA256
342015884572c573529ec2b193bb23c5b9add6b34bb189d744d9d5e68698fc79

SHA512
9eef3b20c2800ba3fa5a9ad06b634d046abdf7ebf9c7f1008dbfd039e4dedd76455983983348cba9d280b78e5ad238df8a8165a4676bd0bb2e7d11262c851a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYM.exe

Filesize
352KB

MD5
75af1198f7b7860bc22ce3c688cdc618

SHA1
4fe584d5aed46f5c636f29adf5162287eeed2bc8

SHA256
f3d077a5d5ad1b6f35dcd0aaca2c631e514eed6fbec5768d62bbb8eb30f92971

SHA512
9264d19121cd2920536b2394460b4d038882b491d678b6f25367c0ee4507026c20d8ed984949877bb9e06423fc6bffe5e63335171d2844c41d5274a5adeb0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscA.exe

Filesize
488KB

MD5
2c61289e285655f8eff8701feaf63bd1

SHA1
395c93497d39094240db5e9c17f4faf22cff32bc

SHA256
b9ab03982a057443bda0b615330112e796e7d6fa10bbd6a64e1b695d4d4ed0ff

SHA512
78c8cbf41d3cfc16a0c977a81dac075ae3a6caefffd4d0b26726207de7b09859635624d282009b481a2d96f13175ffe08c0f3d17d4f0e03fc9390ca7e9ba5fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwkM.exe

Filesize
1.7MB

MD5
83a473ce971a1478cc760df416152c6e

SHA1
9d2c8be2230fc58a700ca5d2fb99db8defbe9e17

SHA256
f60fbd8fac8a0fc651f75b219ecdc5d4306947add41876a76b86af5abd61fe9d

SHA512
847b9eab1fd94e00bd53d441b21c844572bcdec4291dfbc1de63204419ee8ef9e3e42b518747fc1b24425d65c230720cfaec7a18b866eb41a2274dc01eead76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYMQ.exe

Filesize
143KB

MD5
c2e7bb403b05d7e9883b64e69f7f346d

SHA1
b25b265bf3882cedd7feda62d0b7db97f5934443

SHA256
9c45495a85b6e051b160aebc46f6159aef17361042eafeb4d1565e8c1c653517

SHA512
70cb500786cbe967101ed1fa6dd48add00a797bfc2c669885964f2f6e3882450052e70f2dd3cfe314e52422b8149dd03145c4bbdaf4661127d5ee7efc24b6d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAYC.exe

Filesize
564KB

MD5
39cdefeba5fbd2d306f934c9bb32b72a

SHA1
a16d9cbc15cea68bf761c6b8a42ae82bd06b486f

SHA256
49eb54ba53c542a3051537a0cbb3ecb4504d1dcd8bca36fcafa533936e0f4f41

SHA512
c843bcadbc8041f0542d6954061e3c6ff77c162acfd17fc03c9b00b96044195a56dca14dabb66c97e60c6719ab0a86afa932cc4036dff91d7190afe7ce267dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEYC.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIwG.exe

Filesize
122KB

MD5
3f6354ae54ee95984961205804dbcdd8

SHA1
376506768b4da875c846d20eb2c4ae8c1e7268cb

SHA256
a0a4e397411a9e6c216776c9ac7aa5148b52bd15084ff2ebed941ce2beab9672

SHA512
e9fffa1c183cb22054908b092e171bc7d205bb0d2b36b3cd4947e562a6ddf9b94614e982c95a080a9944a541f3f99099b80eff9973aff62c70dc4c53b2283ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAEs.exe

Filesize
121KB

MD5
93b94c11b5a34ca4bbce541bd430b892

SHA1
244786702906dc2436ee798c3bf401db1f16226f

SHA256
6c21e2b638693e2b3bc247680ba86ec50f2b66f94c4be306c972c4e89c55c765

SHA512
1ec0d37c4061425a3815baef73841b5721484379a06b6a1741d58da7baa8a2ed0e858846da1bc0b7b43c502d09ce7c9c1d54a445097c9525668140a8fbf55a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMS.exe

Filesize
242KB

MD5
4b2ff09325a88022959ade18e0f2d01e

SHA1
496fb4dd69d08cea888c8e50568df7ca1f260391

SHA256
e6a4ad2e52dd7252d0ef4b4d80bfd9e716e708c8ef29da24af42ac9b1dfb5355

SHA512
a8fb0fb81cee4e43996b60ca23104b3a7f9db6f41c1b7b878d60bb5a8b01b708f78b550a4ca278c06e9b6abe980476d8e85c3de7ec3b5ed04408eca267e2a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEQQ.exe

Filesize
874KB

MD5
1a8a58f5c8c860549edadde7d7560be5

SHA1
bca672465c829b7ee7a2f7f81b46f5198984eea6

SHA256
e3f6842fdb7d0f1fe7b491defaed0b335ca34433ccdfda508f23c7063a6213a9

SHA512
59a404da836f43b3c766d2a33761d1caa9811d30dbb47764e50b6d1157d253fffebfa6d7cd397fd449f77f66553c9da37d079758f92a99f05e6ac60fc3e3ce3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\joUI.exe

Filesize
117KB

MD5
bdbb05c6a545db9ff6de8afc4a608e5b

SHA1
fc2a87eab05732767495511b1f374c0d02462a75

SHA256
9e0b3938b3facfdd9f060384f8deab4db1f5e77e8d6f533db67622022c61e41d

SHA512
a0ffb1162e830d8fc25c5168527f9eeab2e40e6cdd952cd5388fd85c29d45cd091911b8c4eddabe386ca6eda313cb21d788edf0b289d1f083a26dac3e57e7d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAYE.exe

Filesize
111KB

MD5
809db5d7c22b28a934f42fcc4fbdc830

SHA1
114f389591437cf5f37b3009eb59917b57b8f103

SHA256
56543fa9901547a80c26864a64cd5489c065eb631584143d42473ff27aedcdda

SHA512
321f103592e0eb62ca2d5865f84be85a5dce1af1e849889de12fb8738f55cd3702fdb86e6dc0547dd1746bb5a8efc977eb6a57dc4e06c3b7d7c4e7c240a72c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwQQ.exe

Filesize
119KB

MD5
fb0db61087bebf6787efa26b09b7ec04

SHA1
4e4aac907eda7d5da4968c1bd2cbf631c1b58e20

SHA256
2780da672174000a020bed8f05e2428af81e5acd1ad8f5a0842ebf3e02eb83d7

SHA512
9926b4bef0df4bee1082b5ce2f5692d61c91b14b952e478f42f384050b76101fe1d0d4b471a3e898bf7d21b102fb95298583d48e0c981d1a70f511adf7cefaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEMs.exe

Filesize
567KB

MD5
a7498fc56e3075d76bb44c2fbe71274c

SHA1
2e288905d8ff1852816ff61e0f88d7af42e9088e

SHA256
efbd9385bdcc7cd42732bcba96a841df41bf1a7fec19dc903b967809f2375a82

SHA512
b4feaef93a0b789ff6de1c396e476d1ba04ab0a76230466a2ade911d69f66761661aed73910b1aa3a6f38b9693b06c1f3e83bbe6fdccc1055a7e2215fff731ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUwe.exe

Filesize
115KB

MD5
faae9e5e658ba73d2d2531f6a8399ca8

SHA1
a62ecd69f47befa60a927790f2645e4acc09ecd8

SHA256
f7eddaf4b88d75b2d0b38d5828879efe75302fc43357ac5a8fec1c3df168caf5

SHA512
5faaf4df471795d69c68bf8a3bd08237792a38dba9d1352625150d85d990776db94c6de63562f19857a2a0049582fd559e89a8e50d7e107eb656aecdfd8a3516

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkgQ.exe

Filesize
555KB

MD5
63b0726bbd4f3561e920b22257a14dd9

SHA1
f1b2c55203702b2f71ffa02719a2319b92090070

SHA256
c14e2fb369f8937a489b93505b46eef9d106c58d4e7141893ae072494b432ed6

SHA512
bc903a194d15f649ee10ce7e4ed2cbbdb8809767db771b599ea36339eec884fee38812f989372bdcdc88b7873b99e540148be39621917316432da6cc32b475b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQQs.exe

Filesize
109KB

MD5
76118d2dd803a684c582d889d5c23c47

SHA1
9c218b58a9e6c343e420bbe0c1f1ab09144d3bd3

SHA256
372882c310d37b5442bcddbeb43dd96aa18a1597f7b606be66197aafecd23cdf

SHA512
90b1e2bf493edcff0edb96a1f759997202c27b3a303c34eb509d82908c8238310abb03c13753c53ebd4fe70b581a713ec3edc64df5a7c121a0d6aa9efc1c193a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYks.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEoY.exe

Filesize
331KB

MD5
a8ace2dad00f5d82ed65f9dff0915d26

SHA1
50da3240237bde5f2cfd52470fb9fad14510aeec

SHA256
6b47d1106bf4dcd8ea3729900530348599e19976674a65a99caa7a01947bd7f5

SHA512
da83e6f9c581fe0ee4de17b6744f8e919975d4255e87c9f6b71d51801ec45623dece9fec88b024f162d0cf106c6e38c79955bf69a4d61bc205ba6584f8476fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tscO.exe

Filesize
697KB

MD5
9fb598c4fab9e560c8f1ae12feda81a7

SHA1
8af467b88e8a4bc454d90cfb2192c7f6264f63b6

SHA256
97a7feb37d2d093327cc58fa95b6dee53e81bc6199109545747761cd3da2a428

SHA512
310966477c62687846f6511ef33aee4ae64fd91c6b033c48a924c85fecf3f3a077c134ad069eab6fc527d8a9a972eb4790fedd311f997db134ac44e4907b95ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vggQ.exe

Filesize
118KB

MD5
52e857932a977ee1ad50baa13179e0c8

SHA1
eb1814ab8a36298bd96e38192e116968f2030173

SHA256
14cc926c1f6814d1500076f1621fe7c5fb78a119a32764bf09772f43b3902bf6

SHA512
c0a409bc81a26934049bbf6fa9a220b094c8b8ed9cd904913787486e98384fa01361a8ee28db8a88e0254f705cdcd336f811155886278f7109e4865f90ca45ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkUi.exe

Filesize
117KB

MD5
73a56c1a773b86bb09b645a5a1b23e93

SHA1
39aa1ef34f80c3aaad503cd28cbcb2bf149c1124

SHA256
c434cb247c7cdabfa33e28fed43c38a2f3c4b7e89b36a99bc6cb1f55311871cd

SHA512
12e511c9403b9e91bd6a7679ab41ed57985edd714a70358618a20cca167bb672e2b4efc93fea6932657639e3e15cf5fb5671f3feb9b0f452f4b3306f22ab6ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAUo.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKkkccYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoUS.exe

Filesize
725KB

MD5
d7742c0101ac615c5be336b74ce6b612

SHA1
e546eb739ab86b45289f24fa86d53658d304a7f1

SHA256
86db1a8074a701670070b1259f6b23692f69e28b7200b0dae64617039c827ddb

SHA512
f9c33764c38520f8bc344e51c63b7c8b87d68992fcc4ce95899d321ebd396c7c6356b458299b46aa3b5865db7c3e7c6b3a23784f14ebab41d7f83eb777dbd766

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMcw.exe

Filesize
111KB

MD5
2e58cf713c700f5cbb6e4739614662b5

SHA1
0e481540b770408fc09d3d3f33a25cdd5e1350d5

SHA256
1c4488ef90d8cb3a924b53726d051f65c7fd6d9cbb64ca9669f13a97da4dad44

SHA512
4a3e60c2c056dea86dde59ded85e7e0187415d217e77f05008866d171e82fcebdad8b184c95eb7528c1e8d973491060ada881494eb6d43406cf574b059cadb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUko.exe

Filesize
150KB

MD5
a18fa6ec12c318495fb1fed874592013

SHA1
ec8852c24a2a76aaaf428bcc809037431018e7fe

SHA256
d4508558daf386801248fa6cde73c0645b5876bfb4cd98608f6107e25b7b9d6f

SHA512
fbd4272f88b49bcbc4a7761cd8b56dd4c89a43d5e02e7f31d1f3a434aea79d9a0f54dde0a9709f5ffdf0ddfdbd6380864a3a0451c3469d158429e55de4cc88e0

Download Submit
C:\Users\Admin\AppData\Roaming\RepairUpdate.bmp.exe

Filesize
462KB

MD5
c32cae07a5241ccaac9f8586df87aeb2

SHA1
5fb75b0767fc6fb8f787485738cb0e72b41d78f7

SHA256
f2bd163cad5a25d7aeda4ae639621ad67c8635d557029e9b1a1e3b61860680dd

SHA512
b143baa5fc388a0dbce6ccd5ac2fc4451e3fafc439978f94bc48a814de8398f8f9152d7b1a9344eb97354e390b714b723f5bb8323b4308659aa6fb1eeae0d40d

Download Submit
C:\Users\Admin\AppData\Roaming\UnlockGrant.wma.exe

Filesize
580KB

MD5
7b4bef8376598b47f9c8dc5397991973

SHA1
44144be6a3941214550b9fd85d3bc80852a8030f

SHA256
dd7fdb751cc7a5fccb40238d0c43884a7cd14277bb450b9b6d34f785279073fd

SHA512
df50b40c55ef72d4f8f8f9d0a1c2953a91807ed82fd5f436897ff9e3e770ffa820527aa190d6ae532c1d9ad8c8470077852a15957fc6398008cb672586c64c8c

Download Submit
C:\Users\Admin\Downloads\GrantReceive.ppt.exe

Filesize
866KB

MD5
f99cf4cf3a20bbcc0b03c57e960d25a2

SHA1
0dbbb4ed3ca73e33c0440b9711886a09d3200793

SHA256
8407256135c3a269e8feccfe44b5cb32b9033d09573aad4ff4f60b2ce9eca5ed

SHA512
116aaae3385bcea16fb3522a66aafefeedc510c89e172284b30c02ecc2d090bb98040eb5e7e7e5f9a30a87eebf4d849e81e0f1c98cf4aae9ced1538fa2c51b35

Download Submit
C:\Users\Admin\Downloads\OpenApprove.gif.exe

Filesize
1.0MB

MD5
3d0f240413368dbbf5dddf24b3c9eed1

SHA1
0e86e2bffdb0d4aae3c96f09208e7940804f3f75

SHA256
88bbd3dcbc4db892d6012e0f23603c21dee9ca4cbb2fef56fff3ec8d6a6d9fcb

SHA512
cc3c151b4d6d9318e0a10b4f90deda967ee4ae674a5f7ca019d52aa61a6c9d68a7d5569d1a8690c3ae2d6ff054d5ca22212ecc0eac735148f424d0b2305b4e25

Download Submit
C:\Users\Admin\GsgQwMMk\DwoEYgAg.exe

Filesize
108KB

MD5
ab8a42c55d7551cbda99c4dc7d3a596e

SHA1
77649f5696675abaa2f39aac4be69ea8450a7986

SHA256
58c119c2ef1d63ff560af8f4c4dc577709c7e62489dfd75ab6feef3c66df894e

SHA512
fff02c57ca2211582c953181913d0b6e9b9ad55dd31e7ded1f61ece32500f551f72a5b3f41281a15f287eb68cc38b8a0bc61e3b3b17f73d0a49448bc2ff10290

Download Submit
C:\Users\Admin\Music\DismountConnect.wma.exe

Filesize
863KB

MD5
7f09ae1a42e036e8e6ed692ad5edc1b3

SHA1
936fe740df2eed4be903c458fc89fb7c02a85eb0

SHA256
13050b22199258453ad6aaca7230e73ca70702e4a14672b7f25a39f848bcbb08

SHA512
023edfb8e9f4cd705299af4cf6a5b658dce7b0b732e953085336c0a7d2c2a853405d11e129564fe11a14caefb78d96bbab22d1fbd0ef0cf9a6d5127389b18fd9

Download Submit
C:\Users\Admin\Music\ReceiveFind.xls.exe

Filesize
1.4MB

MD5
09d4e1432cf38caaebd4e2b7cbcafd46

SHA1
0b7167121443236eac6678c8b4a70e17c8888b81

SHA256
fe60b411eb1f3860ad8710caab923917e398cb386c675755df7faaebc9722307

SHA512
40272d51ed0aebf92d419003856765aa20837eea989243efe3a6eb3b20d36f888e0f6dcf70adc738f638348a221d8d00d54dfd0eff924bd0be3bcc38dfc6fe4d

Download Submit
C:\Users\Admin\Pictures\ImportOut.gif.exe

Filesize
559KB

MD5
085e0de15429f8fedc0611ffeae0bf6a

SHA1
f4699217eed32bb60bf9910c7e6802e25a1a9f7e

SHA256
c8650fb3900bb855d81fcf9f2e3621dbf8836f8768232f2a0bdeefa5f1208c55

SHA512
f47506b9dda2d12b886bb4dc8ee8aaa0423b1a19498ea186923e7e8b7009665a099a5f853833cfb58ba73661b3501be3789c071ccc579443db491c92a0f812ac

Download Submit
C:\Users\Admin\Pictures\LockSwitch.bmp.exe

Filesize
413KB

MD5
9f94801dc6f7c8056d9e4367334a86ef

SHA1
b2d5bfd9bb312d1a83f21fac743bec87bc8743e6

SHA256
4a092d8a210f702e2dd23e23c2c29a88c59fb36b9d79ac43c792d7e4e9b6a159

SHA512
28e5418457c566ff9bc9c58f57db3d31dbe3ce46b6ea1436b596286990edcbee2b8ca3bf6f4b37159d3e5f3cd73ec55e278235cf6850901e1720341222fa510c

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
133KB

MD5
9a532a8196951f4a75cc80161a223049

SHA1
77fdb86a70e24efc98906800efd058d5a49ece88

SHA256
a29bf80d94a2f46ff1a95015298199c2e8115c3d3cdddcfc1d835ad19fb18b55

SHA512
835aec8f7917214eaf2b298b7c8ad580cce58461479cb240cba979bdd249def9acf49f8134a7a0dfbf609e6adad12451261f57b576fa1a6c87685110684ae552

Download Submit
C:\Users\Admin\Pictures\TestRename.png.exe

Filesize
612KB

MD5
43f66e85606380e97a25fff624221d70

SHA1
19e456d8df55cabd5d80677156645ccaaf9c96e1

SHA256
cea7d1b99974f01efc8668b9f169a7131587a7123ffc346a113c1a05ea24f329

SHA512
5791382cf0c063dba26bb79239b4f3afd63056909536711ea73b0e3a563e37deb566b94e29161f9be3960a31e86dc2138d9cd8e2caee3b002a7796817b3680fc

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
4844dadb6ffe29bb43bc76faace2c2b5

SHA1
81774eeb3f5cd752b17b105eee93047696fb6cc6

SHA256
7a60e3c7cfed18423a5c2ec354a29b967e713c46f9fa9a0e1e005a9fc6abeeea

SHA512
2d381e168f7194546856dfe4a6b557c04bf1e7f7ffc3ddf00c2ed3891171afd26ae16275b24729bbced01365d82a86cf0b1e5eaa4d12d1c0d29c8f8062cad9db

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
fe374b5f618a75c1b7bff8416005be69

SHA1
d71c053d22efbc18983229222d1c0e74224058e1

SHA256
5acaddd275c147813b5dcbe38970b04bcc0fdcaf2b2051f8ecbf382b0d66f28c

SHA512
6b83451cc26cafe4af8e8dbe287e79b15fb0d2116164e9181d8f615997e8d9200a89c26c96804c47af21098c71672865cc6aa7e0c09c87fb650495cc61ba0ac6

Download Submit
memory/368-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/748-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1412-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1412-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1428-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1428-379-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2284-370-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-355-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2928-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2928-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3328-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3328-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3460-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3768-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3948-1911-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3984-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3996-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4192-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4192-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-346-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-354-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4380-404-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4380-397-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4468-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4608-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4608-1910-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4652-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4652-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4972-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4972-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-388-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-380-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download