bad6a5b82befc8bb82bf7010221f9a1f047dff4c44c46113f6a7cb4fd969b094

Analysis

max time kernel
152s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
Size

165KB
MD5

401dbbf4b8f35ef9f4b5fdc9ffc5ffe0
SHA1

0a777fe216b7e5489e1955274510465b1a2a911a
SHA256

bad6a5b82befc8bb82bf7010221f9a1f047dff4c44c46113f6a7cb4fd969b094
SHA512

40a663debb5642b38fc7b2a6ef560842c455410441bbe9f02dd8ca38b28604fbb41cdb15252bd7194c4e598df85d37a135c7dae4c315f6c71767c84fb9190e9c
SSDEEP

3072:jRDc4/N092Bi8NhWIBCoO4gN5qq4eN7d/wXfa/FI1ey0j1C:NDTbBi8NsIBCoOhblN7dJivL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 25 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 25 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TawccMwk.exe

Executes dropped EXE 2 IoCs

pid	Process
4048	TawccMwk.exe
1268	KCMoUMkA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TawccMwk.exe = "C:\\Users\\Admin\\nMYgkQMo\\TawccMwk.exe"	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KCMoUMkA.exe = "C:\\ProgramData\\VQAwUQow\\KCMoUMkA.exe"	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TawccMwk.exe = "C:\\Users\\Admin\\nMYgkQMo\\TawccMwk.exe"	TawccMwk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KCMoUMkA.exe = "C:\\ProgramData\\VQAwUQow\\KCMoUMkA.exe"	KCMoUMkA.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	TawccMwk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	TawccMwk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2244	reg.exe
2648	reg.exe
2960	reg.exe
1880	reg.exe
3496	reg.exe
1988	reg.exe
1448	reg.exe
1388	reg.exe
4428	reg.exe
4840	reg.exe
3608	reg.exe
4024	reg.exe
2640	reg.exe
4940	reg.exe
5052	reg.exe
2860	reg.exe
5112	reg.exe
4480	reg.exe
3248	reg.exe
2748	reg.exe
3152	reg.exe
1468	reg.exe
4184	reg.exe
3240	reg.exe
456	reg.exe
1492	reg.exe
2612	reg.exe
3784	reg.exe
2144	reg.exe
3516	reg.exe
3592	reg.exe
2092	reg.exe
3248	reg.exe
4324	reg.exe
4960	reg.exe
1556	reg.exe
3708	reg.exe
4584	reg.exe
3752	reg.exe
2516	reg.exe
1824	reg.exe
4416	reg.exe
2472	reg.exe
4940	reg.exe
4608	reg.exe
3248	reg.exe
4636	reg.exe
3704	reg.exe
2148	reg.exe
1956	reg.exe
3032	reg.exe
2756	reg.exe
4416	reg.exe
2268	reg.exe
3828	reg.exe
3128	reg.exe
1676	reg.exe
3428	reg.exe
4104	reg.exe
1928	reg.exe
4368	reg.exe
2092	reg.exe
688	reg.exe
220	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3128	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3128	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3128	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3128	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4420	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4420	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4420	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4420	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4940	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4940	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4940	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4940	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3752	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3752	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3752	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3752	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4424	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4424	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4424	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4424	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1460	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1460	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1460	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1460	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4212	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4212	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4212	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4212	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4576	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4576	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4576	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4576	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3716	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3716	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3716	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
3716	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2188	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2188	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2188	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2188	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1540	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1540	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1540	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1540	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
748	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
748	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
748	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
748	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4312	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4312	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4312	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
4312	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4048	TawccMwk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe
4048	TawccMwk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4048	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	91
PID 380 wrote to memory of 4048	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	91
PID 380 wrote to memory of 4048	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	91
PID 380 wrote to memory of 1268	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	92
PID 380 wrote to memory of 1268	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	92
PID 380 wrote to memory of 1268	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	92
PID 380 wrote to memory of 688	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	93
PID 380 wrote to memory of 688	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	93
PID 380 wrote to memory of 688	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	93
PID 380 wrote to memory of 5112	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	94
PID 380 wrote to memory of 5112	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	94
PID 380 wrote to memory of 5112	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	94
PID 380 wrote to memory of 4988	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	96
PID 380 wrote to memory of 4988	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	96
PID 380 wrote to memory of 4988	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	96
PID 380 wrote to memory of 2756	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	98
PID 380 wrote to memory of 2756	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	98
PID 380 wrote to memory of 2756	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	98
PID 380 wrote to memory of 1452	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	99
PID 380 wrote to memory of 1452	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	99
PID 380 wrote to memory of 1452	380	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	99
PID 688 wrote to memory of 1944	688	cmd.exe	103
PID 688 wrote to memory of 1944	688	cmd.exe	103
PID 688 wrote to memory of 1944	688	cmd.exe	103
PID 1944 wrote to memory of 2472	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	104
PID 1944 wrote to memory of 2472	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	104
PID 1944 wrote to memory of 2472	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	104
PID 1452 wrote to memory of 228	1452	cmd.exe	106
PID 1452 wrote to memory of 228	1452	cmd.exe	106
PID 1452 wrote to memory of 228	1452	cmd.exe	106
PID 1944 wrote to memory of 1692	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	107
PID 1944 wrote to memory of 1692	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	107
PID 1944 wrote to memory of 1692	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	107
PID 1944 wrote to memory of 3608	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	108
PID 1944 wrote to memory of 3608	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	108
PID 1944 wrote to memory of 3608	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	108
PID 1944 wrote to memory of 1492	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	109
PID 1944 wrote to memory of 1492	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	109
PID 1944 wrote to memory of 1492	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	109
PID 1944 wrote to memory of 3144	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	110
PID 1944 wrote to memory of 3144	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	110
PID 1944 wrote to memory of 3144	1944	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	110
PID 2472 wrote to memory of 2168	2472	cmd.exe	115
PID 2472 wrote to memory of 2168	2472	cmd.exe	115
PID 2472 wrote to memory of 2168	2472	cmd.exe	115
PID 3144 wrote to memory of 3056	3144	cmd.exe	116
PID 3144 wrote to memory of 3056	3144	cmd.exe	116
PID 3144 wrote to memory of 3056	3144	cmd.exe	116
PID 2168 wrote to memory of 4088	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	117
PID 2168 wrote to memory of 4088	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	117
PID 2168 wrote to memory of 4088	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	117
PID 2168 wrote to memory of 3752	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	119
PID 2168 wrote to memory of 3752	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	119
PID 2168 wrote to memory of 3752	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	119
PID 2168 wrote to memory of 1628	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	120
PID 2168 wrote to memory of 1628	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	120
PID 2168 wrote to memory of 1628	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	120
PID 2168 wrote to memory of 4964	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	121
PID 2168 wrote to memory of 4964	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	121
PID 2168 wrote to memory of 4964	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	121
PID 2168 wrote to memory of 3700	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	122
PID 2168 wrote to memory of 3700	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	122
PID 2168 wrote to memory of 3700	2168	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	122
PID 4088 wrote to memory of 3128	4088	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\nMYgkQMo\TawccMwk.exe
  "C:\Users\Admin\nMYgkQMo\TawccMwk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4048
- C:\ProgramData\VQAwUQow\KCMoUMkA.exe
  "C:\ProgramData\VQAwUQow\KCMoUMkA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        8⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        10⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        12⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        14⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        16⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        18⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        20⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        22⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        24⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        26⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        28⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        30⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        32⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        33⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        34⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        35⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        36⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        37⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        38⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        39⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        40⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        41⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        42⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        43⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        44⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        45⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        46⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        47⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        48⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        49⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        50⤵
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkMcoAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        50⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAkUAYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        48⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSEAQcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        46⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DesksgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        44⤵
        
        PID:3824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCowMIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        42⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoMQkIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        40⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaYEckok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        38⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmkMQAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        36⤵
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWwwIMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        34⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCcAAUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        32⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCAoscYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        30⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCokAQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        28⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQowcQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        26⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEsIMocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        24⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqwUgIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        22⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcMQMIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        20⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piQwocAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        18⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkcckoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        16⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqQIgwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        14⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKcYAkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        12⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOUAQYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        10⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUwIgggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4412
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3752
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1628
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeQUwYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        6⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUoUEEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3056
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIkUskMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
241KB

MD5
9287f94205ef82eb818660adcfefbda5

SHA1
936b9aa0a3530edbd9223fb24d3b962c84acdb20

SHA256
1f8cec43b07486863d5562dcfd6b1f21c318acca882170137abd410fac7b6543

SHA512
586883184e919a6d14859c18f6613d7caefd04b3ce5aff7436be77777e3360494f8d2fb6622feea472289006bb6aef2fa2475e4302539df437f29f8d537771ca

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
158KB

MD5
3a7740aca61f645af0236f43e5c15ded

SHA1
b4c5baeec72b91bbd96f7c3e458d8245198b6290

SHA256
035dc1dab7fba74119e5d39565b94e93afdc70db0904901d8a3de3d45531b20a

SHA512
003d5132881a3f688508d6ec263000836e4b3882b56487734dd0d9eb03cc07262c4afb59f305ca0b2ea736e9f1fb6544f00942e46fc3b47676ac9ff0edd08b3c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
140KB

MD5
42e5711a1ff5d1a278f850e56d06b0a1

SHA1
92629ceef7cdccc4e9796734bd3c3668da9760cf

SHA256
7ab97b212250ddece2eb251b5c3d9b41d1cc7821dda21915954ba79554855a74

SHA512
ffc4454932860eb4f6add5d750f8c3735b9c3dabfc0c85f7d108908231e18c28ae21bfaf2c56a3b5be270e0cf9e084641fab8dd38d95a93cb2387ff37e44ed10

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
241KB

MD5
7823867a76218dd39977c5c58729cc56

SHA1
b6de71c4630089eeac21086daac7784fa9e7f089

SHA256
7745c10f8f3af0339f2582bb3ce984bb6744de3cfbda65fdf106ecba63532ade

SHA512
823bb0eaed04a15c3cb46f48a0d9e5021e853719c254f7549f243772d8d8aafebb284dc0fc14d387639568f68d0493366e6f8ce12b7c73015831f2e5a98ec1f9

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
237KB

MD5
8dd88c7eb47d75024df6f98cd70baf3f

SHA1
b44608db198715bfae3848cb1d3c2bf3ea8d9452

SHA256
b57dd543d6fb4095e3fa6dafacf6ebada22390611922d362f0325aa81663f46d

SHA512
815cba5279d4fd7db44a0c7510ec680597d065c6e38397f94c574c799761e8452281277be32a78c13622a3f0fbc19b33b0d68d7ee2ab8a503d25e91315526fe2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
144KB

MD5
74dcf575526a3a7993f059127117bee4

SHA1
c35e3510f753c03cfcbe17c644c98422551b2508

SHA256
62d520bc18b4e007b622faded5a9f3ca2fde573314c4a2c00c35f3fc6a99653e

SHA512
8b4a08955a8b01ffd7c36c00e19705fdfeac0d6072a988d02156f9cfa840f503d92b00e922654872f6b8bef30468f5b8a038a59042b9c9d959880f64bed0516b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

Filesize
112KB

MD5
9fb4ac46cc54b4260f9a91c2b827487e

SHA1
363c73ea96b41654a0a56edaaa77fa82a9aad16c

SHA256
64049a8cee854403575abed4d340f461e79e23f409a5ec3c8b6abd6e5dbcd0b2

SHA512
60594aceb0f6be0c0546ae995dbd265203eac90a69a745cdf1bee08d7308708f20e97ca324fd16855bfe80069cfecee56e84f2dfea9fbf471f10041f24346b1e

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

Filesize
722KB

MD5
8f8e9786319920f04e8ff41584726434

SHA1
d3d9066bb9fb521bb319060e00365ca1490a26d6

SHA256
739b94523109d38002618c942ea38fec382d9fe372b35cca57503de28077df00

SHA512
c571b89e6fe2d84fd8915d97217acc7052cd5f4d80c626104082a25a2aacd96d904dbee8c80da468965a6c1a78812d24e35226f40bc7810c912ca090e26d372c

Download Submit
C:\ProgramData\VQAwUQow\KCMoUMkA.exe

Filesize
110KB

MD5
955d51e5fa7cde627fd64fa5797eff88

SHA1
cd2f4cee443ec0d5f561d634b58c89d7577d3c4d

SHA256
a78c91bca33de46edf7f88b29fefadb24f818ddc9ccb85af72e0ea5e1a3fe62c

SHA512
929133c8fad7cb5af35e2a4e5ddefa391a1915ad54cf3462634b26a4016d460255fa19131315509bd20db89a7246f8c2bc9717bd870d7027afdf2a95a06eb7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
119KB

MD5
264806612fbf365fa678e0fa425efc3b

SHA1
3d9e77dfed46d41fdf2fe52d81321cd69777cbd7

SHA256
574384d2be3772104969411b7e08afce5d8a623ee9481c23f5a1f101f2527759

SHA512
021ca23a82b90fc864e2529810ab5b99430bdd530ffd1c2bb0f1a9ec21dc5612dc1149023671ce37810e9bdef02490ea69e36d1df899958d4e6f4d3b0d818b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
119KB

MD5
a684b5b25adb340d743e2419845df1d7

SHA1
2e1f46da99a68fc8f4750c5c7566a08ba9324dc3

SHA256
06d9bb832e064a041af2b03c487bff254bda701a2a4c6df21375cb1d7ef24188

SHA512
1dd8b8148d864542ae38826eb46657976b7e15f43d41effaffa1e8e1dcebaf049f1c6dd7003fc46658ffbdf3862ffd800f07f37d43900314e2c7d401fbb8b908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
112KB

MD5
749f551f1fa244459dfee5ed8d88b133

SHA1
9391b2406f04c57a8dbebf36cbdc44f4349ca13e

SHA256
cdbc6b0480c5454a3f3bb101e07d8493f5d52711d9b67af0cada50bc5b875cd5

SHA512
1cd4b5c8673f66af6e24d5f182418eda2d64159d5e3373c91000c11ee40c586e4250a2c893cf9e1cf5d6b7e013afb6de92aa737574975fb7a94f297959968eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
119KB

MD5
efb8697e84a567e465dee0bfbc69aa7b

SHA1
f60cef3068728c1e7747b464b5018a4d0923fc6f

SHA256
acf4d69e8f57de50f4f6792892acebcd85dfed4230117b76837a4da8f7989b00

SHA512
502a13f105f839c3d8c176631a424c2cac91f618d11382637662e81edd228810d952fffc842cc39247a2daf68de2616b3c10528c525dce3f328cbe74c1bcabdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
118KB

MD5
689adb219f07f1ebee94a0e89c3e1020

SHA1
e0923515c9eb8d686fee1d97aa119f2c1b8d2b3c

SHA256
f90ba93f0a7e66e40a331d451d2af3db49a7c2b1772ca75057e9aabdde6f09dd

SHA512
f15e1b4fc0b28be586dcc96c0bf180c807b49636e58e5314096fa60039f8b6082f1def6a559892a6f968fe33644ff82a98a360f5231e486ed283093fd5957ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
116KB

MD5
b523ef848b2f30c3135de411859a1ec7

SHA1
71d15fe1ba3892eb3771201c651d6e8a2b89ea37

SHA256
baace04d2a4f9d3a70a23c20fbec81844f9e707dd67ddd7cfbf7046d6be77d5f

SHA512
b39a76a4c72272b576709e84a78a0515c71728b46df43200aecf1cc95429f1a73dbf2682e8de4441e0435e78c3576e0caf2029c3738e9ba0b845a3c497689164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
118KB

MD5
c8872783c737223af32c9f24b6081a37

SHA1
56ca134978fc9fef7eb689a9af705965e2371235

SHA256
c9e81e35ef9432f403e5ea477e3369d4360431c8e229761f661716debbc20be8

SHA512
f303df8467976711f3bdf92418301e8bbb971f5637ba14cde76145422aabf02c17c51b7e86613e32de86db3af15b8035dbf42caea60dc95f3fba92daf23346c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
125KB

MD5
bec6ff8717b631efafa53343a57b6aae

SHA1
6810475c39d0cb19c6d25e1c9d316fa74417191b

SHA256
fb3ceb7a0e9362cb1e6e8f086d0ab7948a0c335d3cadd9405abb208e4c80fbee

SHA512
cf00cb8876bc9fda2f79f5cb14251485d8baa8c554cde8d9732133498df8c8945e7a533be0a3fd3ff45f9fda3b1eaf90005e0984bbd715f6b7941ffc7c7121fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
122KB

MD5
7760a8a058873f13ab430227645d999c

SHA1
7ea5dd2cd95010385a0eda26807ca564e0eb754d

SHA256
b8010ee9f77fde97ed14e9078286e1b766ed2623d8beb74dc811063fd368add6

SHA512
9e4fbda3f294932d5eb4d9227a3e3c46aec499b88dc02d338605601d07f8fee8af7cf06ded3dace69b190093d660e217b22ff71880c383f9eb90a8ed92a89cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
116KB

MD5
30eb460c9d111d600f1c873800a3ab1c

SHA1
979273e7406524a2219309e21c194349cc2d84fd

SHA256
ad42d5e0892809feb590f4d2176c6f6648b87a35cb4f23873922e09dbb3af6b9

SHA512
c9b93c60f39b94d2233240720e7a1d06fa4ece6f039b86c5cbe332fa163079b4ddd40f556809d45a0311eeac867b7d5756c113424c6a31c6207b19eea00a8d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
346KB

MD5
9feecc3815dbee3500268b0ed04abc12

SHA1
03feac0836a9303e6ec343e8ac7db4dc2f41202a

SHA256
8aa836a7aedb0d4bb3ac49e11293fc2f01a3ad40c1ecf55a291dd884a9274d83

SHA512
7d2e75b601ac78712a223e91a8b8723c46b44a2321ad3323465e7903456df31e7f3f77180e1c53e9f6969b102e07f26f011b13f36a26fe7cf684f0590e18b569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
114KB

MD5
a12c5746e1222fd56d9d4626c5a20c8b

SHA1
0c3ae4748d438eb0ff71ae9c5b11cc7a770f2eea

SHA256
b1bac928597d83ca4e178e148e2d16060573fa5a87c022d46d15804997e14f2b

SHA512
52fbb2d2473ae63d2ac2a759623e154b7e6a450833dfc8935227659685d1d2a6369b9cd6d136c2980052556e639bbb16da824862c02c822be2bd13aeb6e79c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

Filesize
112KB

MD5
1187b17336c864e27a36f1cff37f6d4d

SHA1
0036d3972eb05ecacb52deb8a6828f527df2d21c

SHA256
97b0461784ff303e83abc8018580179158fa54716e1f8444668ad40caf79f725

SHA512
d76bbeb49ee0849ed18c80c3da2e14d7db989359208e0066d623e7cf72c85c409b4e62517c670d6a4dfdd7cd612d9f1267598d1abf68aa53fac161544d034f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

Filesize
110KB

MD5
0bbf7e0fe17c5fd0bd54547e40312d38

SHA1
18b9b4246393def6723167711da4c3a5ec2fd1e6

SHA256
1333eb073e155ee6c883929f0af74567298d9161026f02cbdbfb1dde8f545e3e

SHA512
8c1dfe456392ea7f21727c2eeabbbf01dc736e87df6c2958252aa11aa9508e5a3a98e9f20b694d742b8edd35d704340fc0ff307d2513e935848fb19441bac3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

Filesize
110KB

MD5
b6ff4d55ddf6e5f686cefbc55e3ea132

SHA1
5ad8233c4e64960e98c4085c8a34e75b40e1a3cf

SHA256
7ecbd118881dea6976d16236db06eb66fdd9b536100ecb71a7cf5c98c4ced743

SHA512
d3180fc5a24a0d51cdf5b7e153b93a3228ffbc71dbf2d62379fb2961a1aa5ccb62593122f37d809f82896781ca4016eea30827e2db1dfdf9c0aeb0ab13d5bd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
113KB

MD5
f38d3dcb54a40359d0ee3dbbd687294e

SHA1
9977be60c6cac70ccd6e76fac3464712e79229a4

SHA256
6cd222e172f4e8a5d4a394a58d8d22aeba3ad658a071f232897326e4725208cc

SHA512
65f00e0a5b55541939bdf4df8fef7dae6feda523954f80280dea21a620df54744fe26a358312a143a9ad93e4059ac16aba845d85a6d5f0bbaf07e70509a5c8dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
f9353777d6b3a3f48471fc6c6b1369a2

SHA1
162e603085d1a43b2bc6b07248dd47004b2c2711

SHA256
9209d47eafc4ea2d064b546fc5bebe00b2f01eacbe29082229814d1dd222f88a

SHA512
a32d359558df8ae172c20563bee1068364f245e3516631d1b0dde86e983f32d2ac15efbd77c42dda84e71809fe7d00cb0b002d960d7ed790b6fe8525cfa80889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
113KB

MD5
fa23f55d1cca7d306f1da7e399b28687

SHA1
3c14bd7b38377d1364b52d86efc622b354768b7c

SHA256
a3aceedac837658bdc9b740482478e069a0a4e83fe93d60e7bafb100d874e6d3

SHA512
63a84c183c309f08116b256ddbb0f19d1c3023d2ac04b06ea124390c7cb94877a74f41d2e337111e5e44f6b50b85b4aa50ce7c7c4370a2d5a24ede2658371e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

Filesize
113KB

MD5
bb3b005f314c149e656dd4ca4ec83c30

SHA1
1b130eb0f17bf8af6d93216ed78bd45f50176435

SHA256
fcd56267e5882c4b5cc2a24995512ac6a5f884ae3ae93fd71de50174a11554f4

SHA512
cd5c9a399b5b656df474815779b5228ab34f66bd784d9fe5cccfe50ca1e6673dc055d4fff896e0669009ec766ab03406b679bc07d4c9dfd29f44607067fd6fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

Filesize
111KB

MD5
27ebb87f7a4352ca1d2e4d5f59d80e74

SHA1
5770d0a422ddf70d8f3537cce9263bf893ff56e8

SHA256
aa326205c77be97b5fe3a070c038dfa218347549cef8d7b44f7f7687f5b303f8

SHA512
32178057292e5e113af10e3c26214a746863d6fdb50980ad43914a5c50edb1f07f8b8258df597dc0674a1372d70dff52be50e6ebae7465346e4859d5c0093c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

Filesize
112KB

MD5
7f226c6adce6de01cfb762c42537f414

SHA1
a70f683f6d9d82fe42bcb4a2ea4a2828ef145d8a

SHA256
62f3b8b15b572737e5324ee2016c9ffcd2a4a685d22ef6cc2b4982cc9557e3bd

SHA512
32a79f19de1fa8e75dc9b20ec34b810cedcbfff93d848437f3638c4280a07902ddda4c991428c1b934e5153ffb0335f366c3d965ee9e10b62e6ac1cca31daa06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

Filesize
111KB

MD5
cfc34595b3b904f96576ee0094366770

SHA1
12bede224048bd718c170578c935d57d1362ad2f

SHA256
32392fc583c930f5f5548c96340066d947b77808d0c3f60509683dfaa153d84f

SHA512
8f6f111a7654a5c82981894c1da2b7ef4bb6fbbf0b20569b7f089eccb97e8090b896edf28c751fe97f87bf8c84a647aa8582f6341923f17ab9a0c63ed91195d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
114KB

MD5
f9107809083dd121b603efa8a85db621

SHA1
4df49d52c3e6398aedcb2b8d60745b2769842e55

SHA256
9a671f1dc63285c967633f9d5829c520cc4faa09386a6862e5235c3689cc0e0c

SHA512
1faed2ab83840dae843150e97d14e6a5a895aec0b8e4dffb8c2274d7d40c18cc5d12233b51dfd83ef0363897e7b07ed63e4bb2acd44aa483c6484d2a4d2b6499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
111KB

MD5
c30413aa7dc00ae33d87d522012734ba

SHA1
6f1184f222c9496811843c9e7fffd820f158bb79

SHA256
8ea4c0bb166760228f97395377f0f335e434babb7bf4ff58f35b641d01d80b3d

SHA512
0b5d51cf705a0156733a5d4b2a0561729083f346f777e6acd83fcc244e8276f1b3dcf85fcb91e0ccfc3d459f8eb295f57ebcb79a6b1103824b4189265cb8dc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
112KB

MD5
30593c534062cc9376058c2c82ad267c

SHA1
fdd0512413c572e1c4bb34af5e7f097a6ccd0821

SHA256
71a9602a65b3883f45b83512b24e378223d0fdcb7d9810d3dc4b89ca9d8ee4f4

SHA512
23922c6ff3e25bf4ced9e60bc44b93f7fcb41b8f461873cc66722ae27054ee8af9f41d4f203a472fb78a2b906b11bb46c1e72ce4b78ef15b0a8d2bbff80aaa66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

Filesize
109KB

MD5
0e076e16d556f43342bf842c8db87e1b

SHA1
852a6a8576d7f0288888de7fe6b962d1f5526471

SHA256
ce64518b819b36398929f230f50530b5b67c1bbba89df0ccee497188022e4a00

SHA512
37735d6c78885bf7970f5a5d9ace2f1c49afec7946ac6a86d0f2bfde0c6ed497e2302006ccf389928a885f276c66f6d8d91a0a7016e2f3acb555c25f94ae53b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

Filesize
111KB

MD5
1854361d089c3c385f44db964e45b002

SHA1
92239908fec015c3fc5ba34ebde1ac027cd7c416

SHA256
24dd8a68cadc54d06d7570b82fb4e758271b1c4a397b47fba74d183ffa552a14

SHA512
23008f4eebff7c3a2cdbd385413be434ac4b47d24d77123121dd3fc97c6ada34adf66108c58d4973a4f3496c1deb027ce14e66e6be15623115b0f6e8b3cbf516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
114KB

MD5
dae2f9396fb37395eb414902b268c8f5

SHA1
7c2c55b52ffd183914b449c8bf998c1fd9b892a0

SHA256
40b3b7141638392f3df4a0f9a49e57e237ea088aea94b2c8d51322a646dfafe8

SHA512
c6e8fd05c2da853a9a3f58cfba76c75d3e771e34e93f92e12ba6b78ab0bb1613c87096e2727e67d5b46654ab16edf157e01772e96d8629d95a0b7f57859467c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

Filesize
110KB

MD5
d37709070e2de352057c78f0f988c824

SHA1
acd72622c590ea8f0010b18f63e1829567aa84f1

SHA256
41b51f7c70bbab9550d949346b93415fd591a559f3a4f4dea6a24f2a39c94e34

SHA512
a58550edd8c2545e3aae3f20526e70fc2317379c38f31ea7bc988392f20b37152dd43e8947185d0eba0048a7e2774d23df2f7604d0739fb7a243c81125b74525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
111KB

MD5
bc7c28a0ede59a696479829d8fb44f83

SHA1
83e0cdba19051b0a61b6d32b4b0f605636e0ab48

SHA256
c6d5e6e1c9c4c3d125f7d8aa4bb79bdf231ea2a114851af66826fab3cb9f8d85

SHA512
dba94e90fadc5f848bb26f190f8c8a4f5a82bc911d2d6aff76bf20621ea92e057e53dc9367b8984d24b1014ea7fc7ad93eb13f550f016738dc64ffa6e06349f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

Filesize
113KB

MD5
831ffe0361087a39b5c427efe59f251c

SHA1
88c2e8adfb25799a35f49a31eb6ebee23d818c39

SHA256
4be85bfe6014c2d6de5dbd551e96195a6400e29177d666bd78e477509d0bc251

SHA512
e38671e8ba525d3e0844a195abc3b203f495d014c63fd9d90071a839919d73edb794f502f62ba0a9aafbea898dfa33959594ad0f64d067050f04a00f8817157f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

Filesize
112KB

MD5
4b529d9fd72f7d418fada8bd4f243de4

SHA1
d20f7aac1ce6378c2d5e49c20e957ce6419e30dd

SHA256
8b42a37acc51868e5e822fccd1813cd58e44237b40c454d24ae40cf2033a7268

SHA512
8cc42bbf2a79771fcf80b09c1c3a600bb19287701d200782c96e29d2058f34c964af23a273b40e88c66a97c3d5f008a2b9ab04d8368548832f6136ab9e49afd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
113KB

MD5
de569cbefc81608225521732233c9ff3

SHA1
f2cb3ad9828d20f9ca1c1bb40a22705312f862ac

SHA256
35620b0cfbd8b99424f7453e871e3267c0ed61920449a995810f6b49b5e0b300

SHA512
506a601ff69ff9b396e64cbfcf156eb9d3d70bc3796a105301608310375a313edf60067c7d0be9ec7178635db739c352434a341adf42ecc6f79d0e999cf9d32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

Filesize
112KB

MD5
5b097ea386f0121ad51d1fee3738535c

SHA1
1b88974ffbd02e1e4aaf632469dbe68cbaf6f25b

SHA256
39e22b76007c07ce670d4f1a6f1de777b52457aaa272e164cc0f4c2e80af9b8b

SHA512
6e2723eb9b96637f26f0bace85b5815fe9b866b991fb9175efe7a6cf39433b4460b99a1baa8067f25a1a6fab5866d1dcb0fae0caa38a0bd0d986a5a286ecca9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

Filesize
112KB

MD5
24a417c2fc836cf1658607e67a090989

SHA1
b9124d083d968b13ff5553a0a52d7f9f7b3a86b0

SHA256
30c07dbe6a6a17fe02a6761ed77431bad409516e13ab399efa7d24f06b4c210b

SHA512
8b0913811b0bd4eecae854c903ca71a3273e8e8bf6594f3c8fb7dde2ccad2d60223f3eb2ea450036a6d034314ae175b3a3e2b0a9cac7759553b849cf7a94ae09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
111KB

MD5
aaad1bda8a7b08f7bd3f205bd4a19363

SHA1
893fdfa0ae6ec6cbd06dda22e6254b054f75f2fe

SHA256
b1d4467f8974cce6627c6d2bf92ce61b6899ff631c738b6bddfd0fe2675470a5

SHA512
60a0930963e18d11985d549f64bc3afebe72c13ed1d910fda056e5b1622b13177680cda948c2773c19d11712c67e084839e3bbd6682abd13c46c3edfff2218fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

Filesize
111KB

MD5
1508462cc78009eda4504aee951b05e7

SHA1
af9cbd5e2ad3a03182c3e4f40d8c3d9afef8a4c0

SHA256
052dc200436c778a92d05ce53cf80a2ca18d1070d4e662999c3f9ba2c91cc683

SHA512
c347e56920c76edaaed4dd1340e1903adff181964d3924c419c40543bb351082c5a7b7def2cdaa830160c78f083e514cf714b3bc14d371826c6fbd69c5f318f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
112KB

MD5
4100b14f70fa628f9499ae9091d3eacc

SHA1
e2a09b7fdef18126390a567dd8115ea2041fee88

SHA256
ad3d53bbe4abeb4c5b12ed50624815272387e80d6ec7bc433ff2b4b1c49e701b

SHA512
73f17ebb66b89df7c60d7d214f965f348838a126d22efce38ac7ed8c9250e32df1ff9d403a19d9f3180722c410efa109645ea6cda13c7ccdf8cbe4874fcfe4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
1c5b579287ec1116741c004e89222aca

SHA1
158e0bf705afab5b7293a96fc1c14e18dc3f0f40

SHA256
61025a16c818bc3a64eb8dd389b5470d78defeb1dcc58017a057b86afc366e27

SHA512
3de7fc9e604a039194fef726ea7b20df7bebb16eaa93e3bc626fc99604d1deb5415f457d9847461830e9ebd42bd24d71b891f53fc83fcdfab54adce365a425b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
112KB

MD5
8b95170ce768234c580b8a65eb946053

SHA1
afdc5b28ef41d1a5ebf918fec9173200ff1fd3c6

SHA256
de9ea62f1f940d66de9029d55ce3a158454b04a85bff822d689cf28ac9dd662c

SHA512
7901db3f8dcfb5e34cd95b5586c7576e7420fbabc3c55331ee8172ad4e18b2ef08fed3d2c9b62201093c165b67dca10401b194b8253490f1528809f4d3f811da

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
113KB

MD5
9cf51c25d25a92e090fdf654d76d63e1

SHA1
ef59256c09606e837839690515cfb27c22292540

SHA256
06701d4548e463e96c8b985e71ac0061c42fa8b2d1257447b33d51c472db4d53

SHA512
456b627c17359ca1788e12830ea3161b3bf77b2ac6041add7849c466b15f4e1045b284ed7195e9ae0b0e9ae13067080ae5aceaa91011359270a3b19ebf77a358

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
113KB

MD5
2335d8c7de2e011111ea883444820624

SHA1
0081db5e13ec14668b11db867ba183fc8912398d

SHA256
18bf6b74fd30cf7c164f6cef3e0799ec2784394068e94fd2c8f9acfb001b9a42

SHA512
6ce6e06513534c251d2ddea7675a92b49703e10a52db2023c13b3478fe782f45e354a9bd96e72377630d2b3391895e23c980a6c13dcc9ca057cdbe8c060965b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

Filesize
110KB

MD5
234f5a581cda94a26226a2a2ed835417

SHA1
4b281a60233d21ce7b7ee52983fec73387e4c30d

SHA256
f88fa362df31f124269bada7e2924cc238acb8f8187e9ee67e60a20976d73a28

SHA512
bc975c77c8e5a1179400a040ab3081d94aac370828575f723fd1c6607e94b7a850e96d32ae027ce29bf0a2130e84d21d86c48f83fed24a79f05392a254edd15d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

Filesize
111KB

MD5
c9d640e6077607aa8b279e4428f7ad2c

SHA1
7325fed871411b423be0f7e010d9d0adc5289bc5

SHA256
4105585c07f835ebbeb37c0d3e39e25bc9069afb075b776ffddb25f84d8be008

SHA512
5af1535dfd20c07576f7f68b1c13958f48a3556917a531a683c518f7013d84fa85853b5ce91882640e769a92ffdcfc92286cc3ad81617bbde795fab12b6b0918

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.exe

Filesize
112KB

MD5
ccdd5f21b291d3c265770968f324d37f

SHA1
d35e553233872f8e4294d8d60ac531748fb0bc95

SHA256
afb7a697b096e83527c1f81e84ed057ae975723f00c786761723bd24f67a8cee

SHA512
eccf579a777e0b7e12bbb8fe515a386d7d317298f9c3696deecc6f0607739f5eb6c16115630644c45c388a14a5bc092a6cec4b34e7c29cb224b66fd88ccbb65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock

Filesize
48KB

MD5
3b20f5e18b71fcd1d72cfc04349c721f

SHA1
3438a78d3c3b5a9c65a0f5f1d0110adda4d501f3

SHA256
8bf0705e02cfee4457efbaef3cc5f5aeb680d20dcbd7c8d893f386da85baafa4

SHA512
d7eed3b09ebcd4d9e9dacb4f306d5dea2283ac855242dbb66236547666a0699844a85b3edc21ef0b5313ad050465dd2b7184f8cf0b264b981fc85bdd455cde28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aosa.exe

Filesize
700KB

MD5
27e72422cea345353a33f4492ac5c32e

SHA1
071013cdec898cdbc7398a1dc2c65797ab7e9175

SHA256
bb9018a1edb7e8a54e61f203b5a01d074cec5ecbad092972eb3a368eb9f0427d

SHA512
3c96d3a8bd77fec809ec9c35572ab031894b5d38e6d243749d8903aed814c7a4c4010cdad15846a9c946262e4c205350eab07fe132726e434e6b43d7d1b8feb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cocy.exe

Filesize
120KB

MD5
75a0cec186213b6d20b15c6a398da74d

SHA1
3f3f09ddaccc86e947145de7778d1b3118855786

SHA256
866e58b24565ef59ef7022344f7f1c0b4160b84b2850286298b7097da2ca167a

SHA512
8e207823a0cb913360227c00a5525fa9e6a14a3512eda56cdf96bddaad22730c4ffbd99aeaaecdb590275e4fd1c49ffe86f95a67cb3d96a8c719dbe4a2d468a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwge.exe

Filesize
111KB

MD5
195ce464897c4b37e60e61062e6c925c

SHA1
39640e6073bf2913fb9c7fb6a565a8abff310db4

SHA256
b0ab789324a32257dfada9b40750387e74a210698219a4b1c4e3e3eab6f9b01c

SHA512
938dbff61965da497cf2a0db1b013521f4c42edc6a88501f86399a53224cd0118b48da6e194b9bf91b63565199b1a398d32b2498b2f5dfbbb9383f7d225904da

Download Submit
C:\Users\Admin\AppData\Local\Temp\DskW.exe

Filesize
120KB

MD5
9059a25dd015e5bb6b335ff92a158ead

SHA1
f300b2f9d533d1bcdc565fa2ca62d155330ba8be

SHA256
d07fffc9186ec35229c40b85dee1f8fc3e13732d234b28ae535104367e382c31

SHA512
e6aaba83afa080af3b5449ba053b83b2af782d239b19957d2dc3337f724d7f947c0035a615381801c47c9e89690613bf260d4b85e5037d6888e35697b9ac869c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsC.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMYo.exe

Filesize
119KB

MD5
c6e0023329f2e60a24fd535a8963ace7

SHA1
7f27d2980f688df0d16c11f2d83a3fad09cdc0a3

SHA256
261c6280d27be840e0e79a85bdae689b216582bb6db793913f0c62dd7480b4ab

SHA512
9fb1bf2a1e056c2fcbbe2b6016f6739a95593bd8ce2087d5396573cbdb3a555c3ee04f5fe31c0fe529a71d8ea5801969d58e979c696288adaaab71f8655f4102

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkIG.exe

Filesize
556KB

MD5
a7166f33d68ab6ac900df85915c517b8

SHA1
dbed71937c7f6267514399fca388132197e858f4

SHA256
04396693c853a0ee47d1975d06713d955fc318a59f33f77271fd9d1c07b252cd

SHA512
d994822be688a80f22336c092fb15a3d0a5da641291b6093bed8d024ab12dfd9cf12cd633b96aa8e02710392e046a2a1c193ffae96ac143cbe575f26c076d5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYcg.exe

Filesize
565KB

MD5
1a4eb7d6900da1e57b5b840a857f5432

SHA1
dcd1767dbde44bbbd94896a71e675ed24e657501

SHA256
1ee4cd33e0209d33f000c2b3a6d6a00d232c9a816bccbec037a6a337fa5dd5b1

SHA512
34061923018cb4da371aa25fcde5b5e2c66b130fbde6a4d9d1abd20cd87d6d2959b2b04e5dc59172a560a5ff69314e0d64c3d8062675b3c694325424fa916098

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iosm.exe

Filesize
114KB

MD5
34de93875307f5f86a2cede97ad8be1e

SHA1
086f040f874cdd71d90c4faeea53da2ee5b1ce3e

SHA256
836c9483b91296b1f50f04835ba53bb48534264fafeb9762d9092c24a8338e37

SHA512
8fd08c40992727f4f8ed0a6e703416f16c5aeb772a5c01788bf6e03d9eb8ba18554289fb92c7fb509365c87d8e0abb12660f634ea83738de99e15814424bcc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIkUskMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIq.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\McgA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEog.exe

Filesize
378KB

MD5
8117633b652984256811b7e8ef909846

SHA1
deee352648bb5715131a77bd9dc976bdf24527e1

SHA256
04ea8eddda3b289a228f1b32bbd103700fd822ecd3eeca6e2852fdda6fdc30d7

SHA512
f8539a1c8893c61a7dfb81ce90543d682ac4487525fb15a713e1e69396d5a9ab0f427f24775c68ea20b5e02c1787d441e79cacfbe9a75daf9749a6180afa6854

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUcA.exe

Filesize
744KB

MD5
1a3b8a2acb377fe8b375c578bd2cfa70

SHA1
23b4a473d6f0bd723719ad0c351ced8c0a3de15e

SHA256
7f982e8930f698ab6ea6f23bd19e135b8a9cf1ac2eb0e299f5fc343a8b7e1e6c

SHA512
13a771d9410100209e5cc0f78a751731fe3cd6b1079cbf22fe30ac1a2d76c070afd936fe6987b0edbdb8a66719cca134bf747d03dc2cdfc3dc7d450eb11fcb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYE.exe

Filesize
149KB

MD5
25a43e49c922dc9a8e04a4b6d9bf2ea4

SHA1
2f862ce4ec70c175dd6376909ce5996eefc94350

SHA256
ee5d998dc16d849631e7af2bcd0f4a0612d6e74cde156d0953b926e87f80fb51

SHA512
5db2d9d14d50cd0a75802187718c66d6e3d5a4fb04b5c6b962cc04c2dce1defb0bbde86a7ef75c068f75147b10dc08d16d92072d5b0468294ce622e1d00daaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIcw.exe

Filesize
703KB

MD5
b743310d86a693b291ede11c88f77b0a

SHA1
8e6c82ad544189e94638defe227fa950711b1713

SHA256
d1029b2399aefd03c4a3ae97a0e411dfeb887c1f50c55ca2089946afa0eeae80

SHA512
0ab9133db650f7c398e54820da5fc2e539cc239950e52e9c084b756b23eefdb491db1f66f587b3858d91b372c44edd269f5353ffe4b411325f6d8dcb54c19095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vckc.exe

Filesize
117KB

MD5
856215cf0633347beb79e52b255bc728

SHA1
f551a9fc1c9ebdb6b81043561c499ab4a79412b3

SHA256
1cd149118ee04d90b1c73e11e7e9a6888669c990713c22b7b9cf91be9fd08238

SHA512
01c7ab6d4c36d9a2f4951f0f26591c88d684006826626892d1272d0bb340a99535c7de17ae86048c4848dcaca751ad9dc1c36b11451ddec4275c8cf0c7a3ace1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEMW.exe

Filesize
720KB

MD5
5521de57f4b49db17be670649961af8f

SHA1
63bcb9a20c75faf03dcc8c889dd0ac2712f481d6

SHA256
d7745007236427a19ec0c72c9d522d0d6a812de9212dc2e2a0ddd93c988c0a20

SHA512
898403156a022629cf473f4dc6d09d31eb73ea8318fa551f6ff60eb501e63b60a911a6cc287ae4ba8366d142488d291e80def8a780988562f25aa81c68220f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIES.exe

Filesize
564KB

MD5
dbe07db51471192e47c6789f3d8f138d

SHA1
3cba4468e3447a2f4ca5d1ec40119f43931f7989

SHA256
7bdc97e5e7586afbe1e6b839df04a9ce4cb9defc43e37d665255800373cad439

SHA512
c3b35de452463d5d274f1e0c1e5e592f5940e23bfb128711d9b3d70033775cb8b176a9a313e061271027bbb5a5d5d8c4b57174a9abfd6a951660a68d0ec8a2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsYi.exe

Filesize
111KB

MD5
12202d13d7b6e669ee54f573c201dbbd

SHA1
d1eb65a147722c8765fa120fbae1483c6533c943

SHA256
d7f98d0bd8d39c4c9de90ff4aeff0525f46f7f7fb249c7b4156ac51b4f13c435

SHA512
4b49381acb5b18065ac4bd482ddbe3bb7209511a9d7f1585ac13102542108f3f3b622cf289996e45a2ffd27a50b359db8c8d74dd450150781fab2204c3bbc3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEgm.exe

Filesize
122KB

MD5
a20de4a713435724815c93f08164adf3

SHA1
5d72bf25e45af3a10c985371fe60f796d2d4824e

SHA256
5fcc790da6ff3014921fc2174589455c7c4f78a2cd2b555d17721a4385ee8248

SHA512
00c5b686a4a6d7bebbb7aaf58ed86f0e3ab93b487f8aa71f5cb5df1cc1e0f77e6fea22eab5776f2997108bb1c80f9cf6e4f1006fc16adbec5f7cfd60e1785272

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQgq.exe

Filesize
114KB

MD5
8a3c82166f6349019b64f4355a135bae

SHA1
c5caae1a8a9b7eacfb680714277b1f64fd43b589

SHA256
47fafc8ca38131f7266709eb26a2e15506442bb248eb82de6d28c1357e9f4fd9

SHA512
cec49cac670ad3c5848b97e4b381e2135a08ab0b6ce06ea00a00fb8b90ac20a56e961d96e5115d815c56f64eb7d41770b9aeb0619b8eef08874bebd1f247849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcES.exe

Filesize
117KB

MD5
0cf0a2c32eba8573d6542d7de338e1ef

SHA1
66ece5f9199037999059e2762a8c1f8b504841d0

SHA256
1a2fd9ce7a73063292207a16c079018b7c57fe273d63556a26574264c7b0af3f

SHA512
248a1bc8278e7870b7130208c2c80180560cbeadc035f83cd3a97213107822d5df2809c63644c3c38845c5ac8b42b29a0943ac3d7b8d0c6fd6b50f58e5d92694

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMYE.exe

Filesize
114KB

MD5
41728f574f45803f76744416e6d250cb

SHA1
50b3ee972905f6687e4bc65352fcdb2f1c4c1107

SHA256
c3fcfe5acb5d9538843236ae0f9f087c3ccf1c7d9f4046c5ad21e4f20180f9fe

SHA512
d9d6c262ff69cb36f1e38a71c9115f17b65e020f367b2dd9606c26ce9a71c1fe1b130006d546ef8f817e8409173f439d3201a28112490555badd0b8325119e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUEA.exe

Filesize
139KB

MD5
09c645e5d0055494538ae0e8f38dcfcc

SHA1
83da098b7a6cbf6a807c9ae0de3ea4b083d99cf8

SHA256
6788454ce8380a7b5de3b29b98150d9807244814a8954d24fd7a778cbcf588d3

SHA512
dbdcb8f255bbaa8d11b3b0ecd4cb948456f849dc1cfa68d532747704f6122de3c6786698bb1001a63271014c2bfc4b147efbb51746a083cabee8992eb1ff1e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYQA.exe

Filesize
115KB

MD5
439f703439d2a3184acb3e8507a54bf3

SHA1
d221cd160b88f3e08d24c7dba6dbcda25848343d

SHA256
819462b2215c57fa0684ad7d508fac3062349bf8d517c1e42d64d4002ec1fa79

SHA512
b38191647ea90ef393afb6112eb6aaadfb3af5d01b22072036d4c83aba145ec26e2e195678a529a8aae2060d9090e6d1bfc67b865abd717c0834bb57d4036e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgAE.exe

Filesize
5.8MB

MD5
f954a6a6f4dd41bb7da6f47a60f75efc

SHA1
596e3aaf56702a2874bcaed311968b5aff71511d

SHA256
23ed252f43daac12aaa586cb0283dbafdd89023e46d1a8380e32f85a62a617f8

SHA512
fa6f24fa01ce658d5e6b884a04bb9c14aa3d60f311f6aeb9d7ba01f3d945348453106486440f3eb3af2540c97a080fc48cb3725cf055d70cf60d92eaf6696e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMcM.exe

Filesize
116KB

MD5
488199232402500e0f7f21e3111f88c0

SHA1
9a472bd6a98a3e99819030bf088bdd6d540f464e

SHA256
1039f33f5d33996add0ebe5d6c5e9900ca23b47c6f351ea760ffdaaf49f9b181

SHA512
7ae207ce23695d37ee805a4ba85b7c3629c1bf96f1a573dafb86a39630ff690fb4bdac16d91ab73b54807084d8d7cb1e33c695d0111b36e9c2733cd5609cba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIoy.exe

Filesize
666KB

MD5
44c827ab00d54ad01cd1486baff4a551

SHA1
cbd8b46820abbd7a4b2ed5f61159c6218daa301f

SHA256
e98a81104d76a46b5e3dd7295adc8f84d4ffc4cce59d58a1dad8eb221eb29ad1

SHA512
4a6b5cb944536215c03c232dad012be38e9916beea07b058d46632a073cf72aea2ae13a49778b8402e4a4c5a92196061eaa3351ad3f74aef87b261a1c03effb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggAE.exe

Filesize
148KB

MD5
45c6cdd9e52e9c6cdc69da0de6c5248e

SHA1
bccbb0e2e790e265c040e5e99a62712e3ad9ad47

SHA256
adcf17f7e03d979c67717abe4af7d8cb5bee8b213979838a0d7419139123a99e

SHA512
8053d81a6e7855dd32c4749fc46c579e9bc1243edbede2dc02f79f74af0fb32e4dd910287aac948d402b88cd903ba62d85d880c024a7e8b22fcf5eaeea3c79ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkQI.exe

Filesize
485KB

MD5
4c396736a7afec3f2ac0e3498e4229bd

SHA1
bac0eb649fd8af8ff643a95819cb8a8d4404783c

SHA256
7f6cda2dce35f0ac87663a550ad324a180a3097c2ccddc50acbe0ae6c66c9378

SHA512
06f727bf8969fa5ebd9146b00b5266e645dff3d413f33db5e9c0135c55adbda1c9ed7012cdc204b0dc35fefdb1ca536d8fb44cd745e422771cc64c0681702638

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQIu.exe

Filesize
564KB

MD5
9822e573c09593f74509b2fd86840903

SHA1
95ce77dd82fd2bc0e50a0ebcfed34e49cb08d671

SHA256
1ed9757d0e40f16725b4bb0700f6e64d2b0ab531fca3c337fb37517dd45b3511

SHA512
39e79640d3174308d46bf02091b3fcc2ce97d5cb20c0f648c0e284dd0a5e20a2329dc2568fb41d3640f5f17fb8cab51f479a2176ffc05e28deda638667aa7b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQsQ.exe

Filesize
958KB

MD5
9fa50ff2b34af95aa7bdaf16d2513080

SHA1
010340a3a6a47421fe720a9fd63c9f7213e4e4ef

SHA256
f43fb75a9e45f14d71cfd52899f7cb86defde39217cdb9f805fc0e43d3766781

SHA512
c4f3240ab59b8ce4c75995ff5ed33a4b60301ffe2ba2bddb811a38b0dc932eaf7b2a875c99640261584e4c191b5945bfbdc252e17b56f56a4c868632e41794ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIYW.exe

Filesize
110KB

MD5
016a81188e75c359df064ad8ed7be623

SHA1
2d151d20891b1af196905ed1f7c2d87faed1b6ff

SHA256
43ec092e51f322ee68ba3b3dc459d402c7700ce849ed8c6d61e3b1cde1b441b3

SHA512
82d0bcf477f1c22bf55a24dfc94fa46958c9c30bf979674accd84105e4be3350966646150c32a91860b43f028b38e5e32cc668b0eb0939f004b6b95b030dd57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYgA.exe

Filesize
114KB

MD5
2705cbdc361604cd2025682856e03f2f

SHA1
e77efd9e07ba887f3514b2afcca90ef0fb703d90

SHA256
5724df1a0a114c45c084c79494e0ce626b847ac9a332d14b383ef3731e848db3

SHA512
a4399677df7227a27b1bdc90ffd4b553bebbf1ddeac2e61d5b61f5703533ee63a257f9af00448ee2c4c1d5822d09758621886e5325e7455306a54a8459b15bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwgk.exe

Filesize
114KB

MD5
69d3f48630341d1456367491076f1b94

SHA1
bbcc7947fabbc6bc9b626115dbc164d2a6f7dbee

SHA256
babb485d556f7174763f0504553aa81d08cfa3bfcf280e89113fd2e722e7b646

SHA512
0dd28e977cc719c4c7928c6aa83fc23d27afffa04e1b2a56935fa6acfa1fbc545880ca156ce729c71a3fb1f9a38332a8f036d67f310897d54cd01f8727736a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMAI.exe

Filesize
117KB

MD5
e1d3e27201508daa497e393f2fe61361

SHA1
4930251910db26e9d8418f63773db3255d140aa0

SHA256
b7b80eb7b5f1368097478d019c29c8dbffb7f376ba571cad614506869f3eb309

SHA512
2b8120e05c337078c7a1ce15d7fc97896ced7895698180dd2872b1f603a4cb7cd9fc1c9d29809a5a3f4958b8e832a310312e742088f23c0d37efd9f07be3e87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rskM.exe

Filesize
693KB

MD5
b8d0760729622b1c4618577b97b33bd7

SHA1
6a6ace29f519749df9ce97bd6a1aa118da2554a2

SHA256
4acdd711492f6cc45f1fb0ca812b1b468f6d93e9c27d36ed735da3068add614f

SHA512
9f76561f8625bb3045fdddb0ec4622b6157626d1361ed91aa284f479167ca6a66273dfabf31aee13dfac7a97af391d7284d51b1358a3b42638cf8b37dcc974a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQIS.exe

Filesize
115KB

MD5
0c9857481c0e96f1eea429f25e8b220f

SHA1
b57dbccf4d11c41d321d0aa31b490f2e324c97a7

SHA256
dd214b06d2075a181cc5e239c97638ef6e822bae16808b123c72eb2fa874ac6e

SHA512
fe7040c3f2a1e94e858cf83b673b95f9917c0b7f9663039ab50d783357c6de0ce53ea2a2ee73654a022b03dd38a4322894138a559b11bc21b14960f116c74614

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQQq.exe

Filesize
242KB

MD5
d6a305aeee9c3e60b063eb946dc31c20

SHA1
da842491166f1fa85a5051589188aa864efca01e

SHA256
563878634173e994301be49839420c67eb41162f2bb6b075b3125e86b8cbbc5b

SHA512
dd12a6bfa42fced68ad175ac61ecd00f8e500b75d34bf6053453f7970a6f92d28842a1ef87088a69a29a375c7ae9cc42d7dfbdd4bf3b033f8a0200c7e1cad107

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYkI.exe

Filesize
141KB

MD5
6bb13083539cfb48fa5a6595148a0ea1

SHA1
cdb59c1a672e2f12f9f2d6a20223758320438c2e

SHA256
c87fefaa64a1692a2c0d838ac1f36e4d9ce8b41d30fa4e841e259e6fd6c1b6b6

SHA512
352ea054856ed02e4e05f5e9c09da5f0dfc127b5b99773faec707b40e1c23ed5533256268810f30d6d19f39d2ef200393959cd6f44251e70fc68b3f27ca01b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwEu.exe

Filesize
116KB

MD5
e7b062f27841a95cbd13f427e223aa5b

SHA1
d85d7762d18a5ef51dfc2fad009485eaa10d6aea

SHA256
e6c3b12ea85a0c3108e408ffc80c08f5e9da3a4afff0294450bd1f6c3c1e7c77

SHA512
8dd9567d0c0b922e2c858bf1956030e7624c044107890359edb31c7f63ae8114e22e5eea50668764575cdc0d2d577b1f0a33102fc7e792253d4b8621af6acc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYss.exe

Filesize
745KB

MD5
16d85abeeb2e3133ee5a11117e48ce69

SHA1
cda3998d4d4e1924a557edf9d88f2ca158d0707e

SHA256
20c1596b099eecc116f8b8225a158f5e4c9c2eeb364f5b8b40d07a36c3bdf860

SHA512
1f662865e088f681d56021e19c639b969054d7630a28a3ac063e746524441e51e5bbc4870470fabdb98fa6edaaa480025e16e4251a3debde4870c7f32d96b403

Download Submit
C:\Users\Admin\AppData\Local\Temp\yksC.exe

Filesize
558KB

MD5
fec903c3ab8ddb48ec3b01beb58ce638

SHA1
ef45a560a0c1087a73bbd08e628245af2197e4bd

SHA256
6c70025567c07a7a326781972c21bd1f85cce9c8b94efc1ea06426b2e80a5210

SHA512
38a96d0c4ec7eb03ed8de86e27ea20209e54e4ff012c201127a03d00b18a885624941449bdaf4226de87ac67e3cc8537fb250fa4424fd1f2b88c14b41d54f35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIwW.exe

Filesize
160KB

MD5
d17dbc0cbfb66e8f22fe6791083ed746

SHA1
ec0cb80de2056623680140144b0dbf062eaa86e7

SHA256
7beefe6705dd7e77d549151808a9792451b08ab47bef355384af8c72086686f7

SHA512
a09d20eb058448e48b545122fd2e91e1bfc15c07bcd90d84489efb866c906942d6730bcaa7234c4abe08b14b5626dbd499bf0eee49f85764ba0f27426da2b748

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertConvertTo.mpg.exe

Filesize
577KB

MD5
7f712a81e14c55fde8ebd95bf331271a

SHA1
1ccb136c7e9b4fa8cd760e2ff3376b634dc78cab

SHA256
232f33d1c525a13bea441551a39d5e4432f654213464dc6b88f2658198ddf481

SHA512
5964b54c87250f69d37beade4dfbaa77b3e21c9f88d2d2769bd9fc067c4de681851fbca335b8fd74c10ea5b1ebd3a7691bc204e618a186544e84ae7c606a0e6e

Download Submit
C:\Users\Admin\AppData\Roaming\NewOpen.zip.exe

Filesize
357KB

MD5
c302a37d5fe50a0441b9a2ba4c8f7a09

SHA1
895d5e73b73f86a8e1a9426e4c35d0c2257110b2

SHA256
f2c218a0beb455fb224e343c23f5e05252b3284a3f71d58f463421e176a6b6bc

SHA512
e7efd0898d3defc37f5323cd642623a92da9b22cca2ccd73be50bf7da00e8e179cc19bce19d736b21104c1438d256ba4d2e5bb239fc89db580aa3844ce7b7ff1

Download Submit
C:\Users\Admin\Documents\SearchStart.xls.exe

Filesize
1003KB

MD5
8b2a0216b55e88235c6689dfa40b360e

SHA1
a89dc5bf0083f2e3b11a6f11c18c17f00f3e9e19

SHA256
7ef9c331c4aaa543f96c15429818d2c2656bff35c8594bda7d871a2e4e80af1b

SHA512
65d953d953dd1422aab25959b041df440b007124a5daedd8bfb9e861a3833c7ad183304dcdfba421ac25e3db200d2858f7a0351559ad18a0a160afed3b5abef3

Download Submit
C:\Users\Admin\Downloads\OptimizeMerge.zip.exe

Filesize
489KB

MD5
0a865c084ff438c7883e2ef7a6eeff2a

SHA1
5a51099d354dec312a5a6729ba42eba2eda85482

SHA256
33ae4794b0f118b6fbd91add951f3a5e258abca6ad73f0cdac93fa82e62c0db8

SHA512
8f5fb8616e15458fa6509638f650910cffa09b9e472a528f3ce7119761060ca583ea17a094ee11b4bb922035b858e78746569bbb7c1a7195a8f5a29dc8e80dfd

Download Submit
C:\Users\Admin\Downloads\ResetStep.gif.exe

Filesize
566KB

MD5
c8bec595f23aaf2a741ea735981c8bc2

SHA1
b204ec5971ac6c26731605d9daea4bb62756a1df

SHA256
0b10dc90b277376f678eac96164681c42116830d4f53a802b094c7548838bc0a

SHA512
17a71ee1fa3b3d47d8ead82d36244cb34b9184b38c20ced05c5e5ac9e7cadbbf701d4eca35a2539af50e3c37ff6c89e8fb9fe2145126d30793a4def354b1813d

Download Submit
C:\Users\Admin\Downloads\ResizeRegister.wma.exe

Filesize
604KB

MD5
db30fed6b092d1e6a822ed900f6b39c5

SHA1
93989df70dab00c14e99d03a2c42afbd2408f94b

SHA256
ead5109145935530692c670ce0cd4cb613a430745daade02a30115ad590f6386

SHA512
ba03a6f9e631c76748089b20748023650aa58197be0ad5f4a06a55225914432c53240dab8afe36a3043d93187a337185f7a42178bc366dddc58601cda39ee8af

Download Submit
C:\Users\Admin\Music\RedoCompress.ppt.exe

Filesize
904KB

MD5
dc6a62e48257185bcf11db7e37adc030

SHA1
1c6f3415f7167ca39c3240f05d9f48b6512e3dd1

SHA256
24e6d62cb1cfe219de9ff50e5320b4470cc8468bbe7114f893c3df8165df9c83

SHA512
4855c6a8e2b1c14e1645c08a6d9d7b91a82dda8a9beaecf23eb24c4aa81e0fef2644ec6315c8a0a9b4d2deda2db5798350e4c2a0e3cacee1ae9e88ca47be44c3

Download Submit
C:\Users\Admin\Pictures\DisconnectSave.gif.exe

Filesize
651KB

MD5
85f2729252370e8a8a6aa0d91d59b999

SHA1
bc10cddfdcea48aa57f16894def4761285c57f73

SHA256
239b8224b5c1480c1e5cb42fb9a15c4225eb235bc9cd06114f7ca5a31a7d3a31

SHA512
d2ef8ae89f173f133fe33f49270bd6e8fcafa1a16fe713c877403a9681893656644786282beba7f14c029c196de2e725dd3f4ff27dc05f8523e8ab58f70a96e8

Download Submit
C:\Users\Admin\Pictures\ImportPing.bmp.exe

Filesize
1.1MB

MD5
e06afb52c829d2e7dfdabbe4ef6de2e8

SHA1
96b8bc989f63003a9f18a1193269e4e0ce888f0e

SHA256
977f4084b5686f992341047ee8b73281e186332f9a1b7be422ee2daa0d887cbf

SHA512
ce167cfd22d690a310313f4e12ac43da53e9f16bebe16188cf7864e9c6fdc10da32dfcbe3aea645730e52b711ee0adab70d81860e70d955d10c3be5684b3776d

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
137KB

MD5
fb8b38d02b1abd7f4b116d743b30b9fe

SHA1
13e83c6fdebd1437703679896c12cf39c97571ea

SHA256
6fd0ea2fdc1ad036bf62220d72fd67892f4c71e6c17f89a5d244a7fac4d64adc

SHA512
f7c5513c095032dbd3be53edeabf9cf15310035dbef30017d3bb78046b44979e5eabe483160e2bef313d49c6363649bf82637133dbe10a66f742d6da7f246757

Download Submit
C:\Users\Admin\Pictures\OpenReceive.jpg.exe

Filesize
1.5MB

MD5
f74ec2ebf12d86a1dd4367eeb9d7e2ec

SHA1
d1aa3906d9aef8dccdfa52da86523af6b32d0f9f

SHA256
f794f7d9cad281446929ec9229ae4c4937d7f6a72f1d2d48aa0fe29315b1445b

SHA512
b357f91bee82cea2fbc9c93ae7dfb28c16ed4f2e3e52fb134c849764f51c5ff021ddab20debfde1f896be7047f3313449a93f1ec36e77c6e441541b2d64971db

Download Submit
C:\Users\Admin\nMYgkQMo\TawccMwk.exe

Filesize
108KB

MD5
937c4b37ef6bb3101d16691ee40a00fc

SHA1
6541ea57a140c3b8b383b0741cd608e463b50aa6

SHA256
399500963039508cb317908d4e5ac1760dac44c33da6d7222c8d1277ea7297e6

SHA512
0ec4165924d95527f9a93474f4c223c654fc0c7c59de4436bf695ade5ed9d8dcb606d2e234407d654ec4ebdd6b017e847ef664d3b5fc2f33e6766d0f6fceac99

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
5c39f8b3c2b7ecab73c5c3cf4b4a74be

SHA1
8e77d889ede3caf8c1998bfed0c1a177e18a29d0

SHA256
e3b3917b7549e9bc143f348abb0b7cc98d719a0f9d9c14e37e946cdb76fd23b8

SHA512
e157de874d001e59d930cca77e931832732913b0177dc50a35231af31c5d4594c161519ba392ed503b9deff96e05811a0da5b61de222cb09d09d3a003cd9b0f7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.2MB

MD5
6c30341b66419d69b2e7f78a36c288d2

SHA1
a318621ecc10f1c93937d5342c63bbb3d96f75c8

SHA256
2f0911f85b10c1f7c9ab16b884cc4686fd1acf4e877b09990e0a76549a11e152

SHA512
cbff1b1f93e2b3312b71c0af1e2d9b657f04a85c5d670c3406537f903315a3f1593dc237535b4e3f5e6f6c7d73de097732822cc1a536c1264b61490eb6a2f7c2

Download Submit
memory/228-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/228-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/748-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/748-174-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1008-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1008-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1268-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1460-112-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1460-101-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1496-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1540-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1944-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1944-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2168-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2168-31-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-149-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2612-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2612-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2880-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2880-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3128-53-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3716-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3752-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4048-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4048-1846-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4212-124-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4212-113-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4312-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4312-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4420-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4420-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4424-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4424-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4576-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4576-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4632-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4632-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4940-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4940-69-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4960-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4960-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download