40cabae518946bc901a841461bb17db9c616d70a0478db64a2862094ed559a17

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
Size

162KB
MD5

262448a316a87d4cd3b4ea7e85aa99d8
SHA1

ae5d091ccbd3035154d31c6dffb68637d8f28c4b
SHA256

40cabae518946bc901a841461bb17db9c616d70a0478db64a2862094ed559a17
SHA512

bde88a718290ea9c0ed4dd1ae113397cbde66f565cf9f85baaa712e8ea898cbf925c33484042a34aa06e6f2a4dad9a580271b1dde2647974aad5d1481b1977e9
SSDEEP

3072:vqdolkw0toO5xXSuc/qm/iD7EsLZBkDu2j8wsuqC8UQ7pRT3ch8XhlZ0Ev2IG/+o:plBUZcoEsLzkDZ79qzUYNcqhlZdeIc8I

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 33 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	EMMIYUog.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	XWsoQcoY.exe
2824	EMMIYUog.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EMMIYUog.exe = "C:\\ProgramData\\JkAkMgwI\\EMMIYUog.exe"	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWsoQcoY.exe = "C:\\Users\\Admin\\uskkwEos\\XWsoQcoY.exe"	XWsoQcoY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EMMIYUog.exe = "C:\\ProgramData\\JkAkMgwI\\EMMIYUog.exe"	EMMIYUog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWsoQcoY.exe = "C:\\Users\\Admin\\uskkwEos\\XWsoQcoY.exe"	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2324	reg.exe
2324	reg.exe
2492	reg.exe
4160	reg.exe
4184	reg.exe
4364	reg.exe
1572	reg.exe
112	reg.exe
1500	reg.exe
2520	reg.exe
4196	reg.exe
3400	reg.exe
4420	reg.exe
4000	reg.exe
3524	reg.exe
3564	reg.exe
2280	reg.exe
4548	reg.exe
1444	reg.exe
4928	reg.exe
1984	reg.exe
3800	reg.exe
2888	reg.exe
2940	reg.exe
2480	reg.exe
4312	reg.exe
2292	reg.exe
2520	reg.exe
1660	reg.exe
4372	reg.exe
2480	reg.exe
3776	reg.exe
3316	reg.exe
228	reg.exe
2132	reg.exe
3084	reg.exe
4460	reg.exe
4136	reg.exe
3160	reg.exe
320	reg.exe
2364	reg.exe
936	reg.exe
2964	reg.exe
2156	reg.exe
4904	reg.exe
2668	reg.exe
4516	reg.exe
1444	reg.exe
5048	reg.exe
4392	reg.exe
3052	reg.exe
2932	reg.exe
3312	reg.exe
4556	reg.exe
2676	reg.exe
1932	reg.exe
448	reg.exe
2260	reg.exe
4996	reg.exe
4612	reg.exe
2420	reg.exe
2292	reg.exe
1648	reg.exe
2856	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1940	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1940	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1940	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1940	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4432	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4432	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4432	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4432	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4176	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4176	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4176	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4176	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3564	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3564	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3564	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3564	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3380	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3380	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3380	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3380	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2228	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2228	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2228	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2228	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3196	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3196	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3196	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
3196	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2704	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2704	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2704	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2704	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4588	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4588	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4588	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
4588	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1400	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1400	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1400	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1400	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2960	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2960	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2960	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2960	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
5084	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
5084	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
5084	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
5084	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1208	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1208	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1208	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1208	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	EMMIYUog.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe
2824	EMMIYUog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2172	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	91
PID 1844 wrote to memory of 2172	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	91
PID 1844 wrote to memory of 2172	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	91
PID 1844 wrote to memory of 2824	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	92
PID 1844 wrote to memory of 2824	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	92
PID 1844 wrote to memory of 2824	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	92
PID 1844 wrote to memory of 32	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	93
PID 1844 wrote to memory of 32	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	93
PID 1844 wrote to memory of 32	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	93
PID 1844 wrote to memory of 2364	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	94
PID 1844 wrote to memory of 2364	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	94
PID 1844 wrote to memory of 2364	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	94
PID 1844 wrote to memory of 4688	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	97
PID 1844 wrote to memory of 4688	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	97
PID 1844 wrote to memory of 4688	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	97
PID 1844 wrote to memory of 4728	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	98
PID 1844 wrote to memory of 4728	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	98
PID 1844 wrote to memory of 4728	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	98
PID 1844 wrote to memory of 2952	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	99
PID 1844 wrote to memory of 2952	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	99
PID 1844 wrote to memory of 2952	1844	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	99
PID 32 wrote to memory of 4776	32	cmd.exe	103
PID 32 wrote to memory of 4776	32	cmd.exe	103
PID 32 wrote to memory of 4776	32	cmd.exe	103
PID 2952 wrote to memory of 3700	2952	cmd.exe	104
PID 2952 wrote to memory of 3700	2952	cmd.exe	104
PID 2952 wrote to memory of 3700	2952	cmd.exe	104
PID 4776 wrote to memory of 1160	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	105
PID 4776 wrote to memory of 1160	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	105
PID 4776 wrote to memory of 1160	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	105
PID 4776 wrote to memory of 2556	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	107
PID 4776 wrote to memory of 2556	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	107
PID 4776 wrote to memory of 2556	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	107
PID 4776 wrote to memory of 2260	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	108
PID 4776 wrote to memory of 2260	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	108
PID 4776 wrote to memory of 2260	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	108
PID 4776 wrote to memory of 2940	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	109
PID 4776 wrote to memory of 2940	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	109
PID 4776 wrote to memory of 2940	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	109
PID 4776 wrote to memory of 2900	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	110
PID 4776 wrote to memory of 2900	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	110
PID 4776 wrote to memory of 2900	4776	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	110
PID 1160 wrote to memory of 2456	1160	cmd.exe	115
PID 1160 wrote to memory of 2456	1160	cmd.exe	115
PID 1160 wrote to memory of 2456	1160	cmd.exe	115
PID 2900 wrote to memory of 2716	2900	cmd.exe	116
PID 2900 wrote to memory of 2716	2900	cmd.exe	116
PID 2900 wrote to memory of 2716	2900	cmd.exe	116
PID 2456 wrote to memory of 232	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	117
PID 2456 wrote to memory of 232	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	117
PID 2456 wrote to memory of 232	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	117
PID 2456 wrote to memory of 3084	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	119
PID 2456 wrote to memory of 3084	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	119
PID 2456 wrote to memory of 3084	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	119
PID 2456 wrote to memory of 2324	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	120
PID 2456 wrote to memory of 2324	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	120
PID 2456 wrote to memory of 2324	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	120
PID 2456 wrote to memory of 4756	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	121
PID 2456 wrote to memory of 4756	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	121
PID 2456 wrote to memory of 4756	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	121
PID 2456 wrote to memory of 4292	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	122
PID 2456 wrote to memory of 4292	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	122
PID 2456 wrote to memory of 4292	2456	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	122
PID 232 wrote to memory of 1940	232	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\uskkwEos\XWsoQcoY.exe
  "C:\Users\Admin\uskkwEos\XWsoQcoY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2172
- C:\ProgramData\JkAkMgwI\EMMIYUog.exe
  "C:\ProgramData\JkAkMgwI\EMMIYUog.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        8⤵
        
        PID:500
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        10⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        12⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        14⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        16⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        18⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        20⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        22⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        24⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        26⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        28⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        30⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        32⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        33⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        34⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        35⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        36⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        37⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        38⤵
        
        PID:572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        39⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        40⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        41⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        42⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        43⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        44⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        45⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        46⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        47⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        48⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        49⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        50⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        51⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        52⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        53⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        54⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        55⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        56⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        57⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        58⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        59⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        60⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        61⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        62⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        63⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        64⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        65⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        66⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQIQEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        66⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAAYIock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        64⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KasQQQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        62⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKwoUgQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        60⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEQcMMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        58⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYQAQYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        56⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaAcoAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        54⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwwcYsgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        52⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doYUcwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        50⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUcQYUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        48⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toIUccAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        46⤵
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOscMwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        44⤵
        
        PID:3564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAAksoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        42⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rioEggQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        40⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoIgwcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        38⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEkYQQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        36⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NusosAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        34⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQggAkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        32⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taksgwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        30⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogUckcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        28⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEsUUwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        26⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEkoIQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        24⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sywIwkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        22⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkgoAsgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        20⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReoQQkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        18⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWsAgskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        16⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DewEMUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        14⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycUEckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuwEwcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        10⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xysIsocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3360
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3084
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2324
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWMkcwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        6⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUccooww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGQAIEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3700

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4c97eae0fa09ac1b664c3619fb4c875a mSwMKO5YL06+YRFpErBJDw.0.1.0.0.0
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JkAkMgwI\EMMIYUog.exe

Filesize
109KB

MD5
3b238bbe10709171ef147e13e332e285

SHA1
71279cb929884bf1d228ac6dca30e8ea4503ada3

SHA256
22dc474abd70bbca251b1407076abba06a1b636bf73cd5ee557d10bd472829b8

SHA512
f0e349ebb5f8882130e5b31cf8faf0746781b6547a70de09bb609834cee82f7423f21bff7430f910595b127916a14c12dc879f895929ddc1302575cf028007d7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
238KB

MD5
8a7f8de7170264bcfb18737e0b5f6fe7

SHA1
16b8cca9cf2cd6c565e1ee24e09e26b5a1883bed

SHA256
6bf9e0e22d439873f7ef4c048d301e660ffc51e9740277dde136ae673c2c3543

SHA512
be9186b1f9b7c70ee2270bab790c552a4223880ffc162562f646dbf7a228a1d749cdbda67576ea38963b7464860ffcbd13c5c77184bf2d88611e732f81639dff

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

Filesize
116KB

MD5
5ae88c53027e64647012b45c5172b5e6

SHA1
779cc6a2a3b84b5af3d0e3c763c2c6280a6bd028

SHA256
adf56b7e76a511020752073606f5e566b3323e4b8126256b52111cbcf7e69adf

SHA512
7313b39187776d7ba6edb6824634e61ded64e33e8aa5c78087ff40915a07eace7604bdabf204abf5f073112d6741da0d11bc208efb3f015483b56ef3f2b27f5e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

Filesize
110KB

MD5
072b94d50bc245babc77c95fca93d46c

SHA1
0532f8bed23aa9759b85529125d3201a7ff5f070

SHA256
0e677cd46e370ce17f886919283735d4c4e22f45ea23a22c8bc302d71b4f50eb

SHA512
d3925ea51ec4d14d7c161a427c3d1c1a737c95592c195ba89acb235f2abe1796cd742d66e8610eea04e035d0f17d0ad60b1292c26d7e9c2594b0df9308e08df8

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
567KB

MD5
f1dcee477455d5877697628e7a189137

SHA1
71eacf31559637ccd24a5d7c479fc2ba4280d6b7

SHA256
b6d83c58252f5af4fade10e5e9dc088688d1df4ca0293c257653d2d14b7a58e6

SHA512
21340ef6a66a54a6f72b0ed0d316f65b7a007ad0f7da05a465489003a51c2add5c336964657dcc909ac82d21af87ee4b275b6c586630b23813abb6a776ddd052

Download Submit
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

Filesize
722KB

MD5
b9af5b3904f5e51349e804cecc39779f

SHA1
3fb2bda2a5682d9df1c30be50a9d52c10f628843

SHA256
e939a5942b06e6330dbd75a9c218fcb1f18b7d5a519e4a9810dda194d4195ac4

SHA512
d35a933ee484e8c45628ac60b3bbd453e79a686d204041b64b27ec7bd776ed0790c35993d2bddcaebdd1344f99bceeed5438973b8dc9a3d462cc74706f208dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
113KB

MD5
c89c0ac0e44016ca70aa87a605174c12

SHA1
fd0f75724050d5cf2e1023e055d72dab3ac2abe2

SHA256
0eb44d9922e759376f44b94a4d3a8989ce347f2283dd6b2b734f699cc9db4259

SHA512
257c6129148fa368e428d7e5a032b861b54f8bf5e519db37ae8565334d0d67c2fa6fa8c0519a981c1dec64a983899bfa79791c1201ae785be9f583111fe3f944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
484KB

MD5
11ded47e1eeb88a688d70fcb4e912247

SHA1
0ac3a97e16e609ac1164ce12d3fa124ae5ce669b

SHA256
10a7d35ac3dc458fcf2d172f4f7fda120d2d201a0f22460ed7e9c6de2f9a2a2d

SHA512
05e995864e284948f548af5564d84211236a058fa142173e1c082ef6df0d5a22a8d672ebe6bc61ce9f45529ea5314828811e74ed0fd343783194fdae5f75fec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
120KB

MD5
910408845df4da96bc6de8643986e445

SHA1
9358ffad60584ecd3f4aeb6cc6c0c336821f2cd8

SHA256
b4d85f35dbb1416e86b6333d56076e9bba4f655d45e57a3fe218b3512546fe76

SHA512
fb9aa1ab8d35917caac5241cf2defa386568c3895da1589a31b0965cb95220c37b4f014f7382b3b51ad460f962086b0247283b62f9b205dd92511370d3bac329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
120KB

MD5
2716b26d82a517f4abf9337ba848f4c1

SHA1
89292308acd8c285ed291150c0120126129a16d9

SHA256
b5f8ed054fb7591b930a010a6440f8b9dec84e4886fb25731e687d719b104064

SHA512
821dc030b3d37e2fcb3bfd0817340d37d5274f104df2e39e1b85cbf004b1d1bfd20261538a126b946ab29666942435394359eca288da30243d8b1b5964e92e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
114KB

MD5
8197ae10b68194356f6b214101db026a

SHA1
5389c653c307c6c2f907d0b4f0f87f4e2069beea

SHA256
fd718cedffaf7f283aaafea7b09927f629a62bbf2dc92a461f7cc678e4dcbf14

SHA512
fc58142787546f2b9aef70088ad532e3d27f18e8b40dadf64daf8d66dfe4a91813d1808a1a331cfc6241cebb220c574e6cb4f55391123e84d908b1794f2ffe8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

Filesize
110KB

MD5
0ae9dcdaa9f80845d8385a104168b5c4

SHA1
b3510376f11f605be4f2246ed0ff84237d616a42

SHA256
dc02a5d440e85b20db431b5efe23bf6dbfe6f52f2bae5babc762b884ddb64a23

SHA512
2be91ddcd8e640675dae65f2918b2e6d35332d58b51acd5bf95257ebcbdf3a78833894d4637b56a947d84ea5caf28253cab2abdf0d81266d4b15663bc1dd646d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
111KB

MD5
b4bdc00a5c9671baa3d9a83401f3dbf2

SHA1
d42bf5f691ef18a858b803a9cde841a47d80b58b

SHA256
1bfc24c8108bdb1410361430b3d486f5fdd7a15e6241b7e1a0b4083ab503910b

SHA512
505b700e6975095d2513a67e5c0c1348d86e57e073452cd8cb19de6866d5fa689856ed88f85bd93eb071fd9d3066009abadb4c334bf8a070d892772d59e8c505

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
113KB

MD5
72be7167bdb78ef4ca5c19ec7f7c2838

SHA1
ef673b6bd39b58b221f57bb44551110542ae3602

SHA256
b1c726a174177c701955b355e74513af6a8e2d13df32ad256e3973065fa44162

SHA512
d22db999c6c0387d099498c7f6e20cabb902f22e6f874b5dd4ad70669128cd5fa8a4f60bdddad30003fa669bd0f79ab30b7f020444779302b66a8a77017b5f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock

Filesize
48KB

MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\AskQ.exe

Filesize
112KB

MD5
3ead346a34c55649ecc8ef0dafdb59de

SHA1
55df1b229f3629fcc66a903f508d3251d69b756b

SHA256
88845faa5f13a72f8c5a4249e833b8989cd6fc0226d66e721333a4839ebc0153

SHA512
e0b350d16e046b7ffe8d7d9dfb2a5215deb7cf8f5cbe20ea249d6e4d8439858eec9f951e1aead6ebb41a3bb9c1630d733bcc92e5ed23ff426371237f46fdaf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoAa.exe

Filesize
139KB

MD5
9c1a58f31974e22bae71cf43edad4409

SHA1
a4aeb2bf2bcef695cc66bf953210e2ae2348b17b

SHA256
b3a9da04d559136ae85faf3116f9c624e2ca582ceea57bb79110fa172bbbf763

SHA512
f4b9267f8d6bc21866abac4baa28a03ff263072358dcdc87c860b41ff746ff55583e23e255a0a84116b89cac457b2a5b7f55f5ab97494d48d7ea6ad1b7ec5215

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAS.exe

Filesize
141KB

MD5
2e374cc1da622f7dc64ed0e27b358c7a

SHA1
5a1f0c2682d4c62b5c022d805c784893d18faa92

SHA256
c8347857d3fdb028be6bece5be240a83b7031814b5f0c0fa4e6353816d97dd1f

SHA512
08837833c96eae7d043e5ec81ee91b3027916870c0a40af3364c0fb2e8c61e89829767e02682fdc34d412978fdcad0140cc6b92e09fa308a0df0a535eacf2a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccws.exe

Filesize
279KB

MD5
fba89770430a62ec2f4c30f04a9d7b50

SHA1
476906e756607c1df089baa2ad9526fd5187b3d1

SHA256
c402f7c572e4b1beb488b046d233d4dd0e7b04dadb5ca0c5c56df033c3d00022

SHA512
8e91ef063bf5d0cd7e3879ebd1dad0dca599909d0065f3c176866794cb65197b8d4f519e849a08cfa9c0cbb0cd4bce32486a938e073b113e818d12a1fff45ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkAa.exe

Filesize
351KB

MD5
608bd74515a4b6c42d0040dca25c36ee

SHA1
e7b983e1fb47a72b06dff40bee2257bc612cb2e8

SHA256
62d14ec1d36f8104942834f1dc7ffcf2521feeb9c62bdf8ce1edc2bd8f810de6

SHA512
3077ff25286a7cbe766bad56e51c259eccc11fdf1ff9243596c1df252419edbf8ec7278e923a839972920492f657b350fe83c38c9a9b5086d0cd7b8b5f1307f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsQy.exe

Filesize
744KB

MD5
515f0b6828d5bd8b375c448e5ff367ea

SHA1
3d6d2c964aad91c5ca35be37ab586950423ddef3

SHA256
f78e2dad0c4a12b0e1942def537d5b7de38f2ea7766a241b483144dc160f2bbc

SHA512
2a657750fdbd393b9ca653e16999d514d0aa799347650722b9d94c6133db6507e9f21b616c11a95975654dc907498cdab6b9642bf6338b495cfa6fe8af68874b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYI.exe

Filesize
111KB

MD5
67d438f6871076ef7d587d6c1a0cb20f

SHA1
9d2f789b324722ef3afa192e8cd39ad7f548550d

SHA256
4c5cc41a8936c5dd2f7726f251f0f85d909c1373f6549540e974a2926771a33d

SHA512
bb0f323539956b529d48485fe35f69b104220b89a1b12dff9c73036de60c7a052bbc6d01a5ef07e9820f650ae0f5f0e513d5fcd6e0b72c552bc1676faba9e753

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEQa.exe

Filesize
121KB

MD5
6f6cd613bf4b4027f73695fafe2b2b8b

SHA1
885549a5e39ab416b3c6d9d305b2104b44a04f5d

SHA256
acdc51603c3d79b57c1014e7603992dec6dc903ed4cbedc15217150f1f0e4761

SHA512
a3b806d39b1aeb7f3db569b58103ca985d2f1946e3b9872a059535748021498cea17e0c0fbf491bff5aaa6249443480891b6152ddbe2148dc4889ebfb00d8c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsAo.exe

Filesize
112KB

MD5
26436f1cdaf3a0f0baf955f8abe36923

SHA1
cc5ec583273da3fd7448e31a6187ace8e0d0c633

SHA256
d5bbbd09f55c69221101060844b3e4f2c60a4f585efb95b1be92354e6857a427

SHA512
d966abcd16f87f40d7a17faae21671a4328ae39d12c87c3ed46748d8096e617c83b67e22e3e1eacd9ab0da4986fe3833c356972dc4bec9b82fa5a250074a0cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwUK.exe

Filesize
112KB

MD5
1cfa34e58ee5eeed5e40336499bf60bc

SHA1
5e046178177bc6cb29c77d833e638ae2acd13488

SHA256
679e91fd23c96ef6142ff1dd8d5c3187acee1f96bc24a2e02c54bc96e909a0cf

SHA512
5d96b1a25381e09fb216520baab7000ed0fa41b634e174502bd4386ae7c8845705862b88071a0af26bc576bedbc864651489924e952ca337d412df857cf7ca6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkco.exe

Filesize
554KB

MD5
8492e9aaf3e088dff74860cbed883383

SHA1
2c9da12c6129c76b461dd85b94627acf0051a286

SHA256
457b2a03d40a0470f596c81ce217ecf5f68599016d6787aa853f062166aaafe7

SHA512
bd339be6223f825208415468abcccb1d4e5483a5b582d71ccbcf4b1070c13ef3229af2683d9a234297f193b90844e3f4eb9383581a733b436abb3ccd3679e1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAUq.exe

Filesize
153KB

MD5
92edb0f38ed2d17e7fff0b4d81bb3c20

SHA1
f298deda1e7f43c36e3bb35dc4505c351fe2f206

SHA256
73da73842da986d43507e2d1474880bfc3f0400841588f03333e54d8332ffd48

SHA512
c678465577248954b1d81c222ad29866e8c888fbb61a96023c2b07eff5fb04994241cfa5e057cd2a0f1dbe1dbbd90ea76e74a54a3786fa6dc2b04f479610be5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgUy.exe

Filesize
116KB

MD5
13fb3e081390f58c34e0e9e0958f4269

SHA1
91b11b24cb1dd5e640694fba3cdd823350ae4c3b

SHA256
55ce8f0d208d4016cda4844a0dc86282e4c1f532c9305f3cb20a50612844666f

SHA512
d660a15682a118b1695875e1af4937a26ca0d1d4587721b7daba68489f357d184358f06f1c03539ea947e1d55a1de976f6ad896dc26b30b109129d4843677e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkQK.exe

Filesize
443KB

MD5
7888068f891d7a0eda8c84b46fd51b99

SHA1
0af648e4ffbc73b9b183870708b04f9cec961614

SHA256
da5f3896fa11678980144906ccac8a0f7574eb899dd9c489b7531b76bc0d6345

SHA512
56a0aeadf930f7e3708f613f76a4241dfb64529c63b2b877737aaad6619f4289e515d70c65907b0176c0b9e5b06b83cc9042db3da559b048b406354fe82050d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\McsO.exe

Filesize
111KB

MD5
8ae8d3970e30ba89e8368d15a9293ec2

SHA1
605701523bf251fcf25135dd0329c62589484405

SHA256
347017fe743a119c98b9b731d78a5bfc80fcfb89fcfc0f3b76628dadf27c7762

SHA512
6ebd7810e95367a624d6443ed48152339147c1be009bb8a39eaba06bc04831f6c80620523ba73d222020fe95e961e445e212b517f6e9776188844a60df4190e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkoC.exe

Filesize
117KB

MD5
b36d1cecc00473eea81c56080a7f065e

SHA1
933f5008404a8b4318312a9a3d3dfc365eb5f29c

SHA256
b51ee43a776f4d9aaec9ac3fb16a044827691cec9635a47f2292a88283e6f63c

SHA512
3e22bd52d75eea8854f2f8d2e67dde90a5f6929886dd774373da38f3c8c01c288713f74af6307c841e73a0061372434b6b4cde3f2194c9b2847d81548c7b56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwIw.exe

Filesize
113KB

MD5
61459bd3b83cda57d4b26edf603632f8

SHA1
0f3fa321ccb2b836b7797817147e98ea6c86a0d7

SHA256
8881d52f7091654cc61e68c72cf7155322763c373e03bf5e68e0793d4e7902fc

SHA512
d70fb4cb394357ae88061d7dfa0b3a14ea65a9cf49c91c5205ce02b2c8a43c4209677022c3369cddf9a74a84b27338bae1753e116db55cee5117083cad3d9ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAMg.exe

Filesize
698KB

MD5
159f882cf82829c300641cfdf323ad8e

SHA1
c245e018c62f3f997e6e786bd35f79be9ea29cb3

SHA256
e87f411707934c7aa4ab8f88904d02d6d763639659625ab883ab093743b9a144

SHA512
892da1c2219713c80c9c1f26445b24765b4fd0b0fcfa698748c3365a2f6ceb81d75990a5df2111d612eec3c20b0c8bfcb55bfa5d3f491203d087db6da8a62a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQUE.exe

Filesize
110KB

MD5
871538cfff751d78e86accb380507d8c

SHA1
c5af03c62624c669ede75574cc8fabf077e9cb25

SHA256
8a1a404d1d2932e5530f6da38d554ce01517c00f90c76e2cc6b5a5e38fcffc09

SHA512
a11cb7d5902277f2330b060aa1ae45b4047dcb2ff807c35db5da4fcc6f0f5c78905fa7bd056a12d3b6ab8d37df32fe3e1ec9e7bb3a1d73ab380c7c8092228aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQcQ.exe

Filesize
697KB

MD5
2a7f0c364b17789e091ab403e404f294

SHA1
fa4b585c3623eaed09c6a650e36152a5dfb97ac1

SHA256
979567525b8a0ac245179d0034be61ca33c2a6e0e8aa30824728e8cb27006bd8

SHA512
58b33267b09079b73202dae6a926072c12ab8f427e9ee52a09bbb17611ed93cff56245654fb1e465bcb6c379dc286bfcdcf1a54343b35f25b3eb898625e7bab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMcC.exe

Filesize
112KB

MD5
71b2c63d9528b3724cb28d2c08b7b687

SHA1
006ea00df276eeaecd135951634c1c84ab26ccec

SHA256
76ca2d862d864f9a40ff3ec45004454198f15c2c935f88a809728439bc6efe36

SHA512
286c983df6aa3ba25b76e5ff702120751de201f24a4dc25026c64d31d2916374c7d0d25f045271ab09683de5854e3f75717fa5804e70ca830f7dca60451047cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYAu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEi.exe

Filesize
722KB

MD5
e6152dd409f6bf5e4f44a740c005d9c9

SHA1
faa7e1d5cb4533406eb7b1264a7f59785091470c

SHA256
04dd5531276a965e236e6e8a88197c88d039e78db5ce32b280834f8e52eb2544

SHA512
88aac077fe0e5e6dfd9071244cf8d5b35b5b461950c152a7708cfecdde78896700e57ed16afa66280f9c6ae3bfd78e597dbc77c8050d4d9afba2d82c3fbe6e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQY.exe

Filesize
119KB

MD5
e37f1c6956b962d76764c855c2efbf32

SHA1
640e32ed8cfba2f16da5978b13c6bbed8de9d567

SHA256
a8aa698fed92f0409820c76a33cd17b3806fd0406835e0d1cda6a57484580567

SHA512
6c80cc4b4917413cb201fdf7cdea2075d519598d3018f337ae6dce7c81afcc8b00c187d7027cd76e4f977efe64e0c4e1d2336df87f05db8e00bc7799672c428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Towq.exe

Filesize
148KB

MD5
ae01b61ca7fb9e3a92b9dd8c23e5e432

SHA1
943e9364668d28ab38b48a50e6a1913b42126842

SHA256
0e0bd40b11967f2942ef639d0452e95df52e3b8c49c2810cf09ab2b184a7a4b8

SHA512
2572a70b46a7b7f154357fcf2e6f62d8dcec684bfac1c8f9ffcb6773de039fb517f2520fb239ffc36d677007a7b6a9b9b8ee4deb9f5e429634c72dd8e20a44cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwEu.exe

Filesize
111KB

MD5
4d2d65edf138c1fc02e768a95f942b6e

SHA1
1af44dcc34e836e4ddc284440ec38eacf59a2e52

SHA256
cfd7cce5d7d65c357815e082191b66ca299c381e91abe3f466776f0f1e57e916

SHA512
6964bd5bad7711afe19df0a9dda5b49d365aed2787cbcee2594a5fa99b62554b4f0518c93d416e30a0cfe1b5c2f548ff6086169784bd1eb254fecf3b789aeb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEo.exe

Filesize
111KB

MD5
1b198fe16a7eb32dc32f6842c3f644e2

SHA1
d62e5d5aee8cc8e5ccd3145b22f4cc050b837174

SHA256
16c847f50d1b9d74d1f1d181b58389140e1ec898b86f5981505318c39442e7b6

SHA512
ad303da4942c2c700ed1d4445ac657a537cfc794037ddbf9cfb2ace7a740a363106eff553108193020aa9d3641f2cf4e112ed8fde2e6cef16e4215d233e37883

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAIW.exe

Filesize
138KB

MD5
4d1a66834662191444bb679acdd86429

SHA1
9690205a71b99e259bffa23ca42e136a31e5450f

SHA256
079f433f127a826e6c1c341fffea9a911450766c0a66a480b2c71bc190f91925

SHA512
f347eb3c2c775fe3944be774aa39e0cec26a6d0f0027b8af11e55a24d9e578bc94591c43e2b5ed778a9a810c601e605ee8248537cee01b626fd1b2b2ebe93589

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIgy.exe

Filesize
111KB

MD5
f3afe6e3992dfebe4a48feb10d065902

SHA1
9fbcefc115e359131e8379b9811374250bcfc47c

SHA256
e587c23826d5a8c51d1ef15c8e310d77a526badf655873d55054ea5c2ad03ce6

SHA512
56c7bee64e1f8fdb7409e9f1dd3d096bd368635a06e5566e564340ae765ff051f4aecef675791cb26e15b38982abca3c9d175fa663a4d5c37f77fb561952f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcwQ.exe

Filesize
119KB

MD5
56b9bd23a3f458d31e609b387b12954e

SHA1
ba10cb7e03b0289ffaea9f90d6ad68078c5bd439

SHA256
1ff49237a13c55b0239431e48496ff28c0adbb4151bd837a3b3ff66beb7d07c0

SHA512
4aede420d5e4eb8c13579831ae67705c2150dfc8805c938708097bedb1d05b90d0dca668b6b00b2894ff47fc9e0d2c3cab41ad1fd3872345c601ee0d21469374

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIsY.exe

Filesize
116KB

MD5
c7ad8b886797873d474ca200ed988beb

SHA1
fa7968e8d9d1837df69a54493c2e34b34c64302d

SHA256
fb5b2c86c5edd4d3eae8477ec4eb8c789d888d5630022b34578ac5654b54aeef

SHA512
ecc829a28ce4b3f6881f49f85071e97a6962f9e05683d72abe3609f3742627f0def0857ac7c4b193817c812ce0075d2d035ac4eb62502f2c14c41793a0097297

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwS.exe

Filesize
147KB

MD5
b8ec64b554830b3085b7feabff3ee9c2

SHA1
f5e563452d27f00e0bdaa56978750d9d6ebb10cd

SHA256
77727173e18762ed6ff2dde245605efbbe4207d7d80bf0a9035af6548ba330c4

SHA512
5f0c27a45275575c3e8b12bb41d2bbf532990e24117b94a5af59a91271a11c01e626cc2a563449d31fbb97dc623574f044b61600c64a7d62c594c97c029080a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAwe.exe

Filesize
111KB

MD5
be636c92fecc279b7b798c956f748767

SHA1
0ece9486dbfb1f0288e09926dca4a4544360aeaf

SHA256
66ac3cbfd5c74ca2e86b0a846d89f36299911b4ed39fd02c93606081a698ee4f

SHA512
b21190aa5853f91712cab7102e9921109b05e100cf904bb3cdf440dfb839256d6b12f656449f2959c94b9ac10f7f51c919036743dfb718b5d1e322b7d10e7a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUcQ.exe

Filesize
118KB

MD5
2f1d31a4ceb90a2dd650a6505a2f4de8

SHA1
56ac0fa08a9165dc1910d87b27e4acffccd71bef

SHA256
75332363022a0978f4903c0715ac7a97d3c02176fc84937984248242da5c1f72

SHA512
37683b3d9c792b1a02fe70bd340f387991a5f26980f7b17385cfa089328d920eabeba150d41193b26e3cedf4db512e63a83a3112e60b3975e226ac75eb643f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEoo.exe

Filesize
119KB

MD5
dc74eb8fb9ab4da16d4ab3401f87537d

SHA1
60fe7d6b0afe79c156f894dd5c85a380626519ec

SHA256
f5e06472024c9026104b7a915fc83c60495600d896f87e3adeb18317c53ddaf9

SHA512
fd9508153fe471c4965a946e7166b804be4dff6440ece6895bf6fd3a0a7533e4979728f62d33b372ff36f025c0535749047fbeae29d4634dccbec9c3c164cd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQIW.exe

Filesize
570KB

MD5
677f031f25b4ad2cfe7aed6835e44772

SHA1
0475a9b7a3c494d8675e96a8f782ce1806f0ef12

SHA256
a40f4f43ec1ed0f966a89fa752570d1c24384073dbfbf3589c99e99f69ba4c61

SHA512
b126c00129e1e4fa28610e5585330c6f797d5b6101e49f7b0c0cfd1865f6f94dfffc8ab5715c9af9c768fc74f4666ab894c89f6efe123cae0d98a763394f8cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUgI.exe

Filesize
563KB

MD5
856441e544094e605e7c4be79633eff6

SHA1
52e2571bd34ffd633a987aeccb380f72af74ebe7

SHA256
013deec86919f1c06c2eb5718ddd27eb81f15a3320db23c505c51c965b3f4bb5

SHA512
9317b3a7aba39c689e6585f951b41244c456c5675b86a360639e8e6979c8ab33c9d27e3717d9883719d9484b2ff58a46ff0256f4d76fe004073b18ca188db405

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEIe.exe

Filesize
121KB

MD5
fdd3ef42138e37524da846660193f42c

SHA1
edc94833d43fd679c26a890166dd9b0006a5c6ea

SHA256
2ad7e1603a09eed375a4c0a48d7fe6931932bc91b66e7ac9134f68a752aefaa6

SHA512
ae52d6613f2f6c07abc94cd9bfdcae618d23dc0e9c132b01ae8f1d7b59a6dd438991506a75c7a7752185819a6ae278b45dd640af1fcf3d106cf44bf9a7625b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkAE.exe

Filesize
112KB

MD5
6c945d97baea1eb300063b977264f90b

SHA1
20fc69d89d29cf3033b792d1af2102405469abe8

SHA256
cea305af86566726778daa4806f578638010251d6bbe35a8e609d405b03e8efd

SHA512
6a947fbdb9ba233c097f9e3bdca5611ad8767a8b09083a2e7ef333301a53e5ffecd27899192e7f0448d6f3e67857da1801e0cd8ff85101d32ed88748094a687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZscC.exe

Filesize
530KB

MD5
5c6f627d06660608eb3f4c3041c9a741

SHA1
bf46dbafc05d2039acc9d25db9770f2b86f0fcf4

SHA256
30cb77b1ff7ab7089f1ac9265a5843028677d813e03298431974be7aeb97439c

SHA512
0bbaff835338e120221a57738544a1cf74ec167bd870679e54fe1a94248bd926eb22d7ef4119c4e1877c5e4857239ab750ebb94c9c28fbb060584a6cbd763186

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUM.exe

Filesize
565KB

MD5
6ca0ee34df16aa69b18cdecb08a5dee5

SHA1
6f22077ec1c94b72b1977bc619adcb8c792191f7

SHA256
2d4ad28080d5a824cb2f66bc304d19f5ca5e6ac116a6e2a07ab68d7d3d47c43c

SHA512
8792ac12f10357fde3ef238b75f5809019a8a2f6e56429ab8aa91495e26f1914f577be3d11e1e6748ddd6081291b0adeb56336eaab24ad7056ad6e8a22238210

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEq.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMYc.exe

Filesize
110KB

MD5
2f61276f500b71a4486dad4efa697895

SHA1
ee09b833b4fce2a241b1d2be54f2016384c4460e

SHA256
28edf06e71160276f674e11cbeef9484e253956903e8e2c86b91fa69bf6cda01

SHA512
8becc07e537c60cdb4273037c2305c7757642808f5b1782cba1791f22fdb640e958b01359f2d4398b3c9d16e3b985b8ffb1f990da14fa89a88cc8a344ad15cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccUK.exe

Filesize
744KB

MD5
c99a07d3edcc01198067e7021a497a48

SHA1
ceeb03e7fe16dc270184dc9d5a37b1c8265bee59

SHA256
0c3d765d76be66363bb36d0daec3892f8ad8cbc0097e066213fa75ccf0eaea68

SHA512
2b14081756a6065a78c97fd6459c008aa5c5b58f3a64dbfd2b4ef701a223ee2a0a3ed404905af4cd7cc831ebdc69c7272167f31f757f5cf8326381fd45836464

Download Submit
C:\Users\Admin\AppData\Local\Temp\csMW.exe

Filesize
110KB

MD5
efb666f838280c0106f095d9cf62398f

SHA1
ef1bd762f76bb3e5ddcc74dab9227ec5c8cc44a0

SHA256
2cca76bdee70517706a0fa11bfe3bba4f5033ea594d0c2196544ce4b454b8c18

SHA512
0c7df96a7ad763e45b8d21d61b51f84fc235b5734e38538b24c61921af5eb7114723cd3d276d7df1331e3fa0351c0914ec6e6a215765ed2d06eb2331d9596045

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgk.exe

Filesize
136KB

MD5
8d433e1e60de28730ad15ea8b5180b6e

SHA1
77376a563041aeabff0ca42ee286f9897f29c088

SHA256
b9e25b79627c38a37026ad5359daf86978c9e0494be5e99eab773589590bdc59

SHA512
78fa29a4ebcdf41a3755324b2af1ab99f1ee485bbd2a0f9dc8dfe66baa8616815d1e59abde782b8d3b0666b2a2cd40a3d86cda8228036a487afbc7161292bbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQIi.exe

Filesize
117KB

MD5
8fee054ec54b7f5cc7cc2f77c8825068

SHA1
822677a9956e7b85562e82e8c6ef1190016a0621

SHA256
9e97a84144063c3fa6638b94b22636d83992d7f7a31715ae5074abba972c887a

SHA512
9804367522e56b10bbba31f67b0e796d88b5139aab97b417505bd0c321ec912926b327f0ebb63f6b3c977a2dd69449b76ed8a118b8f0417cfe42c5d2a5f1acbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcoS.exe

Filesize
111KB

MD5
29c8a5be08e000b7b2b9bc480ea542be

SHA1
1525b2bfd7f961ba90e6846abc13c6134c306a60

SHA256
7408ec384aa872986710adfb8ce2567d7d86848b111779ef706daad7cc6d7ef3

SHA512
49565aa2bb29ef254fdeb0512e5a8b57e8594aab6a307c4b4fe3ccecda8c1144ed42836a942d467225c2dd96e66a76a60cd5c61c33c555621f1d72fda1689f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgIc.exe

Filesize
113KB

MD5
358c32174cee0fc03702baae820ed7bc

SHA1
59a02c6cf86a28661cb2677ed99ab62878559eb5

SHA256
d11e61ff3ee625dbcd6008c379e1bca28bd94960e7f03a13fcb8e12039cc4073

SHA512
4d38e368b68bec0f9e73b26556645ace3209f8c04764869cfcffb41ffedca13404f916085c6babdf978943b30509bd030c45fc46b4748f4e0cba105a27ba579e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foYc.exe

Filesize
121KB

MD5
7a91bd2e3cacd20f98e45aadc9b2ad29

SHA1
05c4272b43cb425101f97ab8103745719c85a229

SHA256
ce412fce2f97d63d21f9a61b0fd44005d610122efc63b12e41eda135213ef863

SHA512
eb5469fdc977b48b16e6e29cde440c1275cd07f6aefeff1ac826d392b9bb53460a9713e1e468e5219df68185b6346b9bf443336b516f5475dbdcc500866c0b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMw.exe

Filesize
237KB

MD5
d81c79b12b9cb7d2a80eb929e4d7f7e9

SHA1
1531f76070e951771c0b732a2f7b901deb74817a

SHA256
c00fa08e1959c26e75f277c7eaab87158e5d43ab5c840aff79b176f303711a35

SHA512
c7ea785a3b6b06e922b18ea2af8ea924e487db9952eaf1a9ec0e1943e7517ec0f8a8729dec6aa531cfa6f1441bdabc0bfc99cce43414c70f48a5789521ffe657

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoYw.exe

Filesize
114KB

MD5
b38196f4582773699dca314855d2a916

SHA1
0ef6511261b0f4283b617ecb00064740702e1e9d

SHA256
4b21afc250c580cb05126d46acebd1db6b27f6222316c1edae5ea7a7755250cb

SHA512
009fe83130efb7aa1824fafac05581f6cac26404431c9c1fd2eec3ed67a516ea6e761b955056d46f7d426a6634319b4c08d9b71313cf6c625c578f03193cad62

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQQQ.exe

Filesize
111KB

MD5
48ba1e1fa4229ce3df7283265b5674a3

SHA1
51dcc49257283648e439aa20abbf9bd29a0b7fc2

SHA256
096fd0ae461f099b194641bd67ee7f9e4ea84da39c22efdd12de4a4ae4724614

SHA512
c2f6c3615cfcc13a1a23e3ecc76f35b7081a3643df8dd633aba429f117f2cf0096e90fc7d99600df1dd8faa89ba1cd0807ed4614151e31530930ac420ed9a50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikoI.exe

Filesize
113KB

MD5
005c86ed4f2a98c9d524ab5df31f9922

SHA1
2f2c757528d312fd5f9f8859a1291618f8f9a8c0

SHA256
9091ec3a57649bacc4d3de08217f0dd201b0da67fd206c13f54e8319178267ac

SHA512
405b68b0710326961a5dbb1e561dc10f9c6b87412cbeed299cd21c882eae990712bc5792362cf04255cafd9e9e08119a9ffa19b2636d7b4bdb56eabb5858a7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskU.exe

Filesize
488KB

MD5
039189bf883b54a71019a67dcbf06eeb

SHA1
7730f776502727aaa5ef5561731a14d638b829f9

SHA256
08377f1508a26b8d5872088ee4cbfaa2f82c7515578640744948dbe69a9e9b5a

SHA512
0b037efacfd90a6c720ec11acab8dc9f64499a5b0cfbcc0e0ecfa21a900fb813acdfa83753d4f7c5922fef92525f03f977aa8ffba3477e22a77f0d5b92292b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAoU.exe

Filesize
117KB

MD5
f863d5f44dfb1fa15056c553cb0c6b8e

SHA1
e39d8337d3f7684774c8bbfc13cdc1fae6d53e3b

SHA256
e2cd425f6d9dca2bc1be93ff89df943253acdac3d86536cb643370bd76472b00

SHA512
b43107ffe974c923265d8d0eb0ce6e4382c5dfb940221e701c93a3adcabd17a1ebcf6bc5e2ed85c51f56b8c4659f22b50e15d140258ff35587d9c9886a0c7339

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIEM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMAc.exe

Filesize
111KB

MD5
cf03d4a85fd21af047be787a3d65794e

SHA1
6e95041af6ec01c8cbf1e2e9c50e43ef4568750f

SHA256
cde06598ed1660c59a9114b65ef86b56586bbbc1fb864692b63a2e6cd270ccba

SHA512
1fb25570a2752b25a137c997f3bd1cdec330973eb8d763903a9e083a09477272d4a29d00353b8eaa4e33bc5a6c8f0d611b6d1a720675e04d53b995cc51c812dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcQi.exe

Filesize
114KB

MD5
0980ca3cc8f2daae34f1bb4ba06c58a4

SHA1
9350afaf17e60c26478abb830750e74fcbdf06e1

SHA256
7fc66fc54473bb3e6b508916866e6bae765cc2c1b8b3e8c760a0f1964976bc91

SHA512
ac6614960d07fe431f7690f0aace5e41cd3c8c76cdbf17229fc3eec047589e8feaf6952207f29b85a2ca0e636d550304de9317bafb14b4d5770669242608f3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\joQc.exe

Filesize
436KB

MD5
80edc86281eb9947d70674c9bb1eeb0e

SHA1
8706a62656556c16703b65cf41755b1798ed2a94

SHA256
efde4031a7eca7b743461e83ab4a37da1d986548600cd258b32936ebdb52bdce

SHA512
548304c2f8f62976d8b03ef1837fb35b164b8916b7ad1a7d7a9698346fd3310b8c8ae4cb4aa86813ce5caeb01819bced5977fb2c21824e5f389edb19a2ab395d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsow.exe

Filesize
112KB

MD5
11129c6c9783e981f63f75310d54d86a

SHA1
d4458f982c0d55c05e896833ffdfc45487c505d5

SHA256
a6266ae1310dda5e9ffbbda2f1d84b2da2104efea1499f0b469e013a27255fd5

SHA512
40516de8e09d486c61fab5307057d6605bce9af4714f23aeacc5848565539218976da244f80b257ff36728915f5ac5fd5d6d3d2eea8c1544a9020d436135589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jswS.exe

Filesize
117KB

MD5
3ef74c4aa4e259898d6c535055e8bc65

SHA1
5f2097b98b2253ddda92c8171d636d4cff10cf3d

SHA256
32630b0769e51e3764f88c6c9066ac0923cbf78d8066212c07ce93f1124a34f4

SHA512
7241a0193cca8f5eab588d77ae86926032cf46fbdc92abc51f6852ce31043abbf545f876414e462d266e0d1254d74b5d3d140d7f00095dcd7011a9f0729bfedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGQAIEsE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMYU.exe

Filesize
111KB

MD5
323617a3a76dfe335861c3890dde203c

SHA1
5b03f0d2032386bb63034b5dbecf04679b056d29

SHA256
d1ec2ff0939d10f828e8e77c6fa5681bc925dc0f4a9b1f125ae4b3de04c4b202

SHA512
bc01f9131a579a51f7d7380a5b404abf7e3d20c7334f70fc204e01d3b944676c4161cbf241e95b630524ac0ed966ff9519efce80ed9a457d974f61f919ed889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQQg.exe

Filesize
237KB

MD5
7c90adeddea00e6033880471b0e774c0

SHA1
d0f245c25e280ef3332c426e14208bb18bef2c14

SHA256
153f5f290fc5e942288e99981fe4e044486afdc3795ca8f51767950e6373a199

SHA512
f51bd85dfa095b3aaa1f534b75ecbc6398b1d2b084dfff7f3f7ce9e9c6077aa5e463db5dd98709114275e90f9376246631c6f87e99452a38225bedb024b43b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUgg.exe

Filesize
125KB

MD5
8b6b14f736de068d549af06130a0440f

SHA1
5f89d4a9d3fddc7cd201cb83fe601f7c2b1d0c31

SHA256
0c3d27cbb4db2c6c54bac723ec69977f6eb1b9993571e75add4a617ebfe390b4

SHA512
6cdc315459b69d23fccecce10bcda421d1bc16ee018869502006aa25335edf19675bbb56f0430b9737a7b0875bbcd9b7af6878c13183ead4303a1b1e267cfad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMe.exe

Filesize
122KB

MD5
da2d4d0d52c170dc5b072e2a2ac404e3

SHA1
2fe0a1910b167c666593e8848628151ff19d8c4d

SHA256
d1079efb54c5e0c96fd95683223176af7d8f88647995c6215dfe007319ac52b0

SHA512
087db7802a0a8540881168fbbbf18bef45f91f879acd016472230fd252a1d55b6db8a6d74dcc334b836eae3bbc6e1d9c35b60718c69684ba529a1d01936877ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgcy.exe

Filesize
1.7MB

MD5
1c8150c2aaa38cfb946eac08d3ae5a43

SHA1
da9b76c320e4c0a7edb18129d6d21970d6c29f9f

SHA256
9d6e8cbf7ae421952a84fb1dfe5699278eedafe6455a6a27ec7b602a9b688c7b

SHA512
d0fdcfa40bb065538eeaba207d0a6811c4684a4f82b82a7f3061a280c0fe7f824893aeae5827c5df869f691cf5ea966369dbb35a3d4400ea5f744eeb2812edee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksMS.exe

Filesize
112KB

MD5
0dd04e68f5a8ebe54e61133c5ef37435

SHA1
5de670a2dbac0e184d57154f0e3422edd3eddb98

SHA256
69d9c471752beb2da40ae3dcfc32a50fa5390a4a99dbd9a4b1ed2cbdf56d23e4

SHA512
38ed3fa2b8dde3b2516b0fd6552ccb077b68fe870736bf82b12415c2acb1a3969b6904e817bfe11bd85f0bdc4e47b09bb9ace33792fa2d2c1a9addabdfee5723

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUkE.exe

Filesize
153KB

MD5
2b86b4b9d03c746af21c6ec312a8382d

SHA1
12fade31452e7d08f305d15d909324f5d032bb0e

SHA256
21ff46f91570e037d559fd3f95e0b67b3b563d5411d09d76ea0d405a5d4221e0

SHA512
dcf17ac78bec3f66f3e23330758c38ac4482a4c20dd91c0991e56c42a8843236c021e3c25bdb8d83085b0da0d1d431c0b9a31147f895d590d1a76f33f12ad1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcMm.exe

Filesize
111KB

MD5
e5d6da9cb1275bb9ccf3da5e7ec61cc6

SHA1
261bff004db882a915c52a6f193a93dafd011604

SHA256
a12df6985313c961e36d2f63dad53dff24feec388c080e1ca2e118def871b4ab

SHA512
3c2c7f634d99a9dda2779c51d42d954f44bf1f90f989e1acafbb0ffd70c8ad2ae28f24e0ac2552134252cd6c0558fb2db2e9e5454a07620f48d128c2b8d2db6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngAC.exe

Filesize
117KB

MD5
ea421f0b5763f7b90660d0ee8ce87561

SHA1
4654681bde37035fde4b1110d1e49a4adb480646

SHA256
b64a5374c49754f02d9305102f1249a127de751a35468ac2fa528e069d224937

SHA512
43a0435d0f5da7cfb6af165455a6936192ad2556e5d0ba3e0e3989bef290896410a1b6f23042a0f82e8aa54cc816d8e3c2044743f18150228d140b23658e3278

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMcG.exe

Filesize
111KB

MD5
6f8d779580c6b15de4096816c8aff71a

SHA1
7cc847ac3b6cb50e6940eefa5e0d7fc96c598b2b

SHA256
4bfe062f2f9ca217c640b010b5867dde74a13f25ddaa1ddcdfec9fb94c86d19a

SHA512
49446eb0eac8b638f4f3db7187489a51736fd5555f6e6806c046fd5cecfd7ef8d4cad165d2ff2074b107c89501790746197ad42b12c83d11c9c6d746f6b77c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\oogK.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAEM.exe

Filesize
120KB

MD5
e0c2b59ae81a38270bd893751d26d8e7

SHA1
d4d1befc0fee5363d477819112eb35770ec15617

SHA256
0c2c12afe8fd33d14d9024e8e74195cc70553185f73fa36abc6d354d83e3d200

SHA512
7fff99c5c41d3aafa444ea2802214e61026101e40b69a399318daadf196b7314a1f4ed6b555b4f7c7939a93c7a2b40a0454a4aad1be75fe4b940d85c9355805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMIk.exe

Filesize
112KB

MD5
995e530d44fc5196eb1fa800a2610ede

SHA1
dfaeb09ed6d66cc172154d8eef15869ed94c0447

SHA256
5c296067bfa68123510e78753d35ebc2ebd45e25d03ec30e5c3bb8597e8a99ce

SHA512
67ac2dea60c2f2f0415e8cd83ce36aecf33c482d79622d3e4a9350aeb95713ad7a6e021598d453c573e58d696038690b59bde049850ffa29cca370b286faa38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwoc.exe

Filesize
113KB

MD5
07a7702f90f27f01011e3a3e59b72ed2

SHA1
f806dc156d9269c36a0de628d75917253380fa15

SHA256
c30a16b7bae8a79c23419c6d09887d655da4bd6886ae56d5c1d748163e2ae502

SHA512
6e2f5128f3ce00097121c6f16805d5ebae1276b55bc4b2ec053fbf9b6237e29a4e99b6432958c154e4cdb1642177364ba7c24503fe16bba88e9207df18e67292

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAku.exe

Filesize
110KB

MD5
4edfcd474b5315bbc29ba67533c52ba3

SHA1
3aa9407307a5169565c758840df056f363318e1e

SHA256
fb3ec102a743ee53cdbbedd9f5b29c52dbb073ff15d86bb7353128c958b5f259

SHA512
ff3c9cf0afd5d78da7f6f2aa20e0d041e7d86907db44a231161528a9f624d863565ccd3ed2d648c45d05ea8da51d20d6dc9139eb8cfe5ebe8fff1d215adc826f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoE.exe

Filesize
561KB

MD5
dde7fc90d76f69efb2deb669e2c05f08

SHA1
f8b6539a85d63f64b4fc55f9c9e02c96318b663a

SHA256
9838c58c52a713aa572e3be331a9113d7b309531e5cd3153ef090726b79f0bf9

SHA512
dcddc395dd8926d75e947ef0334049ffddb4cf5621c2e5e8fdeb9430d2a731493a7e697dae17393b19d8ae244f87615024993d21e94c4e78dafb10440550a8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\socW.exe

Filesize
242KB

MD5
999a072bd29508b9cd4a7e80e81d8915

SHA1
524fe57c98b3e22fc4376b181e3019b921683525

SHA256
f1a0bd7804a4423943e7bcc13cb8e18864442ceffa29631cff82bd4dd3c31154

SHA512
86f89f2365283cb7f076e430df0eaa39d069b0bad970efd03b140c26a3e2218379dc042aa9a17f3b85e27adfc379a751a32e920e7484c6dc5bd61f7cbfdf0bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\swEy.exe

Filesize
5.2MB

MD5
1323ccdf9149d9e8c8e454abfe3da12c

SHA1
84e65212cfe32a6ff471ba52641a14dcf964d4c1

SHA256
39ad6dd25b7614405f887b2739ff5c48279f4ec010290d66401821b5213e5630

SHA512
b0045b0f6496b4af4bccdac40f5cdec7e0d4134a2b179842c8d73116d6646439968059163a51c743506e98e693fc81c8a1d5b0f793264b28eff7789c3ec5d4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUgW.exe

Filesize
507KB

MD5
2ceed23c72e0dec3cbf19fd6a69e7130

SHA1
830426adc136acd3dcd9df4a44f9a817848c3464

SHA256
4db89cb30f7aa8feccff1802bd4bb458c54b642d22bb73a9dc4d5b67f9e83f00

SHA512
3e6a874fcb230f1038920670a79d139b2acb06c1cb30cad616333ee091d6bd6530ce6b6a28ea540857c40a6a05cccc487c77595afb1ce7c6977c41d842548732

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksw.exe

Filesize
116KB

MD5
0896126aa843201a4b443c8701927025

SHA1
456b42bcee6aa46bcdcbcb8e9db52c6f7f009f89

SHA256
9372b821f18dc34fecd662fc135b8e1ca3247289a9117710c5abb9445a2e3f34

SHA512
8c555aa948f89afb6668db99487f2bc038c84074921fd344b6dc606ba22651ba496e041ac91aa7f5e7d3795e5a7c4ecba9b75b5cacd1099428721ec6b2a04cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEO.exe

Filesize
116KB

MD5
dbcefd32fd67495050e0279372399200

SHA1
49d870f7caec4d200f6acac9aa3f27f5e0211fb3

SHA256
06724f475e1faf1bbec331a22f57999f6cfa0bced458deb1d38adf70cce627bd

SHA512
462ab46e28b925c3ca38796fbe3b270c165c95dfaab0c2efdd2e6961170c2a96c50f553075b4297369632ebfe241392bcb5f3e380a26aa93a2b39ceeeff1e40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEK.exe

Filesize
111KB

MD5
aba21e0a0cd50ac6f87a64bd792eb9d9

SHA1
f8e4968a2416b33f33633fbf836f80f339b1fa9f

SHA256
1a42412edc27c9c97475f3225f7e80f3d7411a2862c6a1bab8184f9f9c2e19da

SHA512
5622d9387ddb69d4cbcf50f0b25725de0767b81ac051d6d98c2e573051101178df9916492694bdcb0a7b9e87d0229b61a5acefc9d20288c7712671c3843d1e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIcA.exe

Filesize
111KB

MD5
c142cc42fe257e4bd6f07bc3e917cb36

SHA1
6c500ade63023fddd0283dc3c2cd7acf7973f3b5

SHA256
67949763dd6f5f50ef07969224c96d7e18e7bb3d80132f4691d2f79b82a8fa95

SHA512
206d9f334885c85a6faab072a964e68d5aef0aecd86e5ce6e458a2718b98d9b8a1c66fd393049025e620cb08baa9cd581369ee8f3b8aee0d97720ed756b9925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wscs.exe

Filesize
121KB

MD5
227c2f6081bd040f01f85ece2ecea431

SHA1
9d4c6420cd31c21139d4fff0966c1c52c1b5f3b4

SHA256
19e9a7cf4c7ecc5adf7aca0df5546ac086f84deaefb15c13c8b2a45f4d31f4ec

SHA512
490389fbad0539e0006847d082259b0a8d786628a89cc4f176a579a2d6ead6eb9ffc379208864a4097c787d7f20ac5fe96813d6cb91badb12c12311fb441a10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykEW.exe

Filesize
140KB

MD5
5e538aa34130f13d17dd8900074a06bf

SHA1
1d299eae48ba846cf1ed7c0a1d2e64861e029768

SHA256
a791c69f9775523447a36eb3bd1a43c85a07651b603b261c7788ff386d9df173

SHA512
4e7c97dd7a518fd9736c2855227281dc7155890ce92e42bb211928c4850f8825150e077c6b0ff75854b8c5f86a85332173b6979d8262472e23ed06949e398659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykoi.exe

Filesize
110KB

MD5
53feaabe31ceeb4e45768570140be35d

SHA1
63a0c296d981b4055f793c1786083c4ca28d1f31

SHA256
109e11ed2cee8731aecac77b9873aef6585fffb612ad05d5b10a5642a0f0c788

SHA512
946b4b12a1436995ea3fcde38dec2c14bf15106c62c2f56a9f733afe591069fb40dd2644831be4416e4e6877f10f7f013ca610d8954b2f982d4e1a58c7a65025

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAgS.exe

Filesize
113KB

MD5
00285cde0119766b477bd8c96fefdb05

SHA1
e8683233519f4be535c79ba157223bb2632a3576

SHA256
4d1207081c20d498d8f79b30120a93e5eb344e99c2c99b25e9afc8437f350e1a

SHA512
46b5cb938dbb847db3bf7c66fd7d8ab62e1b02bcc19ad94507f3efce5e8d72cdcdc7461abffcf88b3dbaa3f6f566223b2b2e2fe445c0938d3b4c3118aba431f9

Download Submit
C:\Users\Admin\Downloads\InvokeSet.wma.exe

Filesize
632KB

MD5
9d7bc7aa3ac8e2cc438be4b21b0d7eda

SHA1
fba17e7de16dfd2e53ac1d0a6d9e8cecb32ecdc3

SHA256
0e4ee34a000d11b3cd9250bded5ce46cd73f9e4d783d159e70b35261e4100bbc

SHA512
75df13dcbedc9a179c661a586ed3dd9c71fd28354d30e870e558bb2ad4494de317ab7e24b1fa3a1e536cdf39922fa2d07b05183970cc103c8bfdd5f24da0ca34

Download Submit
C:\Users\Admin\Downloads\RenameMove.rar.exe

Filesize
352KB

MD5
5c883a4cfe7f8a3d5f5502757aaa1a11

SHA1
23929a7739e4ceb9ad645f19745df5734b1d7f61

SHA256
5d9583d5a2b200e054befeab87696f379bd1b9dcd10d012bccc56deef0202c95

SHA512
b7e1000b70cf50e46006a8caf79cab04acb3221c3bead7bbb961d216dd2fc18962fd463656535b121b942e44e7da617933496526a076bb414dc87e97d07232ce

Download Submit
C:\Users\Admin\Music\UpdateGrant.mp3.exe

Filesize
475KB

MD5
0adcc6a925c6ba8ae8e8ef5d126b04d1

SHA1
f993156e65976b7b621bb1f87904f211458f98e8

SHA256
be6b707211f4460661250e4aca9f63c7e5f8203eb8bc3f9931838e277d045048

SHA512
2de1feab1331c1580c14a1f8a649a2635354d929658c8f6dfa23280fd48f6fe95c8f30eb33dad7aefc832eecacdd9577154e4c1bb7438963406b297d34c1ee44

Download Submit
C:\Users\Admin\Pictures\GroupPing.jpg.exe

Filesize
403KB

MD5
1360e863b3ccb45d3524336418b840bf

SHA1
fee87b4b8bfa19d037eab6d0b3a4725063b4a28b

SHA256
c734617e49bf71a93e8727349cd60997c6131c9a5df00fca45a7572ba2f049a6

SHA512
8487aaccfe668c20ade52ed8cd963fc6e0353fc3f2852eced98cd7413fe7901b48682a1e5358f455a0d1d2a92082bd738c9fc69c47e987f660446dff7e584fce

Download Submit
C:\Users\Admin\Pictures\MoveSet.gif.exe

Filesize
492KB

MD5
2e0855abe5764af4e62bb3609830ffb1

SHA1
298af44fdf9a0519ebb16439ddcfdb50065d3b64

SHA256
af15a395ddf38dfc872365d0ff03a823fa6a8ebbbeebe1fb4a5e0ee89c692535

SHA512
607e8b82fab0f097315fddb0fd473949f462284f51570e247924179bea5b900d0906ac4252cb3ec14676745ec34eecfbaf64a62cf88a2976145f8f0f3db27f43

Download Submit
C:\Users\Admin\Pictures\SubmitOptimize.bmp.exe

Filesize
320KB

MD5
b76cebf8df06880f9e9fb3fd59c3c680

SHA1
796aec26c298c760e7adeaf22e18841bf39ed460

SHA256
b7e73c6d94b874a8edf8bb1c12b60a65f38132257aa3831d0a57139048b1f955

SHA512
ef5f5f1b63bb1d6fb206d25b588c208d04b1c89e497d97ab52ed2691ed00d4e1243646fc66d6afca2da043a565d3372c4f140a086af0389886713020c95c63bb

Download Submit
C:\Users\Admin\Pictures\UseSearch.png.exe

Filesize
269KB

MD5
8e26f71d3fd20f605549e952386d6491

SHA1
e5a7a3836e30a403897371841f6235c47325beec

SHA256
1bcbd9f6444e02e2626dcbaf11f94c5cef54bbcb0939b6d7c79d9b77ca0e65c8

SHA512
0149964238a7b64e3362901aed4071c667bfa3a9144c00411e3d7b6e91a938cd882eaac1a24cb61bba11d8fd56bfe46a3aab2f41d8cf7bf77b9eac213bb7ce95

Download Submit
C:\Users\Admin\uskkwEos\XWsoQcoY.exe

Filesize
111KB

MD5
135ec0d59ec2761a45f5e034311933dc

SHA1
06329e4cb55e98f447cb789fc69805e2965b8ac6

SHA256
7c3dbbc2fe0f33d33a3d34a9d03ce9c763181d0350e18a272fd22ac04dfa77d2

SHA512
88fe2244c3cfd01472b1103621bcd566e46f90b2f636f29c74a284781c3a370ddfa19b324401e1ffee9f4706f77f22814301cec85db20e1c4f6494748d708fa8

Download Submit
memory/1000-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1208-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1208-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1380-336-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1400-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1400-149-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1500-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1500-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1844-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1844-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-53-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1968-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2136-447-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2172-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2172-1873-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2228-104-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2316-426-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2456-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2456-31-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2612-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2824-1874-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2824-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2960-150-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3196-112-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3380-93-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3564-82-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3684-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3724-218-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3800-354-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3800-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4176-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4404-372-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4404-355-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4432-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4432-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4516-291-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4516-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4588-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4720-337-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4720-344-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4776-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4776-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5072-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5084-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download