b624878162700ef8a520ff0ee403f230cfa6897c1f6ca918f5fc4826cb2ea133

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
Size

116KB
MD5

a38003cb861e0c959293991078f42d53
SHA1

14a30ff7baa6f3d1a429df1a7f5106b2ef6e277d
SHA256

b624878162700ef8a520ff0ee403f230cfa6897c1f6ca918f5fc4826cb2ea133
SHA512

de30d5dc9f9c216da47ab89503fda0bf307729bc4d4280f47b1e68846f0bf688157db7fc499ba50a00bdfd1ef21ccbaabb8d001d5cb02467c50808397455fb89
SSDEEP

3072:rdJOzbbAqXHkQqom2AidmpwTXIPLgHAZiq:rmzHrf3mbi8p84LOA

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 49 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 49 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aqQAgkIE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	aqQAgkIE.exe

Executes dropped EXE 2 IoCs

Processes:

aqQAgkIE.exeQoIoYAcg.exe

pid process

5048 aqQAgkIE.exe
2596 QoIoYAcg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aqQAgkIE.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exeQoIoYAcg.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqQAgkIE.exe = "C:\\Users\\Admin\\AikAMAoE\\aqQAgkIE.exe"	aqQAgkIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QoIoYAcg.exe = "C:\\ProgramData\\wAIIcgEk\\QoIoYAcg.exe"	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QoIoYAcg.exe = "C:\\ProgramData\\wAIIcgEk\\QoIoYAcg.exe"	QoIoYAcg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUQMoAUo.exe = "C:\\Users\\Admin\\DAMssswc\\BUQMoAUo.exe"	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HMAEgIkU.exe = "C:\\ProgramData\\noMAsIok\\HMAEgIkU.exe"	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUQMoAUo.exe = "C:\\Users\\Admin\\DAMssswc\\BUQMoAUo.exe"	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HMAEgIkU.exe = "C:\\ProgramData\\noMAsIok\\HMAEgIkU.exe"	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqQAgkIE.exe = "C:\\Users\\Admin\\AikAMAoE\\aqQAgkIE.exe"	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

aqQAgkIE.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	aqQAgkIE.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	aqQAgkIE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5084	3808	WerFault.exe	BUQMoAUo.exe
2412	3616	WerFault.exe	HMAEgIkU.exe
2316	2528	WerFault.exe	BUQMoAUo.exe
2784	856	WerFault.exe	HMAEgIkU.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3692	reg.exe
4948	reg.exe
4340	reg.exe
4960	reg.exe
2804	reg.exe
3372	reg.exe
1656	reg.exe
4992	reg.exe
740	reg.exe
4392	reg.exe
3088	reg.exe
3696	reg.exe
5024	reg.exe
4140	reg.exe
3156	reg.exe
3768	reg.exe
4628	reg.exe
4448	reg.exe
1572	reg.exe
64	reg.exe
3364	reg.exe
3612	reg.exe
4696	reg.exe
1008	reg.exe
4168	reg.exe
1324	reg.exe
4024	reg.exe
3976	reg.exe
2156	reg.exe
3620	reg.exe
5024	reg.exe
1672	reg.exe
5000	reg.exe
2412	reg.exe
3744	reg.exe
4740	reg.exe
3140	reg.exe
4760	reg.exe
1916	reg.exe
4300	reg.exe
4316	reg.exe
1960	reg.exe
3548	reg.exe
4332	reg.exe
3748	reg.exe
4948	reg.exe
4588	reg.exe
2244	reg.exe
1960	reg.exe
1436	reg.exe
4392	reg.exe
3740	reg.exe
2236	reg.exe
3128	reg.exe
3244	reg.exe
2320	reg.exe
3312	reg.exe
4384	reg.exe
1264	reg.exe
4092	reg.exe
3364	reg.exe
1460	reg.exe
536	reg.exe
1232	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe

pid	process
4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4604	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4604	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4604	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4604	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3228	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3228	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3228	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
3228	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4948	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4948	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4948	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4948	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
1904	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
1904	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
1904	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
1904	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4628	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4628	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4628	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4628	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2608	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2608	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2608	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2608	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2440	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2440	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2440	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2440	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2800	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2800	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2800	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2800	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4108	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4108	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4108	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
4108	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
64	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
64	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
64	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
64	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2784	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2784	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2784	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2784	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2624	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2624	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2624	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2624	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2156	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2156	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2156	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
2156	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aqQAgkIE.exe

pid process

5048 aqQAgkIE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

aqQAgkIE.exe

pid	process
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe
5048	aqQAgkIE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-25_a38003cb861e0c959293991078f42d53_virlock.execmd.execmd.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.execmd.execmd.exe2024-04-25_a38003cb861e0c959293991078f42d53_virlock.execmd.exe

description	pid	process	target process
PID 4888 wrote to memory of 5048	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	aqQAgkIE.exe
PID 4888 wrote to memory of 5048	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	aqQAgkIE.exe
PID 4888 wrote to memory of 5048	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	aqQAgkIE.exe
PID 4888 wrote to memory of 2596	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	QoIoYAcg.exe
PID 4888 wrote to memory of 2596	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	QoIoYAcg.exe
PID 4888 wrote to memory of 2596	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	QoIoYAcg.exe
PID 4888 wrote to memory of 2324	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4888 wrote to memory of 2324	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4888 wrote to memory of 2324	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4888 wrote to memory of 2320	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 2320	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 2320	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 5024	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 5024	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 5024	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 1636	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 1636	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 1636	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4888 wrote to memory of 2840	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4888 wrote to memory of 2840	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4888 wrote to memory of 2840	4888	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 2324 wrote to memory of 4992	2324	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
PID 2324 wrote to memory of 4992	2324	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
PID 2324 wrote to memory of 4992	2324	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
PID 2840 wrote to memory of 1820	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 1820	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 1820	2840	cmd.exe	cscript.exe
PID 4992 wrote to memory of 4948	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4992 wrote to memory of 4948	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4992 wrote to memory of 4948	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4992 wrote to memory of 3696	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3696	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3696	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3768	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3768	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3768	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3740	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3740	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3740	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 4992 wrote to memory of 3636	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4992 wrote to memory of 3636	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4992 wrote to memory of 3636	4992	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 4948 wrote to memory of 3972	4948	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
PID 4948 wrote to memory of 3972	4948	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
PID 4948 wrote to memory of 3972	4948	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
PID 3636 wrote to memory of 3336	3636	cmd.exe	cscript.exe
PID 3636 wrote to memory of 3336	3636	cmd.exe	cscript.exe
PID 3636 wrote to memory of 3336	3636	cmd.exe	cscript.exe
PID 3972 wrote to memory of 2724	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 3972 wrote to memory of 2724	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 3972 wrote to memory of 2724	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 3972 wrote to memory of 2196	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 2196	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 2196	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 4720	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 4720	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 4720	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 4024	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 4024	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 4024	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	reg.exe
PID 3972 wrote to memory of 2148	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 3972 wrote to memory of 2148	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 3972 wrote to memory of 2148	3972	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe	cmd.exe
PID 2724 wrote to memory of 4604	2724	cmd.exe	2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AikAMAoE\aqQAgkIE.exe
"C:\Users\Admin\AikAMAoE\aqQAgkIE.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5048

C:\ProgramData\wAIIcgEk\QoIoYAcg.exe
"C:\ProgramData\wAIIcgEk\QoIoYAcg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
8⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
9⤵
- Adds Run key to start application
PID:3444

C:\Users\Admin\DAMssswc\BUQMoAUo.exe
"C:\Users\Admin\DAMssswc\BUQMoAUo.exe"
10⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 228
11⤵
- Program crash
PID:5084

C:\ProgramData\noMAsIok\HMAEgIkU.exe
"C:\ProgramData\noMAsIok\HMAEgIkU.exe"
10⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 224
11⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
10⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
12⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
14⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
16⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
18⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
20⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
22⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
24⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
26⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
28⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
30⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
32⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
34⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
35⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
36⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
37⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
38⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
39⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
40⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
41⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
42⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
43⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
44⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
45⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
46⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
47⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
48⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
49⤵
- Adds Run key to start application
PID:3444

C:\Users\Admin\DAMssswc\BUQMoAUo.exe
"C:\Users\Admin\DAMssswc\BUQMoAUo.exe"
50⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 188
51⤵
- Program crash
PID:2316

C:\ProgramData\noMAsIok\HMAEgIkU.exe
"C:\ProgramData\noMAsIok\HMAEgIkU.exe"
50⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 184
51⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
50⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
51⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
52⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
53⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
54⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
55⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
56⤵
PID:4252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
57⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
58⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
59⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
60⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
61⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
62⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
63⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
64⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
65⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
66⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
67⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
68⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
69⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
70⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
71⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
72⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
73⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
74⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
75⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
76⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
77⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
78⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
79⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
80⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
81⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
82⤵
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
83⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
84⤵
PID:3420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
85⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
86⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
87⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
88⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
89⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
90⤵
PID:1232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
91⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
92⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
93⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
94⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
95⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
96⤵
PID:956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
97⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock"
98⤵
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaIwcEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
98⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:1232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
- Modifies registry key
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUMoIMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
96⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
- Modifies registry key
PID:2236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quMUUgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
94⤵
PID:5012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
- Modifies registry key
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyMEIIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
92⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWgkUgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
90⤵
PID:1732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCcgUYUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
88⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYEsIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
86⤵
PID:984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
- Modifies registry key
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEkkQEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
84⤵
PID:2604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwMwIUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
82⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iugkAkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
80⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:3088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:1264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiAooIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
78⤵
PID:4252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
- Modifies registry key
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siQcswYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
76⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
- Modifies registry key
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uacgcQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
74⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:4740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAUgUsIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
72⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsEooYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
70⤵
PID:3444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuwkUQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
68⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmoUoYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
66⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkocEUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
64⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmAoYkYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
62⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
- Modifies registry key
PID:1436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYQEMAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
60⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIMkMkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
58⤵
PID:4520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juMwsIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
56⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqUYcgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
54⤵
PID:3612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyoMwUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
52⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEMIEIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
50⤵
PID:1712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqMEIQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
48⤵
PID:3364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:2244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miQgoEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
46⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWMwgoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
44⤵
PID:408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuIEQUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
42⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuQQsEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
40⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIkcwwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
38⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWkkYkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
36⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYowcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
34⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqMoUwoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
32⤵
PID:3164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZucMcAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
30⤵
PID:456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqcUIoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
28⤵
PID:4076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMowgQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
26⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eogUMgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
24⤵
PID:800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uykowkgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
22⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaAkAAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
20⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeEkIogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
18⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKQgIYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
16⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWgMEgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
14⤵
PID:3912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKAoccIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
12⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCccokcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
10⤵
PID:1076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyUMAEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
8⤵
PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgcEMMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
6⤵
PID:2148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiYAEEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOYgsEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3616 -ip 3616
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3808 -ip 3808
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2528 -ip 2528
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 856 -ip 856
1⤵
PID:4148

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv b+T1R5lOMUuTe7UsgubMdg.0.2
1⤵
PID:800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
154KB

MD5
533a828965c9db4f150d4299ce59a959

SHA1
1caedc23fb66bdc0e30c5033f34ebdec317d0585

SHA256
84c9b10a851442a55ad933a4d255847eede4bbf423ac2e4524f39623954c5020

SHA512
e19d764d66e805bc6fb1de83833f530cd7c4c7c946afcec18e7a1ac5630539ce09432b7ffcd23c27829eba5de963d2e36b1fa4b51e3b41f08ffd48e1cfb4c212

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
143KB

MD5
6a6f16b02da70877fef3eac6598f657e

SHA1
33a0897bac6a0d85ed26297e58795cfec338eb68

SHA256
f2e484f33a19b91bd6520b69c80f4016661418f35d4f6c5b6a71f650e711958c

SHA512
c6888a44b8148c4296a56b6750bfbfbb3a5be5673c83bdf48e6b6c106ab40170cee1db73a0dc7379ddb6ad6ef25ea7a9fc64d6d0dcab7ec570d378438b9349fd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
236KB

MD5
9d80a18ae79743f062ba0b92a0645489

SHA1
26079015057412958c72f1d6f704b6465ec5fd2a

SHA256
875bba7f45f677d5ec11146955e473299ebf941869684bd044f1b0e3789012e1

SHA512
2204201dc83f0608d54486a15d146216cebde3f0a2c9249df594e2e8dcb6799a193c01c061c3c4bde50f55bbf7b054012c5b1ac0ecd796c507a8376a34533569

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
140KB

MD5
5884f92d42769dae1e3c64b084d37021

SHA1
10aa394630ba121629d30d7afad83a5993037547

SHA256
cccefbc63864da46456d9812ac7cc7cd21eff3dc521f5ad38c3b792a009fd6ef

SHA512
b6eee72eddff935d089eb98855a14c1c34f582484960b71a7afe7cab1d566700086837fbcdc8228c635d116c9f312903aaa7a01e05cf460013b47ff287b1e9c7

Download Submit
C:\ProgramData\wAIIcgEk\QoIoYAcg.exe
Filesize
110KB

MD5
a397280e23e4700f7170e6c4ab844a0b

SHA1
30858d6ed04bafed1ec62c5d2a732fbade88fbaa

SHA256
435fb1fcac22779ecd151f7ac79d7181e923a38014bd39b486c4866282b756bf

SHA512
f613912fd9e4dbaa18a01ca606188a08a20bd0d59fc30a70e9fce95f0e5b3ab0225047b04bd0b39d68216875505ba82d06effa551fe28594817bd97f17fc9319

Download Submit
C:\Users\Admin\AikAMAoE\aqQAgkIE.exe
Filesize
109KB

MD5
e9d09eb62c3ddc21c51a3724aed2b854

SHA1
74bc24b5f61a1ab02bdaed630b1d0e6139efa0fb

SHA256
1028f12574202f0a099cd9f8ec75bc253a92cf6ded188a428404243b6cd44769

SHA512
a9d6889fc98686dfd489e5c12800270efc1ba62b0379cbe3f46f2c665a406d6d08b0ac2a6488d9a13be2dd98aca2b3a06c56ce90fd72e3c8268c9f40ea38caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
118KB

MD5
17da1aec1f13ed59718e3c4f853d6612

SHA1
6e895bdf44cd05448eb11a0df86d3e8824a85454

SHA256
7b6c168544d4f1b43da2f9516176cd2c8e87eaa0a32ab4d5c1dea70d5541cbf9

SHA512
272014db250a005dab3c215ff8975f1c4996281e11dfe02154e446e85fcaa7d0ebffec13eebfe029c373746be8ba8833e77ba5d308b460133c825e4e4773beb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
117KB

MD5
df4b3356cbbcc86158495089047d66da

SHA1
7362d9daf12b35580b16a87a651d731b5638ee38

SHA256
18205af286f398eae10158e67ea8ef2de5daee03afd483a7700b082d3d775f7c

SHA512
441e19bb574bd829b28c77ee25e7d5ce37a0a7723952cdf51467f4e3bcb9b89259fc92db65fc2fbf3b0bbc8f03f55dd2558d9109a5ef95458bcbda06ede1eb2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
Filesize
120KB

MD5
d1795a1a575d3a58ab4acbee497621fe

SHA1
357223adf7fb658cd0c24dfd29937b89d9f06ba1

SHA256
fa75994701a9e1d88d35c093da76ac4114e5af57ec88faa6b0c199992b44ff4b

SHA512
61122f828f9d2dab61172195a755557c8c572b5946164e78d0e9bf5d6b61320cbdc4ef71c1ef84b5e8f66f90e171fe686fcff42a1fb64d717197ca7952e8a27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe
Filesize
111KB

MD5
1561e284e9f662baab1541fedb2c7412

SHA1
d2a138e711663402aca98aef4a7fc0d6218f222e

SHA256
097ad03ac65f8aa946821df1b229fc487ea4dd0816399a2769dbbb8765e0fab4

SHA512
815321ce5ac8d3c910cc60fbd1e01794216c0a1e6707312c980007646f52863d98c36e20076ba42f937ea4a217b42773243382dc48695979ecdf1368f6d0bf05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe
Filesize
112KB

MD5
9a9eb57e6e53806e03574e4f78c1a529

SHA1
7e35d4d709bdc5c92247c4b3a310069eb6835030

SHA256
8816d819ee0b832bfb91261fb4184c5295b0c015ce693af6de80ae909b5d8695

SHA512
d00f60b42c37eb295d0f3dcb190b6d103644ccb4cbb0daa75eed3f1f87a4ce1b2a23368eacfeb8248eb3475a7b01eb1fefd7326d3d046709dc95c9892ec2b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
Filesize
116KB

MD5
5532a00fdf832e3acd81a2da6e1d9d3c

SHA1
33ae0ca4c3ee67f1aaa93c8217117b0dc36c8b92

SHA256
12e9051caa2dcf0045fcf42f5cc50b90403f60567f5fffb2b24f36b5460ac6d5

SHA512
774567a7dc5182bcf1e9d3712080de9a71ae39b46177eceeddf542ed5059e5ec5c7804032cccda3c9fcd4841588de1f6e4c7ae8aba5dd76ce936f97d59d00d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe
Filesize
112KB

MD5
9bcd582d5130c5daef4cd378fd5d91cc

SHA1
f0a2a122760a8b8e0ca2120fa0ccb19ae6df1564

SHA256
dd064bc67d8dbdec827f29ea69ee95f4492180eff882ed14a9b2bf9da9501813

SHA512
4e6b7621ef99a9a576e8e9ffea259e5a0ba790dbf5e64ce0f6db45e216d08058d275418e4dc6418ef16bc0ee42e57e90297e570654a0797376b8acacd512f302

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
Filesize
112KB

MD5
30a2b12cbfa2b106b4f3d482fc731aa1

SHA1
594916e984ba38ca3553b68a1cf6af335b06a98f

SHA256
eda5933893cd3e3354e1d0fdf89d408ac8ead55c6b0d0f66d5b4e1e724b538c1

SHA512
8666a4be808c1a8af3fc972f18c50cfb4e82a2987a419ac96c714a473b4b9d93cbade8120d46c1dcd48c8b20e3f1c394d2cb2943ec6fe6ebb7afd70da5ba4648

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize
112KB

MD5
b98ccfaee427fb36cf15c84ecd3c244d

SHA1
7f77fa652878de2696ba60c8ea3554bc22ddf2ae

SHA256
b46407562a5c987d595ab7cc7cc7582d98689dc787605ee311e03416ba0bf272

SHA512
97b27201799295981eef0864aab32367ad8e8d862ca018f9328e6587bcf3ef33a444865ce1fb9cbac6810482ea346b595a8a2e2b0c2f88ca088fa211d5a14e03

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
Filesize
111KB

MD5
e911e05bef0e764d93b04d36225685d2

SHA1
5f3efa988eb34ea75892ceb9c9fd34df56d54b02

SHA256
10a8d6356383c2a76c85fbe66e66decdfb3888aa0ccec6bfde5960984c2dfcb2

SHA512
a837b71c7008fcfe4d98390f6fe02e6e7f7576b02cbd206733e2b48a04a862f654cb059d4a6ad98fafb7ed935357b7fa1514d7b6f1c9ab15b8354ea6a91855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
Filesize
6KB

MD5
588e8e645526676ae2f8644d4dd82f06

SHA1
607f0d19028f909a02b5a4b00ab7096dfb7f30d8

SHA256
46f556f484064bb3cc55694c4fca9344b1432ac341861e56bac17d15cca46c7c

SHA512
69766a05b8874d7a0b4ce8b7fc7888b05cb4c3be56883db39fcd63d31742aca901c056b655b716960054fdde71abb56905d73038a5974682cd1092c5a7efe6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a38003cb861e0c959293991078f42d53_virlock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQK.exe
Filesize
147KB

MD5
3ea78b7071a804353e0389d4a634470c

SHA1
2964442fb360f9f2ce86a90bf6060da28ee6f88b

SHA256
7f28503934974b882a8947d4e789e51a115c249dbbcbe62891dd8f828aacc084

SHA512
f3bb54f7ca0298646538d25b39a128c455ddb548a2cc652d86f20b3d4870824600cbfe57039174e651a4f00bfb6ae4f84134b038d5f26d183e07349185a71d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwQK.exe
Filesize
110KB

MD5
2484e23e30f67d55e7aa229950675bda

SHA1
105c74af3ec82a068183362dc11ed934bc0906df

SHA256
8ca39f1dfc1fc4ff65c8571c603850067499779aa9eb71e241e8f2b1c31e63a6

SHA512
c63b4389d3009974ab03adb285bc3655a071c4c60500238253b1af4ae68e5ee6395f6b4810409ee819298f1809ec158981d1cb4653c7138eafecc8cc5c94473d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awwe.exe
Filesize
115KB

MD5
ca8e40a970eefd1f39ef642b38c22191

SHA1
73ef1c1c3b0eddbc1e21ab93c1b77e62d9d97815

SHA256
37835dea347a34f27401a678dd725e64cc4afaa57dc28e94078a6baa9acbd1d0

SHA512
df11a928acf892d7b92108bf27af02bb519aade92d5dbfd1ffc630a4dab8ad7722cbf09b7c69f354b34d96cbb292a375a381527ed0d3ebee98990c3db0c0395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEIM.exe
Filesize
139KB

MD5
90c7cc5a1c8dc3e1d8aecd42f561ca36

SHA1
96dc2747488fb2a3438dbc84282b8e16d22db519

SHA256
02d45d518eff91d30265b5b85fe1181139d75eee9ff357393f097ab3ce24b0f3

SHA512
e43caff5d93807e8d04b6a113ab64c066f3890484ac575e6f0eafe79dd00f03dde7a906c88b388ee7d0b600fe597a527f4b095f2de3edf995bef814124c613f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMUQ.exe
Filesize
554KB

MD5
aeb90c4e39374a0ffd31479f3eeca6ef

SHA1
9f79676df51b5f9f04481412727cc728e1134a2b

SHA256
581f0389a609ee57751fadb2c4a5a4c2fd077ebe94b44ff48b3e9179e1f483d8

SHA512
73bd408a34c45e6199e94ec9c415c57a03add0ac62af754c6f3badc933243cbd87ef70f2579c2d2112729041aa4e6ae0ea277e798821131d81e43cf406ee8e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsUm.exe
Filesize
745KB

MD5
970b37f06bb7decf27107178292edb4e

SHA1
b737e9a8631b75903847d2f80abcecd8c0f45ea4

SHA256
07721343ab15798acb12e3765ae4f0b3a0f6d3c022c52645edb1a0edd409a361

SHA512
880f3fc4f4a0ead94c46867e2358c4b3d329204074954f852a4413e4bac27e8e74d78b1b7346889f8c955c057961d5f72fd5ca95a16b8ee2f70ab0c7681f7227

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAQQ.exe
Filesize
111KB

MD5
72f7265823accfff99dba78af54dcd85

SHA1
aede622bc530c11024f8848f46f6e4c837a70b0e

SHA256
76839130edffd3173db2e21378a86eb9bd58562762e79791fc16cb8dafa63518

SHA512
57a14dedc85f8eebe0ee10a799564c9af01cb5c6d30807731f6cc4515b156aa26f8ae98818ee9b6f0dd9deb98d8e7ec541c7354dfcf2ed22770e79d6645bd22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIEK.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEsC.exe
Filesize
721KB

MD5
58f035142b48e0fce339d851c108b4d4

SHA1
e3014f70a1552c3ab336be2261b8e621202966af

SHA256
ad354bb86aaf0f59afc03c6c6a3e557426d8a6176577767fb24c62acb313b5f4

SHA512
783fcbf640ca1b6de29c8afb68d353cd2719bf7e5ca318608c5de1ec7217aa90c61641dbf5a9894f65b815a341315257d24024e8e58b451ae3cf047f4bb5439b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMYY.exe
Filesize
565KB

MD5
946b4afd30147333ebcf1e1f5a2fd225

SHA1
a476fd0dbce22a8c248fd3927639c137a1a2af25

SHA256
c66cb00489d591e621ce23f888affeeb0589b116bb4b77687309dedb5eea39db

SHA512
8dc1e331c71e70855b8b6a2b0c73dc85990e00af002df6a0e3dc57be3f7de4cd814ec1cca1a275285fa434fe052a6690f8d97fbf53c81dc00f30d5694496ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUAq.exe
Filesize
115KB

MD5
c85bd50e31754f98629ad7efc9fc1c98

SHA1
b1484cf4eb4f720a13731d8a996f6f725655c546

SHA256
ffec6ff3edc3c92c12917778ecde40c400db12d6ad72453e863affdc2f65af28

SHA512
b069ebf06e96acd1fa16720c76b9677ab5adc779534b26b7b87a382655c7887e3e48ce95ae076f446a4b12cd53c82b7c0a63a2962c1f68470e132a674e69cddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dokq.exe
Filesize
116KB

MD5
8c33144c2b6f98c6c331fa0317174c6b

SHA1
53a020bb1eb2b097449a03c66a51ccfab02cd71d

SHA256
8d5a8ecb98b4e7e0f5d8eb63e9a17c78c830d3af9cd128b4a4ff879170a61aec

SHA512
d2a62c46f3c5704c05bb411a73d5180bda258270fd97b967c1d224dd65ab6c05e6177c00d5f1a896f0fd1964e77b55e286d9ad44c02764d33c12767a869e7a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQAY.exe
Filesize
150KB

MD5
4203a8563071c8f560286ae676c5a842

SHA1
1c0bdffe5cca1322dbe099c0996356e6f210d752

SHA256
5c1c7a214a2ceeb18133bade02b4839add9365b319fa1d4a941b4b522825f04b

SHA512
20aac006a4335871bb4137787dac0e36fcc98e8662cb846999348f664b6aba05689af745463d8908387b7f82ab1516153a9760dd2ac6c403ada48bfabb05179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEwc.exe
Filesize
113KB

MD5
9c1e5b8b06c54e0d5f21a6477ee584b8

SHA1
fe166ea9941ee054d2304fd7a489a9c92d719a24

SHA256
0ed1bfd59882ae51e17b3d56eeb2809291559c594862d4118e9088d6e2cca1d0

SHA512
167ba27b4366d918478e14865bbf87458139876b496e49c709a1ca087bfd1f9d7f23aa6362efeee2a91caba5f0a31e7fa69436af3778858bb7e5ad40694f789b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fcoe.exe
Filesize
111KB

MD5
479d42c80afb01e3f8050a0a869f8eb2

SHA1
1e57b9cf4c4a3df8c926200ea51e2cbe52514fbb

SHA256
740fcf50953fac01fa9b6cd86277a9a209c46465c1633bcda5e83ed730ae03a3

SHA512
4516cdd2935e0291fa63a66cc18a0dec8bd994f572e48d0ef54f7dd08756d1e0e919a5080277c81b9099075557c9f7038424a17f5305c2b9b6c8c755d43e3278

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIcW.exe
Filesize
699KB

MD5
1e411688870437e707ed111c7b806a81

SHA1
296e320bf05859dceee20bf3060399f42be1e081

SHA256
09c7d4c214b34ec1280863c0d227ec3b508afe1df6a948135424f5b0d4f2e8ea

SHA512
c868aae65a9d31e60b57d8e5f2125427719c793f0da573a9b2d0a81e23f3a89d2d2fe69318a000b0ad47dc42d755d2e577d9b0f29e0e2522698ceb4fc55f1928

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQcq.exe
Filesize
536KB

MD5
b158ab47707433ce28e4ee09a78757f5

SHA1
57c18509b22f2360c4f5cb77fd317b3ad4581ecc

SHA256
09b669cf5e7ab11d738427b1d6fe396bbfff9a8ec16ebd5147164c3503f815ac

SHA512
0c3196c8d49c4cc9d1cc3b543dc88eef3185288ab76af2c6dcb38c5a1d248120353a3bd1d96aff716454887c8d73b138dc8a56ddbecc747ee4385063a467855b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEko.exe
Filesize
237KB

MD5
990f70b2ec63d2650cb0a1e0ed7affab

SHA1
1efa7f19190c3168b6746f4bd49c0c2b47b20c66

SHA256
fdedf2d4ea232a2bc6114faf8c5f6600ad562bdebd3361219fa9542cf2ddd960

SHA512
843486fcddbfe4d934483e4a7a40cd95776ecb646f33845385ac1db75788bcf465d430422c6aab9d74f0f3f86cd84aef02902de05011c1756be590affd860d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkA.exe
Filesize
111KB

MD5
3bfa09f86fdec79a1d7267d7f511f52c

SHA1
364b3e6b5dc8582cdc14964bfb5bf196ddab34cf

SHA256
1eb5c6051282c1684b6179c7ab7cc4277778883d9f0717f575a04698fabf6c3e

SHA512
b381ab74542372f84b1e82a43e00f2e9777035d132793551ad1235590137e645b860674a9daad64e867872346145977f32e280538b733806c68ea1c12b7afcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUEA.exe
Filesize
110KB

MD5
1915fca102e495e2ab739c93941ff970

SHA1
e91a060f033144b5c8434fe11fc9a1f30bf570be

SHA256
4ec7b2efae18efbde89b930f3bc8d2098c3791d450011b414797ae3db72c0d73

SHA512
24abcf7fcaa5fec6bcad11724de321b84e7826b5646f6ec7d076b37aa8a827a23fd97be84a2c325103b35c10ba280eb9cbefef1114d45f51e03d1a4fce8d0e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUIg.exe
Filesize
111KB

MD5
7c59455fa3d1893d464eb2a52171146c

SHA1
8c21c7ba7c9ea9201362555e9200e6cbf1515f9f

SHA256
d70bb284ea2747e66dedceaa514c07b867edaaebb335808432bb0f601ed83a53

SHA512
3882d5f166bd3c6941bdc9269c6cdb67aac97d472b214ecb32f17be5c67353bfe984c293a84cce95f264b70f73ae936479997f5dc4360025eeb9a76b7d1a84a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAg.exe
Filesize
126KB

MD5
dafdf59aedff1c3692c949073641c44c

SHA1
8351749616c2aea1bb56216dd8a243f5ef9da7ac

SHA256
97aa0fb536e2f524945ed7cd86bafe7cf838a406ad352d45e3bad058705085dd

SHA512
eece4ee2ea246ca21620ecc2f72b0e9966451421fb9e5c42905dd7706d2e0148f29db89987f068a60224ea13ec4cd5b06f21b8bc4eb4b17b7f04e00dab4ad970

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsAS.exe
Filesize
113KB

MD5
6abb68e721d2754250a5e93eb24509c4

SHA1
c8470839cd8008877e6d629993be61a5f13ccffd

SHA256
cfcc65d22fc5ccd8211337d5fd145c0b5866018715241c814874cb1ac6b9ccdf

SHA512
cecfd82cf53ad1408e23c60f4a0ba7eb96ff388f4fdafb34d3d87a71d2d666138cb36dee439659c6bdcb2b65c76a6388e4a3b470ba45201823fc3548e460e19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iswo.exe
Filesize
115KB

MD5
0260554435142febcbbda54b064ddaa4

SHA1
abc17285300b50b6c72377cc21bc7833627ce040

SHA256
b7f0222d15b28340c13e47ef4325501397fb5d30e114ad042e79784a8773f1bc

SHA512
dd0c543856f695977d2d4c5237063df0d53826466976e8e60d8c422247df0976f42c264420a2bd6dea2dbbee8542c0a93020e6248e9aad25b8a111497416c801

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAEG.exe
Filesize
116KB

MD5
ac5ec924d2b9e5b77632bb3e5b0becb3

SHA1
147e3f2140d4f396cfd96390fc691c2eba94420a

SHA256
04afe69250ecb11625467f487d616a0503459a193926bfea23bcdc9cc7c92b0e

SHA512
8bb1184ae82adfad66b126c10cd192b951458c4dbafa5f111a8d200699650c54cfb64d26aad2a51037be00286dd7543a7436edcc0effaa33025ae7f4cfd6bd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIUQ.exe
Filesize
141KB

MD5
376cf2d2ff0105f1b1af4c8515f391d6

SHA1
db1dfe8dd3ab7a73b8812cedaae232652fb8f77f

SHA256
2d8997049730d0fedbd5f986b9600c56b05f74b860c756a3aa91750b010626a5

SHA512
ff831b67f9d418549f5ae2f3a31bcd4157feac82b9a3ba5c022dc36a2b153a7e35efdc5b85f2ba6f8c6d66e05b484fe00c01bda2ec552da1599d9926f5b34525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Koko.exe
Filesize
116KB

MD5
d4af6e320c44a83b1efe1ae009935015

SHA1
24d061b25167701a252b760b56d370c6cd240092

SHA256
6dd41771224fccc8ef7b4705f1e2bbbbaa2e57354a6968d5f05ba00a1bf8768c

SHA512
20cdacd2fe1e82d1f96706d04078c8ff8b46dc0c86d065ea69245a699f6c2600a1789f953722c34e207102e9fdf0f53e3295cca547a01807fe2da7d8f89f7113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lows.exe
Filesize
462KB

MD5
bae51cae6542d206e015be7c05bcf30c

SHA1
8f2c3843cb510ee3457de5fa459efde8d087264a

SHA256
3c64eab0f343d33660696596adad8523510a35788b449cbddb207c14e8b4289a

SHA512
4c6f9870ffef8ed7b89ca2c30f01358194357f21e77342c3b8c40e5bc03587c7ffa9fd9ecb93207140c3cb7cb94a1c91463ddd718d1cff8a192cfaf8ea671ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwoQ.exe
Filesize
556KB

MD5
f01c880e5a498c909f722cbba744f5d2

SHA1
17fb3afcf4f1c793f0c5c1c6efe82ff4db0e30a3

SHA256
c3001512dedeb9912b7908bcaa7a05d79df74c1d27860d6e965b3d3c77e3510d

SHA512
061de82db12507e469b52b3072bcbed9f82f8ee14bc8215e48418bd68bbaac3ca5bc6e92176e1754b0aa859f595ec4de7f10f11419351d9f0eb4152ba8f0fb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQC.exe
Filesize
348KB

MD5
66f2a4f4887a5640a191ccbfda2d7fc7

SHA1
222539d564f791f876fe05e9f7ada35a4a9fb17e

SHA256
3f497c2f47a47f09705198c1f91a954076b6d0d1e09bc852453aa50040f7cb74

SHA512
249090b59c02d46a4991bef2a89317cc1ba851199aabfc390afeb87dee807ca03402d48b381ad485a6003f012a66f934dbe19079dddf61307edeb3c58a8f9727

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkMY.exe
Filesize
111KB

MD5
c806e55f9972e742c228b964cc6ef934

SHA1
ba499a14f6d64a1d438c3b75538308a5d3dbba0b

SHA256
1a2b85b6c9f40157155280a3f18ad475b941d3adce1dc9fba2abdfac95da08b4

SHA512
93e62f45c910e4e4061031b2dfcc768f990309dcde118b44bf6e34eaf54b1e1e89df55535b75f8bfd2ccb91831dc4ab5e30dbe717d99e574e9e70418a255e703

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoO.exe
Filesize
566KB

MD5
ad39813d62dda069dc47878f4503daf8

SHA1
16265edcb8957d7ee535d669d75fc26ce720cee9

SHA256
795aa3acc2ebbdf2c2d51508e7dd3261d34e795f96d347d8ddeb55befd56bb5a

SHA512
0e27aa624e6d5f5f1fd86a60f47155c8839f3316e5353eed91b636a00545f3a4728c813017beff8ef74369693a2a388522f7a123b70539f25335ae2f454de4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAwM.exe
Filesize
118KB

MD5
c988918bde928055830e3bb4e872a3ac

SHA1
02a90bc6c437644b02ec552fdab78a2a6a0ae53b

SHA256
7d0ca3a11bd50d1c040229effcd6229cfa2925e30dfc7ec27f8965465e2641bc

SHA512
c2877aec89088764d05d8deaef1b2a0837efa51100080dd1c3931f396228747d04165b4434afd48b11c9b0029241243115de5218c6428b3f142b5ae416190976

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEcI.exe
Filesize
5.8MB

MD5
421d45f6020c2a1bce345a625c5871ad

SHA1
46b48f975041b89f5f79b8494e66fe73cf3f0e18

SHA256
26a1f82c920986e2ba14cbcb5e284bcb03ae088988042055e20c3eb82e619c8c

SHA512
f6be9d08a17d37c7945a9d719378ecd83054a5a7bdb10bf4f91b6181b5525e0603c6bc607ce7ffa672ccb7748dcdfd4895865775761e9ad369214635753dbb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYkq.exe
Filesize
118KB

MD5
542ea5cea48803eae6e1334f56586a01

SHA1
36684c5196ed090c322588cf6e6c37ef7f37bb93

SHA256
44b787b96a84aac9145844cd08827b2b1041929c67794516d6e2279912da0e9d

SHA512
9a214246e3a36793ac37a8527c8eb6fb3f48f40db83fa2c26da9a374441fbdff1426745cc64adf492e53de4d6f8a0e3d144f780720a4eb86b6a37f05a739bbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgQA.exe
Filesize
112KB

MD5
68a78773085deba4ebb7587c83a71917

SHA1
602f2d286475785df40fee287dbcaca75d1250e6

SHA256
1ee1d243d2f84d289ccb8f2858bb696401b6089509f80ba4ea8bbb5e92995265

SHA512
7f908ce71f6c4d6c13c275620a344f5721f5cd35073fcc5b647fab0cda35527ea3b8a5f5288a6c741da2cd638a42cdf52fec4b88e61f26292911687f07098df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rcws.exe
Filesize
116KB

MD5
11e66ca3e63a04ed02ab11cf628c0ac0

SHA1
c4929a2f5a02eefda00cd0a3d1092d958e221720

SHA256
0322f985a0117c6f96f3dec16f8d68f65bc3d34d21c2cd5992deffa32219d342

SHA512
d1c056ab68c2c68933ca9595f070a08b2499b3eb982ef67b4bacdd003e77a0624cc80a9af171d2ee1ddb77846c87cf387bba20bea6a20f21bc06b54474247adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAcy.exe
Filesize
113KB

MD5
117c849dd82e8a1992947a321d6e49fa

SHA1
4fea8a5226f9457c253281c9f7a79d7e9f7ba752

SHA256
ca7128850ac2be5001baae8d21e24c776b7a3b08ad047415c946facdbf4146c1

SHA512
a467040b93e635a0e1ec192ce1d3b59af81c498ecfc9552485c55db7f98407ca0119e467df5023a21b045ef507d84913b1b335679cb30abc5587459fe261164d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tows.exe
Filesize
122KB

MD5
cbbc201f691e8dbc065e761c9f0d362e

SHA1
8c08b57716049efb2194458986ebff6103d0231e

SHA256
54e2b437520738ac77f178f1ac04284f9d25c6768ce4fabe87d97f13e9d3e771

SHA512
110953e83f83ccccaac6cf7fc0f7a2cf6cd7488008496af876366f87e019d4dd40aab91c092c544d3e57650079c32f729ee49007384720c469bb8a7140220adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcwY.exe
Filesize
486KB

MD5
2818bb05e416cd4957d2726437d78955

SHA1
6e8002cbac3bb52225fc78bb100e747a4badb156

SHA256
72a37c4952f5eba600b7f0e6735885c5f2da44d07b38ad041885263789034c4d

SHA512
26d2922e4e1882945afa52b5ced3535f6f407e8bbbe2aec389ef87c7eb5321a0807bdd80e4bdc49e93dd3dda3033f407064fbe8637bdebdf9e882c968eff7613

Download Submit
C:\Users\Admin\AppData\Local\Temp\VssE.exe
Filesize
114KB

MD5
912e6bc3df162965f1f566ea062bfa16

SHA1
16377e53c143ef1d60a96f432c26978170e05d3b

SHA256
7884c57caab758b77ff969c42bbfdbc089ae6a1607db9378e0aed6d23e376b8c

SHA512
47d814f020fc3f9b21760c009ac1ce68499dd57dc4b6985f002050a9b790bee55e6d77ba78a21d27789848b31bec76b749b0e3c5ba975d8384a89b16beefa148

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAQI.exe
Filesize
137KB

MD5
3e5f82466e09a2d215a7bf6a77926244

SHA1
0e821fa7a6d8399977e6e8c9337e6339a2404ce7

SHA256
748a49f207a7ae4581624e7a2074909c75ee6729546d85f0e162bf9392ba7b40

SHA512
f878c82c0405278a84e40440ee2a0a4dd3ae7d892910f9870206296fad5ffca069be0d7be14b81df1b5b8f98d37cf261f2ac1c966e3a1cbac539746af13a8267

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQMA.exe
Filesize
461KB

MD5
93cc41141e1cde7a10f63cfbba00511d

SHA1
08926497cc4223189ebfacc5e6150659673b479c

SHA256
6db1a5a7946253871cea210ede394dc913aa3c4bc6c88ef105f8d9a5de21a04f

SHA512
fb995e51066bfb936007b5c1398070050d40b028f673e09ce5db1deec2c19d478fcfaa849256bf4a3934ad1d847eecad8b458f2b1a5d49c52508b0b118b9533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwoU.exe
Filesize
113KB

MD5
d0dcc1e4d75844e1c75ddc518631ca51

SHA1
9bcc42a369d4749e04efe210c7d40dd00460e3bc

SHA256
3a87a5a62774a5ec929a736d168aad9c67639ca0f1e3deba97bf1a0a0d3c42e4

SHA512
a8e6a103c221a2e187d286a496c8520409335565df35468244906124cf92e3a62fdc61bed3029d84859e8e1fba36ca6daac2f17803fed948337e5d3409cbef68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yosi.exe
Filesize
470KB

MD5
ef84a1b7c8f85fa82c590785d1bac03d

SHA1
652bd217d56f8f2be18cb9f84f433478784d6e2d

SHA256
22b823cabfd6f0349f9f740f12a2d10cd3142116aa319c7c2252714d35652e31

SHA512
aff42a498b817b9d97b197e9f34695dcc368dcd5f884a39cd59096c0b5d83e53a9c9bf343275cd1950d0dffb230c9aedfdff038a3f02d3863b0a374e90a7bf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUsQ.exe
Filesize
1.7MB

MD5
258783f6ff059beaffb2845a8779b37e

SHA1
49f90b57b4ecb25e54083e530aa63bc86d19532b

SHA256
d6c99cf0be892d7e79eaa6aa373d3a0270fe63e45594090dde527298001f80de

SHA512
1adbb527e380b482e90be30c9d3a2c5079d2c6feb0582af92a6a5e6155fa46cce2deacf706d341acd25c534a76e4c9bde5647f0f3799204c3521e0140d304f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgA.exe
Filesize
566KB

MD5
f1c0a3ecbb75dc561b341658e8cb024e

SHA1
f459158a2dfd6123ea174148a6b0f7538e8f8638

SHA256
e1c5e4adac98a77540cef4e7b8e7c84ad2938fbd8d157c98b8ad3dea7e12ddc8

SHA512
519cbe9d230e68eeaf7e409065890a003604ff3bae89957a313a421d02b573cf3077e3033717396be909124b2844be2139a810506b054434e89b97d4b5c03e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEm.exe
Filesize
113KB

MD5
373656e648b251ae3302a2c702e2ecc4

SHA1
f955ede07d0a69f22dd391ac2c0340d367769d36

SHA256
a74d044affd344b8f0cd875f14a7260ef33774fd7c426a22728f8ae673a07d23

SHA512
997e5b4051eeed69b9bb78c17df5e14ce2a7126b41cb4f692fc9fe83c349719a7ad64f43abca9f2e5dc99cd5b68de9b963dfe3cdfee55bc3522fb5dcca12b8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUQm.exe
Filesize
113KB

MD5
2419da60f2b42a39cc1388462158b33b

SHA1
d1b2066c15c24f9e20b833cba6919d2ac5b6555e

SHA256
badfa9e89f1cb494bdd4d41eae074aa3f121ab9818b322266a0539758bde882b

SHA512
9b23d386462009c107acd47ca6faae5f22ec42223ff2bf1b7fb3d2d316ac4036d7efa3657f92d1bc67cccb444d1a207eb9bd6902c45cfc8d3f1908a5c41dcfd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agsS.exe
Filesize
111KB

MD5
5f11bb14948e3dbe3fdef305d279971f

SHA1
cab5fd7abe7e9bba9f33116c2ec6ce782aa638bb

SHA256
7088501bf6e0b829952ed29a1dd6974149a67aee635353c34427f66aebcd1d68

SHA512
5fc8a6efe2a33121b13a0af08d7b7261d9ba8267b3acff18d517b619440394afa270d57bac58f88940baea7777f23b66c02fa283e9ed188a3ba535d01dfc6db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQwQ.exe
Filesize
118KB

MD5
619e905dcd427f1160ea27137f5d1de7

SHA1
3f0641ad633fe3813c37ec76d99e42b1929a8d4e

SHA256
641287662ff88191b732b483279a78f298009a8748224476d0cc11088b2fa43d

SHA512
47cc1b8a4aac5ed646fa988c028340e3ccae9c97752ecef5b2483376d063ac652d472bc3052a7d7ecc74310c18ece5c77ec06bd9a362c2fa8ed7295801203183

Download Submit
C:\Users\Admin\AppData\Local\Temp\boIq.exe
Filesize
120KB

MD5
8896fc5c4594f2035bb0d50dace61967

SHA1
68683ab4158db287ee95ac805f67347381503533

SHA256
cabac38b11015eb3d1752e8b704bc5f533a94561431f9157b7d87ad53916a305

SHA512
125bfc4faf44552c6925ee257912fe3a86891edbd6d2d85aed1b80e6f67b800c1a453f2a701d9644c5e9b831798d3d4464184f15c2e7bc1a68657d14cbdf300c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgME.exe
Filesize
110KB

MD5
9902fbb38127fc55758b06babad5a0dc

SHA1
6cc5f6c9efb61861b35b8c6c745388df3d7da39a

SHA256
6c0101df0f1cc389acb88de71bb5cc00de6344f86ccb508e8624d00248f47c9a

SHA512
611eedd4350e5f4aa8266551ce73462e65091b2ba9b6530eb5d339465d61a8f011429b751155d351e5aed1cd97e33670e7e28010284c026d1a78025ac8a5e65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMcW.exe
Filesize
109KB

MD5
676d8fa5afd43faa5c90e6bdf75c13de

SHA1
000ba074988044e24f582eba1fe3bc7241912e12

SHA256
474792f9088fd92574acab45d8e04580217bf0129bc6768fcc913f0ee7a04d9c

SHA512
2e5e85d2d1a6c9a096e1c74a57566b144fd1b31aebbc208854818a03e5a534a0ea10bf0a064a69369d039a28b0b6ea860516c7ac6560e702b9ac24c6e0d9390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoQI.exe
Filesize
155KB

MD5
faa90b3c3c85b45627c87ea9d91d2f37

SHA1
a5eb0a589dd385e0c5f7f120fabd67bb8bbef431

SHA256
2eb6883fc4c89509dc94b7dd4e8cf937d5cf817a04901947a5dbb4471b7984c8

SHA512
26b930f6b3be40a51e825431004234aa09fa2dda6aa776ae9007d68054c6e6567eba3d0295393fb41755d10f335b3003b9fa2c0b1625b6b92b0707b7c93ea0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoQy.exe
Filesize
110KB

MD5
38185997765333769d3920f21dd8fdb9

SHA1
826ec7b2772825cc4533d93aa55eee3901ca6691

SHA256
8dbde5c5fbe2f467f47038dccb3cc4e93a8866f63b22d774330a96f79f544f9a

SHA512
1936927a449a99d84cf8b2de51e5986abae5e2a1cc2ab0d49395283afce42111baf0b8849df6b811f5f92ebc3bb5167ad0e7f435df1e24a89e1875ff11716d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\esIK.exe
Filesize
113KB

MD5
f6c177e682568f3034563c49efe4d01b

SHA1
993bc3fc0d1ca18e740eb89d0e34cb60385b2138

SHA256
17f38069d0caf12385b88e94337bb231cc825730b81caa24a039fd95385605c0

SHA512
69a6d54ea6a552eef13ced21f9264cf8fd4743242f6597111031e4036ef9f28bc004de9e6cb4c678acd68d984570c41d73dd758f47186d39b8a356006038fd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\escm.exe
Filesize
114KB

MD5
2f9cbfb911d7ea0f7d0b9cde964e4b9d

SHA1
95523893e0dfc0307c38bca7b550168542548825

SHA256
d2186019497f6e34b082d1f45ffc819628213915cd87d0107b0df5f28833399a

SHA512
8b672bb76ae5699ec4be8077b175df9f9ba974991ddc4877ccadae50d455993e207cf45af814235e7c9cdc93833d72df461a814711d947b8c9d16a6b7bc02bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fogM.exe
Filesize
119KB

MD5
708ceba1e0f10410607abf203351303a

SHA1
a41dc28372845f79ad90ed01d332bfc477df8e15

SHA256
4cdeb0aa6637adefcc3f0037e50f69cd38062ebafcfb119bd12ef1587b98c7de

SHA512
95107d33d9a4f61ae5eed801b4254459ccfd8fb2bdc49811d19dd6d0f06c262e9556d05e60b621c3a88944bb6497a2ddf1f7b55009449a805efbae8d04d99c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fooo.exe
Filesize
118KB

MD5
b1ecd1fb7e52cf1db0f7a5e415a3bb71

SHA1
7996ed359428565795d0a8b063259a8c20ae018a

SHA256
84a96682e2b7ff487c4da87944137619795e00878c05dc8d6946a646aa3eaf2d

SHA512
f82d84fa70ac2ee00449256aeace492c3559a3de23a3b33893f8afa135f4c50a4f00702a121a5a08d75ae72ea14831ce77c0adc421f289a3d464e823322654ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwYI.exe
Filesize
237KB

MD5
84b1c3950d9fc830b519eb520027db57

SHA1
c407d2dba5edee49512e5beeb67aa283cdf1f890

SHA256
c97226a89ff65717644f3fe17ce03192c3d1ebe5f6985bff483042e03b00ce95

SHA512
f36a215f0a74f1bd9788fe92ab1037b6c5581376c1e62680896db40eec1f34310990bc8ca1065b8f4ec6dcfdab7dcf2f3b11f9b2d9c6ce76edbf313fe28e8c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgIK.exe
Filesize
116KB

MD5
1a408ac7813a14f702df6dff3b60eee1

SHA1
49846fdb0060b09acc971286063cf7531edecc22

SHA256
65186e6c117f1dd0be42e5ea916bfdc8bb97f656eea69083292cd584660bb2a5

SHA512
73ef54a70a408c80d05883d66eaac533c945fbd7801b1dd5068ed9346cb6134b16d919cef4c2a6c71079673fe7800b92ac42c9e36cfdaf7f4353efd052c5a419

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUUU.exe
Filesize
5.2MB

MD5
2d184cfd2810379089627892e74aa684

SHA1
ff09c4e8bba393203a787a0c62ac75e94053172a

SHA256
d3f273c09519016769302bef55dc74a3474787aa14809806c031d5dddf1e70ed

SHA512
a79d447fd129b0c219d4687532a83cb1bcc99309dcf2b38c9f796b85204186c33356d1c7f5d4db214e7aeb84abb8c418649d69d5a97203dbc2c19248a6a6045f

Download Submit
C:\Users\Admin\AppData\Local\Temp\icww.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikoG.exe
Filesize
719KB

MD5
3b9e9e0bad087919297acd85ebdaf7cb

SHA1
954ec5886fb617049f56a93060422a05b3ccae20

SHA256
3b67bfa5bb4907221b95c42d18089671c7dc2fd0de28d769cb12bf3397be5e20

SHA512
1e69d7398b07a545943f1b44063361c5e48646242f003b3413e23865717a9430fe564e673ba278248bbcbb47625f390e36e194ff096e0eebb768ca5e1e41fab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\joIs.exe
Filesize
112KB

MD5
e50fea29190e65b52287cb031de51767

SHA1
50835c53ac94114495290fe2114f9530f5240218

SHA256
4979f1b1b1e4d07407473001d6d267bee2def682590812fc980f1920c5a1938e

SHA512
5a433c584e8a1de5604223b7e25ae058bfec6e156e195c113339c01b5ff2ba32eeeabe1616e48cc6aee7fdd991a32feb920893e1aa765541fcde099b3b2e88b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEcq.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOYgsEow.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksi.exe
Filesize
112KB

MD5
02eb2c8264175dc73a10b5b0912dd68b

SHA1
8b9a419259797b999a84cde34c9d349102acc0c8

SHA256
1c0d2055c0b83c224d4e1840ca32931a69caec2b5249daa26d387e383ac41e77

SHA512
c5ff8919e18f5005aee121e5d1f9d2c342f9fa864533d04bb9359abb22017f78d036825d64fb815cdc64808c5e0783c90d32c005b1f7651900d4ea9ee8546671

Download Submit
C:\Users\Admin\AppData\Local\Temp\loEm.exe
Filesize
112KB

MD5
66e755c5f08b2b61e19dce5971ce1356

SHA1
fe81cc095b9ebdbb55d44d8543ac072056dc3c34

SHA256
5b991181e1b1c05c19fa69a3bc06d54a8a09e6bb6da6628d87b6f387f4c1edc3

SHA512
3b62f39961645f024d7a29cd69ca1fa55acfe266ea93e813d9248cdd58263f61645228101ede7dc0a00421f697d28bc4f3dcc3a12f8d5da0158631ea529ff4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogAA.exe
Filesize
653KB

MD5
41df3355948020bf468a38d8aa8d5d64

SHA1
3cfb6bbc86ee46ac846ca5abb680379d86c34bb2

SHA256
7c6f1d9388615182d9043d18c8834976c361be8771946d84a53c14d7ca7176f5

SHA512
1454e04a0f4e700f1225786c1704277b4cff0dbdc33babf34aa48c67d53c66f4242b983363ee4caa06507d48b5fa3078f22d569fb7ddd516479e1c9d6a133fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIcu.exe
Filesize
744KB

MD5
17321b12d4fd5613aa24c797143f5f8c

SHA1
7dc7e0ddd056b136b50f1982d32c679ad63d2ff5

SHA256
a4a93c79f52668511c4b24f074e544fe13f63a2ae51a36e66c82ba0bdbe7b590

SHA512
4c8d5430876519132e2673333db3d6d789a4c95cf3f24976a9d97ee371ed8e0d1635fc54c30389523ec183abc5e4a6039c5261a519e5c932e6aea8b10e597573

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQY.exe
Filesize
235KB

MD5
79b12f00885b8df03839616d551715ab

SHA1
eb600f6b29df613a047510544e897382fc8ac7a8

SHA256
92afe65747b378e56939d2292661e123c10c33186912522c2c53bf19dc4ead39

SHA512
2ac9486297e0f21130026acac8cfed3825d97dc33706fb01ae9abbea90897120c54aefcf826f551f0d3482b4b02dff4312318c0f277dd8d28d3b574567cb6fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowo.exe
Filesize
111KB

MD5
d23540a52b99d294659e8e055bc078a7

SHA1
6940e8f96e569fbd96ad65d2ef22d99c35af19db

SHA256
b35e962c739ea67966d0d523ca67881817ba823db4c0531f15e3c90cd4137204

SHA512
8b5aaf0c3cfe3caef5915a2cf05344cd5e8abda7d7626c0c9d534c33ed49f826b395aacf4ebe2f0b65f9bcbdbded9b9c3e8d9d0bf6e33c6c0cbd62a881485514

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsEu.exe
Filesize
114KB

MD5
f2271e799e69638328b0f70f1b50ca41

SHA1
e352221d0e758f636769e526ca5dc3f6e9bd8ef7

SHA256
0db7e5dc67d129f000eb848a72d6072e795779c9fcee430d375ebb99fbd111e3

SHA512
b431ef04ca56ad784278eb7de48b6e82c625386c6a4d9ecf0e72c4f8605642ca092d32f2ff16c6b135fe5b3637c20f7429d59a2075d16ed1b039ce1294dfe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwsC.exe
Filesize
113KB

MD5
14463d7fee574a6d6fa217b1964ed349

SHA1
b144c5e1ac22ab0d8d274fa0087a44703b398a96

SHA256
9fc33274faad4015085335209e89e400e1da39c33ecab4f09515431f84121767

SHA512
060a53ca6854977613f06f1447f88b02d1b89b656bcd227f86b4f8f78e86b6dfaf94b545d21bee8d541e8e222530c89eaf7f30011499bb4cbc9a750b08453469

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQO.exe
Filesize
116KB

MD5
8ce8a4a9291a8c351ce499a30b7e6aa7

SHA1
bcf7939ebcb92aa76e21c8918615ac4e133e9ca2

SHA256
c111068f6e21937d86d845ec8ff15fea492be2391baa1ff85b4ce514c8c462eb

SHA512
4d6f392f10bb30eaf5930f661c7917a1322cb42ac4fe65fcc03c4b1ea611e9e4e26b87c61868a7180f2f2656965e457047628ef9653df96225e85eb912e30c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsY.exe
Filesize
113KB

MD5
599dbaaf4120e5695fec315aaeb62494

SHA1
e395edd3392db4193acb5bbafbc5e249c0a0e6db

SHA256
670b5041fd8b19d41a35c85e8f818b23e064f82ff77379a01a32d09a0d71b1e7

SHA512
e29a3e08ea32e7404a5d573a2ecc7467044ebaef5a2e9db53e72a6a1bb2044615f4e223675be8f9c6428e6cd356044d4cd31b490e67fca21be0603846c6f268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYoe.exe
Filesize
112KB

MD5
899dcba31bd208bc34a80bc4e99c055f

SHA1
909203da22f83a89b1f657b59537445cec77064a

SHA256
2565ddae8ba0edca6986cd95b90054d1e4ed73017d069e255fd885fff696bfc7

SHA512
c380fc9f4b134f82a3c7987f7dfb15d9b33088d0ca536493e6ab095bbd4c11e959e8d6029c9e4b51ff9025d45ddc27dc29718409c1eea51770931b1a1a8e93d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMcy.exe
Filesize
110KB

MD5
52b12e648a060d07c65cbb4d308d0ea6

SHA1
f0bf3b64377cf39f2c2d1d38d2789a142b0960a6

SHA256
73541685065263cea7d16a29d50206395010f419f312cedc82b93157d8285a98

SHA512
6acb9e01a6673efec615c257bd3b4109b3f0f7a72cf215b85f3f46f42f4e855791b08ac984ec6fa70f7c0657da5ff924144720ddec4b5b21ba8b35487f16ac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgQC.exe
Filesize
5.8MB

MD5
685cd2ac0cdc0f8827d2ead568e5b94d

SHA1
aeb1968ec1ff7140d1cb88e9acf6d88dd4648035

SHA256
a873e989ea500ad8929eaa9cd39781dfd7f6803c06213b255669018867ad865c

SHA512
e9a76bb88478eb02f28a431d988030b68743f3dcc724998e8ea77b2b8a376440004fea044a4b9abd7d10a50beabec989d9a994d2d9ae189369ce56d443c7ecb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIUg.exe
Filesize
111KB

MD5
954db6b03494b12b466f857e7f5b5be6

SHA1
4bd2a39aba5eedb75ab95026a277000eb35bb052

SHA256
f4271b184c3abbde5ef6f6af8604f0b58ba9902266d9123528f4b0156017443c

SHA512
755858134e276bdc036633746ba957626035ebab4a09caa5978239b7483f5897784481e370ce22286351a55990bbb0ba64dbbb681a1fceb89173aefb5831fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMYq.exe
Filesize
121KB

MD5
8b7e59c5a27030273a11f070ee0b9106

SHA1
b86bd60ee4aa82c5089c8bb48bf2e7dafee9cdb8

SHA256
d6c3a6c00b1df4c6bdad105b7a3f279124b4e3fb8610602246abc9c1a09d47d0

SHA512
191081bea054be9c0419a1b07ef1494533ff4bbbfe13a19eb3dfcaf94189552b7195cd8837902d35631c146da8a2577164a3a336fd4ec83bbb11ff92bfb5ef3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwwm.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycgW.exe
Filesize
111KB

MD5
f52d8c0bdaf0f4c57efa3498facf9490

SHA1
9c25fff5e3289a5b48ad8cd99e5f0fc9bd1201a8

SHA256
6361bb004070259404932e22d389196ea2babc2bade5632243a1b702d63fbb29

SHA512
d89bed4d458fb6deec78c6ed502bdc67c1b0af87051d550c9708e1a3d52a10040d43e6d0e31c2d086fe94751acc1672e13c709354d013ca8e99cb0b511227b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysAK.exe
Filesize
505KB

MD5
877eb65769095884e580a44a9f96cfeb

SHA1
23978b8bd094c9399311ec3ce33d0b1336c480c8

SHA256
f38b2c2bea7a7abb261ea11d6aff9f0a2a46e4cf1b1cf9d8c8026fa11815ce5e

SHA512
727f98ee0ad58cc86c0c67b3ea16d75b492d86b1f540cfce2718a3105e870831e002b72d589ba3f6852973ea27c11b1d8f4c3d169fa3d500aca76337c8d48f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMm.exe
Filesize
388KB

MD5
a977941d04468c4dc41c0cb094b73c15

SHA1
61368bb8e646b8439c58047e9761d7e47b7b7138

SHA256
ac3c013e3357ab4f93997809633fd6c6c65575ba581893989fafe91b0b10b29d

SHA512
0cb3e1001e64a295dc0fab24ba53ea769c545114fbebd97f4bd1bd41429081302733aa2541726d2d9b434bb55bbb29a2198001ab0d98ce67ca73e0ab30f7a704

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQsi.exe
Filesize
114KB

MD5
5304cf7f36c38b3a531d1e79a00a8aff

SHA1
dae65efd9de587f178185c130b3c15c84cd4165a

SHA256
32dc06775d171a831d19cc78a5be091f9a212736ee0f9893d2882f9770703359

SHA512
0b9da13528ce4f669696015ce8ce8e7ca9584b7a1d6f5e74547080e359936d364ad3f474dd6727c4fa472ffff41aa030a7216a249fb0753d4b47dabdb21a8d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUsE.exe
Filesize
700KB

MD5
3b5e50556eaae7efd795ad17fd001ba1

SHA1
31c836af606be65920fcc078f5c5d6657d874e49

SHA256
1d143b07466098bf57275fad6f50bd4148fcfd646c6685bbb9259e6442cbfd0e

SHA512
9532438de4a4bab50c0e219613791ae3bc6e488026f29e65a40fbdabd7579fd7817bb25e4334df2c0554521735a5c650a5d10d2ead6821c3b3aae5faa1ce0a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkYg.exe
Filesize
111KB

MD5
9969a0f4230f8dd7a75385242a46a94e

SHA1
c064a1a28a652c3f498fd2bad37eaee6475428e8

SHA256
69363bc965677911a4605a9aeed3406acc24a3897781992b7c51a259e3918e04

SHA512
14780cf6a81ce77134a6dc94d99d892857039dabb20cceaf8e532a6b13b5b40706a68f4b6f68481eda31c6aca9991e1d8f0c1c9d233832ff84033511ba154a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoIy.exe
Filesize
114KB

MD5
8f7c82d4c7f23496efc103d84ca41693

SHA1
44e0ecdbd29089bd8e7e867de17f8097a62f7a23

SHA256
3bea9167d14ddf379a614f1abbbcdef590f774440a37f0276cf0d22d33263cfd

SHA512
f984bc57e4ddd3979446d510f1085353ecc6cc444ec1b8ef14f007b41cd1e6e3835b638619e51c6d947d4a0b27c43ccce3ffb8ac57d5d6b5819c4d5763e48095

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertToPop.zip.exe
Filesize
324KB

MD5
544f92e2e71a352355acca5f964fbfc8

SHA1
f517837c77022cf9547f88582b45ce0d8320fc53

SHA256
d07073d6586d597736e5ec0944edc672bd06deb93658eb80e51a7045ee189f4b

SHA512
ca2d43bf284f23d0086437b8f9921dd61e2be59787e3120ead6661fdadcb97a66d9a37fbb5e8c7fca1ad46b05ea063ab34681ae45f96da573cc5d4c99ce76d91

Download Submit
C:\Users\Admin\AppData\Roaming\DenyReceive.doc.exe
Filesize
375KB

MD5
220e7c1adb63cd6770456ddbcb55b394

SHA1
764fa6866d62cc4dadd3a7f58003c27a7580ffd9

SHA256
eb84d839e55a2ab4c3e9075285ba744b832c42472444b9316124721dc7e624ce

SHA512
ba17fa119b5e28444c3bc758aeb33421e62c63fd12c668e66584df7a715d902d17145cd8daf0a3d6cb486d1edb7ce5d04866e8def1c1e0b2152d7e0309c070fa

Download Submit
C:\Users\Admin\Music\CompleteMeasure.ppt.exe
Filesize
669KB

MD5
a78f07907ba7f154a0156469542b29f9

SHA1
adbeadcf1e67acf2258df2348411a62e7d62ec9d

SHA256
404a62206ca6bd8b6329140a181613c5607d2553608df5b32aba3a980bf9c96d

SHA512
3d8320018711b24700d922474ce7131bb4d0825273801a5b6f868908026bd024ae1397bfbab8463e7326c873b88dbf587cdd4948f9ef2243b19684a7025590f2

Download Submit
C:\Users\Admin\Music\InvokeInitialize.bmp.exe
Filesize
774KB

MD5
cfd0ac77f44aad3b72ee035d271406e5

SHA1
6935a6358ab1756916b038a5b6ba98482faf2dde

SHA256
786841f05d92ec675485a3bb7c7beb45e4f1335afe141077da5c5819b24bba6e

SHA512
e0295a44f338321b7bfb11cb27c8b304071a44660af9fa1da38534c53e3228978e2ad36db29fca86b157efeca7ec6f243ff0c5fbcdf46947f3c7e9109231db39

Download Submit
C:\Users\Admin\Pictures\AddSelect.bmp.exe
Filesize
451KB

MD5
75ae272713500110f816a61799359c88

SHA1
94c70634a88ada8b21961e5d0c2ff2409bd05101

SHA256
37242d3225622f81ae63c5f585692b99bf8a9ded6e2731db1780f5e66b16ebf0

SHA512
bb657802c288410615f1eda2043793749bbc8a04a99dbafecaefa51952e5e2558761ccb916947db480e33e3788a18de134fba2a4983773fa69003f04935017a5

Download Submit
C:\Users\Admin\Pictures\SendBlock.gif.exe
Filesize
365KB

MD5
aae02b79a23dc774fc449ba1749a8c75

SHA1
493cbadcdb45b7e7fa7fec825ce7c01d6bfc2cf6

SHA256
5a008f00ab69ee79de9a9c7b295ca7138128a425afdd754e63b7263cf17182f6

SHA512
5fe36da68c1b036f86af8a1537bb088b6e72a7e9aa94603c98c9aec2563441f4896d73969cf9e35e2b683c635edd971b7507d2b69ea6d4ff7a90a5d3ec63cf5d

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
5.8MB

MD5
0c7a9c49b90acb4cafffc1b329086a82

SHA1
87d1fe2af71cb1139cc7b0c07aaa83edff65c983

SHA256
8762a13df39cc100030db42990db8001eac88db8708603d6131bf81b1aba9771

SHA512
c4afe0ea790bf9bcdecffe7c0d0e708349a1bc253fbec4b31479f41ec4c93393225bd6f4bcffc0dd52f8de1d38172691bc570805c703904af3cc32857661b2b4

Download Submit
memory/64-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/64-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/728-729-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/728-691-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/856-306-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/856-357-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1076-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1904-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1904-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2156-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-305-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2596-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2608-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2800-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-654-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-619-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3128-750-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3228-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3228-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3336-403-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3336-428-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3608-603-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3616-59-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3616-178-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3696-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3696-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3840-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3840-429-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4072-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4108-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4256-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4256-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4296-676-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4296-655-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4300-517-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4300-553-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4328-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4492-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4492-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4604-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4604-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5048-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download