a04698f9ae5a6f148769c7852cac3707823304265645089bcc4411100c7a88b5

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Size

186KB
MD5

843d4b65b69d1ec8e6a4fd32a2769ed2
SHA1

c69c36418a5c9533da54a703c25d66e5bdc3f546
SHA256

a04698f9ae5a6f148769c7852cac3707823304265645089bcc4411100c7a88b5
SHA512

c80d06b19007cc51e81bdff665dbba665b440e5b8f57a24d80dcfc5d124d0afd359c66819f6c766382a8f64ea7e1153d2d38e696e5e95da0d235dca20e1a5fba
SSDEEP

3072:frfH7LU9NknL4KPe9Sn/w+f2/07z1PQeQzTyH1ZxPVPmK8cMm4ffl6ceY3XzgCqd:frfH/gecCeQn/w+2M1PmzTyH1ZxPVPmu

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 45 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cYYMwMMA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cYYMwMMA.exe

Executes dropped EXE 2 IoCs

Processes:

cYYMwMMA.exeKIQMgsws.exe

pid process

2620 cYYMwMMA.exe
4708 KIQMgsws.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.execYYMwMMA.exeKIQMgsws.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUQMoAUo.exe = "C:\\Users\\Admin\\DAMssswc\\BUQMoAUo.exe"	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HMAEgIkU.exe = "C:\\ProgramData\\noMAsIok\\HMAEgIkU.exe"	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cYYMwMMA.exe = "C:\\Users\\Admin\\xQoMIwsY\\cYYMwMMA.exe"	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KIQMgsws.exe = "C:\\ProgramData\\tgsQscYc\\KIQMgsws.exe"	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cYYMwMMA.exe = "C:\\Users\\Admin\\xQoMIwsY\\cYYMwMMA.exe"	cYYMwMMA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KIQMgsws.exe = "C:\\ProgramData\\tgsQscYc\\KIQMgsws.exe"	KIQMgsws.exe

Drops file in System32 directory 1 IoCs

Processes:

cYYMwMMA.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe cYYMwMMA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5040 2212 WerFault.exe HMAEgIkU.exe
4600 4992 WerFault.exe BUQMoAUo.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	cYYMwMMA.exe

pid	pid_target	process	target process
5040	2212	WerFault.exe	HMAEgIkU.exe
4600	4992	WerFault.exe	BUQMoAUo.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1888	reg.exe
4256	reg.exe
1356	reg.exe
2220	reg.exe
1376	reg.exe
4132	reg.exe
1764	reg.exe
432	reg.exe
3808	reg.exe
4900	reg.exe
4656	reg.exe
4124	reg.exe
4872	reg.exe
208	reg.exe
2280	reg.exe
3332	reg.exe
4484	reg.exe
4820	reg.exe
212	reg.exe
1184	reg.exe
3928	reg.exe
2252	reg.exe
1544	reg.exe
2236	reg.exe
904	reg.exe
2084	reg.exe
716	reg.exe
3140	reg.exe
3644	reg.exe
904	reg.exe
2704	reg.exe
556	reg.exe
400	reg.exe
716	reg.exe
2908	reg.exe
4428	reg.exe
3816	reg.exe
3504	reg.exe
4532	reg.exe
2180	reg.exe
1692	reg.exe
3476	reg.exe
884	reg.exe
5028	reg.exe
1368	reg.exe
316	reg.exe
2300	reg.exe
2196	reg.exe
2932	reg.exe
1184	reg.exe
3500	reg.exe
3812	reg.exe
3552	reg.exe
4884	reg.exe
1252	reg.exe
3180	reg.exe
1084	reg.exe
2516	reg.exe
3772	reg.exe
4092	reg.exe
5116	reg.exe
3884	reg.exe
2524	reg.exe
5000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe

pid	process
2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2428	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2428	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2428	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2428	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
64	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
64	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
64	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
64	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2616	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2616	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2616	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2616	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1708	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1708	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1708	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1708	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4132	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4132	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4132	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4132	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2908	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2908	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2908	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2908	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4384	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4384	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4384	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4384	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3972	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3972	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3972	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3972	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2224	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2224	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2224	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2224	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3984	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3984	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3984	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3984	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4800	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4800	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4800	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4800	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4676	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4676	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4676	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
4676	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3256	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3256	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3256	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
3256	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cYYMwMMA.exe

pid process

2620 cYYMwMMA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

cYYMwMMA.exe

pid	process
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe
2620	cYYMwMMA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.execmd.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.execmd.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 2620	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cYYMwMMA.exe
PID 2236 wrote to memory of 2620	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cYYMwMMA.exe
PID 2236 wrote to memory of 2620	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cYYMwMMA.exe
PID 2236 wrote to memory of 4708	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	KIQMgsws.exe
PID 2236 wrote to memory of 4708	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	KIQMgsws.exe
PID 2236 wrote to memory of 4708	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	KIQMgsws.exe
PID 2236 wrote to memory of 3808	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2236 wrote to memory of 3808	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2236 wrote to memory of 3808	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2236 wrote to memory of 4040	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 4040	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 4040	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 116	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 116	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 116	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 556	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 556	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 556	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2236 wrote to memory of 760	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2236 wrote to memory of 760	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2236 wrote to memory of 760	2236	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 3808 wrote to memory of 716	3808	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 3808 wrote to memory of 716	3808	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 3808 wrote to memory of 716	3808	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 716 wrote to memory of 3812	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 716 wrote to memory of 3812	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 716 wrote to memory of 3812	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 716 wrote to memory of 2932	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 2932	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 2932	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 776	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 776	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 776	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 2220	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 2220	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 2220	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 716 wrote to memory of 1812	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 716 wrote to memory of 1812	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 716 wrote to memory of 1812	716	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 3812 wrote to memory of 2084	3812	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 3812 wrote to memory of 2084	3812	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 3812 wrote to memory of 2084	3812	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 2084 wrote to memory of 4428	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2084 wrote to memory of 4428	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2084 wrote to memory of 4428	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2084 wrote to memory of 1184	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1184	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1184	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1536	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1536	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1536	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1760	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1760	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 1760	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2084 wrote to memory of 4988	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2084 wrote to memory of 4988	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2084 wrote to memory of 4988	2084	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 4428 wrote to memory of 2428	4428	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 4428 wrote to memory of 2428	4428	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 4428 wrote to memory of 2428	4428	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1812 wrote to memory of 4256	1812	cmd.exe	cscript.exe
PID 1812 wrote to memory of 4256	1812	cmd.exe	cscript.exe
PID 1812 wrote to memory of 4256	1812	cmd.exe	cscript.exe
PID 760 wrote to memory of 4060	760	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\xQoMIwsY\cYYMwMMA.exe
"C:\Users\Admin\xQoMIwsY\cYYMwMMA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2620

C:\ProgramData\tgsQscYc\KIQMgsws.exe
"C:\ProgramData\tgsQscYc\KIQMgsws.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
8⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
10⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
12⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
14⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
16⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
18⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
20⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
22⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
24⤵
PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
26⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
28⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
30⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
32⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
33⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
34⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
35⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
36⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
37⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
38⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
39⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
40⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
41⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
42⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
43⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
44⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
45⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
46⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
47⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
48⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
49⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
50⤵
PID:3804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
51⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
52⤵
PID:2252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
53⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
54⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
55⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
56⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
57⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
58⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
59⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
60⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
61⤵
- Adds Run key to start application
PID:452

C:\Users\Admin\DAMssswc\BUQMoAUo.exe
"C:\Users\Admin\DAMssswc\BUQMoAUo.exe"
62⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 224
63⤵
- Program crash
PID:4600

C:\ProgramData\noMAsIok\HMAEgIkU.exe
"C:\ProgramData\noMAsIok\HMAEgIkU.exe"
62⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 224
63⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
62⤵
PID:2780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
63⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
64⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
65⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
66⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
67⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
68⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
69⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
70⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
71⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
72⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
73⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
74⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
75⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
76⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
77⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
78⤵
PID:4256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
79⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
80⤵
PID:1012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
81⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
82⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
83⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
84⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
85⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
86⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
87⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
88⤵
PID:2580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
89⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
90⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmcgYgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
90⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:5012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQAwEMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
88⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:3500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSUEoAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
86⤵
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqAUUEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
84⤵
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:4484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqEEAEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
82⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:3620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYgggMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
80⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEYkogws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
78⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMEQowUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
76⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOYgkYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
74⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:3836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAckkoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
72⤵
PID:5092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:1684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgMgskoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
70⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEkQUIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
68⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuscsYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
66⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BassYYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
64⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmoEwAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
62⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
- Modifies registry key
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NksocYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
60⤵
PID:3868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOoQccUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
58⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAIYIwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
56⤵
PID:3808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgQAMcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
54⤵
PID:3612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSYgIoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
52⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsggocQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
50⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEsAsIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
48⤵
PID:640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGwgQAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
46⤵
PID:4048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYMAkgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
44⤵
PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyQUEcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
42⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poYgIMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
40⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piEoUYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
38⤵
PID:3228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqoMUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
36⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkkAsEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
34⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGAIUIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
32⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMUAgggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
30⤵
PID:4532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwEkUkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
28⤵
PID:4120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMcIMwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
26⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEQYckUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
24⤵
PID:4384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQYQQgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
22⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jakkkoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
20⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGMcgQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
18⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOAQwYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
16⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmkIcAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
14⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMwkskkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
12⤵
PID:3836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boQsUcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
10⤵
PID:3196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUsEUAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
8⤵
PID:3900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MugIgEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
6⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwIgAsEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQAosIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2212 -ip 2212
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4992 -ip 4992
1⤵
PID:1860

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
306KB

MD5
9c46553c1769b50bd67591769df0abc1

SHA1
a194afbdbf960675232e409fbe63548645dd1968

SHA256
61e310eed93bdf141fde3c7c82adaf252e8de6b526c4665b0b5f073ddd31a468

SHA512
cbb2aba05ad50989b46d68ad01f6ed14e47ef76d41ca1fc6439f6a74c64ae8b46e886c2e6ec1dcf68dd52133d79c315283d32e5ccda73e8bd7a21ffabf37e42d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
234KB

MD5
488b2f9fe17cb27f25d13d10aee2b4b2

SHA1
8937b2291657440590a76d2ecaf7b57d11de2616

SHA256
8afb9d855a123ebc171f241d0c1053eb5b455420132c597c7a22a1bce1a2fbc8

SHA512
7f13c490cd25a3918aa11166b623ee2ecb156f40a000f5701f6f3f1edb566b967acc1fd903c101c83054e8b4796f233658eb6db6c10e599e7161bf13a24722be

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
233KB

MD5
30a5bdda62a617417467910950bf734b

SHA1
e5a698a397b593d6b06f9cfe352c0377bc2b66e2

SHA256
84db553f4c2fba3fdc57420d818162366b8f762b8ecab5ed84956e38e5dea3e4

SHA512
2ddd18984443b832befa641884c5eca0a6c7a8abf43f992f264a135c79c93589fb31b2d023f4034dc9c5225cfc1a6639b3633d4f8dedfe1934ac51e1a11e867c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
230KB

MD5
6dbcf4d9e032d20fc621bcc893f70bba

SHA1
14d20f8b5a99e5a441b32c7ea2dc864d0e6b27d4

SHA256
2ec590516126dd48b79516a849e027574bf252342b5e352ecbbf633d4fab3e6c

SHA512
1a0653edde238032b20b1003415652400a536d3909c3d63c1fee5b7d59f313348b3a18ceab260feb9a97518653ecd94a170e7809a999f459c42af3eb5c76be0a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
230KB

MD5
f19bfbaa352edc21beaf4e68e87a1e0c

SHA1
6a0cb960dee86a993b5134b1862a513fc4d12c30

SHA256
ec25342c2de4209cbf89283e3bf0bea551bac92507a5c600768f7138078f943d

SHA512
636189ae05a87383367b620fff338cf3869d63d609fdb5c6b909792b793bbce06f0ed8fff0cbbb43b364b128f803402c5afcb24fe98604582579751c055bbbe7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
321KB

MD5
af4e1b74749c146e645fdd226f1c3947

SHA1
78bfec599fc765c035e9dc933c02cd0252a39fa9

SHA256
a057c7399ee4421a57cf564424e272f6ad4b044c128f4186c8f5e4f45ae9c974

SHA512
d7e4917d31a78389c411cdef8d25749a4af22b4d068b07d9850a3674dcd6b74c4b98858b36b985caa3338790d6295795b365904e61f6277a477838665a9d7188

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
639KB

MD5
8d338fde54fb20282ea00d699026d744

SHA1
6eae74e8ba0399f3060ac698278908eae686b04e

SHA256
488975551b83e92e20b8b879117fcadfe70a69620140117ca26e3f8fa69fb36f

SHA512
a9db167ce36cee9be037f26dd474662cca3fb5f232ddc85307ff9f046f71c16a3d98c791bea95f09045ee3d13d9d43697b5ba437b194df87388cd3e747314baf

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
820KB

MD5
0a2aa1b0358bc247b329a122d1e3c0c8

SHA1
d88648257d9155e162b35465bb4643893cf6bcd0

SHA256
0146beb1f79ac5c396c95fc295ca607d3fa6342a58feb6dbf2a4d1c64a32a05f

SHA512
c072b0d15864b22fdbfcee12b51bbbc8367c12c59c3ff28b4c44fdef58ba080534ccdff8bffb0115d3a9439a2b5e8d0fd1e7ef72236a3ba1ab4da4b211d39d2c

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
642KB

MD5
733c901fd49214f8a4cf12ab63de44cd

SHA1
4bd94b5bd7cfed95b9408f9a26efcd7d3100bb54

SHA256
39bdbf2cd8b32ff3338470504a31a2d3a3672a60ff784dee381145f5306bb60e

SHA512
c2e3d56210ca588a8b56a003bab8e48e4419b24af61728b9037732f9b17703e85135937752d54c18ed974e09a6b47d391cd79749a1f88affdbe0f3d60035263b

Download Submit
C:\ProgramData\tgsQscYc\KIQMgsws.exe

Filesize
190KB

MD5
a0e8d8207d88d25ab9c387bebc5bb44a

SHA1
359a4bf4544993cd71bbef00eba806951d1683a8

SHA256
30dbc2f1ec6653d4013983380f84b36383e79dbaf30b7213bd476eaf532fb92a

SHA512
cc40db4f333b221f41471cdfa3a66833226f341962551fca8fae7f0a6f64dcf2200964ffa1efa60245d05fc84c3634f2b5f6ef9032ca1e496aecacfaec26699b

Download Submit
C:\ProgramData\tgsQscYc\KIQMgsws.inf

Filesize
4B

MD5
a2e74d86baef95b36a865caf249e1f33

SHA1
ed94f8bbf16b51e167d16a2ca6063202f9d0ca36

SHA256
ffec154acb9f3af99b7f211d83895db3ca52192232328cb19d109f9c427d89da

SHA512
78ef7f547046f8833c7630b1726b6a03754db0201d7050f5d766699b77b66e42869786ff4eb0cc255071b3f2797473a9d2c270288c2a650dc55d9da048941968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
210KB

MD5
5875086fec2cbf20b350a1563af2abdb

SHA1
c1cb4c2a09b856353982836f7c2bccbe62dc3579

SHA256
aa89b9da0bbe7c9f300f8711c5af08703b768efd36f375d8da00b369a7857c88

SHA512
b5b2732472c7bba55c74364c4f7e8593febf51f8e33c778c1ffa0a63dd655b5628a698aa981866f60126b5f739578e0e4cb3f80937b106857a2d8f6ca5233343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
213KB

MD5
9cf6a89ad66ff73a0e2edf7970480357

SHA1
c436f693d87483d6978c0283ae0ffb7c62b9755e

SHA256
821166646b2430eba5cc9a458a22a492f66b0b28dda9f502ab441bf5a994d6d7

SHA512
0d3bee69ed304d5cd7447158ed7ae9c317bc3b4613f4c4a9037c84524b3ee228523ad89b051de1778b8e1a74110a2621424edf425bd36d771c29e050b9795fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
201KB

MD5
d4b96549113df283efa12068b71ad0a1

SHA1
bee04a2b63a02e7ce0673bbdf7104d132b8b46ee

SHA256
7762fb95ea3208ac334406db2ba296a3ea12455e2e58cf63070430d07a46dd76

SHA512
f3e0bab48618957079bf8fca2e16baed93341c8c41ca4a1b7fd89c593eaf35fd54e4ed0b46848b7706b821c6eb32c9d7223e65c1c98a2e5344ddd358c8533249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
192KB

MD5
50f13a22377f23950d75667586a94d87

SHA1
66e49925507fd1ff54606ca167ef6e33b9349e70

SHA256
7f870b3451f6797c35b09d097e122fea51d7c5204855fa4e722dfc8fe836bbfe

SHA512
53215ff909f20558fd0c4a1f28a9f5dd6684f3f5c36582d107a86ec0c1829b71c465d3faf418f6a2f2e5b084ad6693c70ee84855a1acff671699abfe3b2251d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
196KB

MD5
ebac2a548fe4bd41f452337e4fcd0651

SHA1
77fc36949c1d005bd3e9a2e3157e258b4126c6df

SHA256
b69d832eb1d573a0d86733bd95c7e04ad534f0858fe9341b3503b05af35cbb3c

SHA512
3199c9c36c6134b31000bb0fc8ff616dde3e3faf29cf948e95e02392a055453f04902fe70f2e415aa3f626f97a8767854491d4ec0ce7573b76e535644b08520a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
209KB

MD5
84b7c2a43ca23304779fdbec674523cf

SHA1
f4729953e429854a971619e1dfbe7d7929a86f9b

SHA256
1d8424d66ec9a906cad05e3be9a2018e5e66d15ae8533f23e034b957ac60581c

SHA512
043340f81338ffce589d1c263294323e90909cda5dcd566d2de6b21602ed6f5b2529ef3103bc8dc3fe18b69f4436ab624cc69bb30206f6ba62e8526378ff0d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
208KB

MD5
ef1c81b806c76d88152f61229571375f

SHA1
625240fffe52e6dd010301fd8ce26d60879c912c

SHA256
c84c50d0277e54d4342a3af93807895ee6c6f3a2f2032fdd1c05bcf8e33248c7

SHA512
728d06f73f56a5d80c9b1d4b944d29f6e8bfea41831812d00e74e3ba1832e86e09a1ff3a133743d1f6501afb48f8a3109a551a93b4efebd797380a47d0855fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
191KB

MD5
fbe3c8c029542501fe5847e416b898ee

SHA1
4c9d3b2eb64b832536225e1c0647fd802c87c1a1

SHA256
8dc6b38e873bc327b64000b6b38ebb5ddc19a89afb1c85fecb9a2928b2a63fc5

SHA512
91e169440516ceda819393c3b16271c30e4e4ff8fcce1339b0a66326d2c868a94f7e5b8891eeec06e6f6c2b8421228b0176fa8971d3806f15db4c9e9f035a7f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
194KB

MD5
4f26826989b9f115a9973717505d154a

SHA1
f022ac9d98f058dc84095c3d8722048a0f83491a

SHA256
7f4480a6437b49c3abe31b9560c4365d9ba1ef46cca06f8224ba4294556d1e5e

SHA512
a31fff6209b8953b3634f9a941a579fbb6dccc1302d9133ca75d5c5bb182dba08bafe4e5c51abc205ed26ed1e3d689bbeab2e8cfa7ce61f7dbb2c2a9d374dbc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
197KB

MD5
437575fc11af0ac76097afaa7382bcc8

SHA1
e3e29bf828a78486c7a4699b16ce45a012694a76

SHA256
9a6f73569c4fc433ec3f03ec85fca909f913d3d62c5517e7ce4400261f4b8437

SHA512
1e29b2e87ba0e42b35498b1c7692e7045fac4079356eba26d74f6a858f271de2706f69b487670ac7fd5b8b863d4daa4dc45e091fa9f152d0491b856a3fe98bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
195KB

MD5
321ba5d8d400c4460879f96a56681173

SHA1
02dd6e35cc8b7ce6c471e47ab4e7779ef9ea0315

SHA256
25ffa46587846a384fb4fe83def25aaafe60575eda12db95a0189166de185998

SHA512
13db6b226bf017f1df5511013506a15b3bba834357ebfd8cd3001333c62d3ae17ceaa35101aac3be6157408c6e524c305d2df76ddb1e75fe942ab50adb3461ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
204KB

MD5
9d75338a8b4e9f9aea27afe358c394aa

SHA1
b26bccb98ec32a582e69a691764943989373cee8

SHA256
6d9ec5fe931a367ca0b55e5d423765f92003f2729b81ded62db6ea49abd44c7a

SHA512
621eeb390c94a0d094ee29e004ce726a5b7b900f9b4ebce88501a9039be61aca94b2bf86bca1d367bb21e446c093452411c6936e531670f8efa45e61849bf5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
199KB

MD5
87c6adc44010ad2c60501d40a79f36df

SHA1
dcb8ea2497bf2c091f9c4574fb9c7f36a2afbc88

SHA256
4043febe3067b54692a2a107f51d234d2756cbe2d626236f5683629207ece709

SHA512
997b7dd663e1339e21cd231afd657d85a5460e1efb919d294eaf0bb305900fb621a4f2879271ef0e9723abbce4c50828741378539a45667e4c6cd2bb93b4cd8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
199KB

MD5
766c776330dec42f6daec1a598dc9f6e

SHA1
9e0a760bb3dd963c2eacc685255b59e19264cc42

SHA256
516a3cee765545a2e49a175015ae07e1ce6a5a5952a17b6ff27f414f6c14f589

SHA512
0947d5b0f0e6c0ce03a03e606eab0370f6103f5076c0d194424bf5151473d5da2f3604345d0ad34ce8fd7966205db2198558ec6c2518aef01a4982d2fa1b5db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
ba6de770b1f2a30d5c0c958d53825c3d

SHA1
9c1047a66df77fb9d397cd1567195f25a761c694

SHA256
86a066bff8217c3830f5534bb020a35447bce49c52d827958314c2ee3f70acc5

SHA512
e25ccf2a108d14472cc795fd6a081dfb9b0cf8833b57ab6f816577b98147ce48028bbf0c8a4f385a555030a3f3f8ec5058e1ea5105ed102caaab0b05e6e9257b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
190KB

MD5
85ed752b9bc30b36b6b245de4384be5c

SHA1
db1e5e856c588db09db436744d55e6a09476bc6d

SHA256
0d37681a0b64b488f59b42f0abfe13cea662d3a4af6332346d423578d155d32d

SHA512
916bdaec0765f70934e880dfc050670680bcda0666591301bdad750ab68898171a1822a9228f559e6b5cd9ea895138cb3d6c1cb9fa64990647438b2f2d466fea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
186KB

MD5
676ed958ad207f196d41c50cc6e2db84

SHA1
eee484b6f1ffd0c3ffe403156878162aed6b0a48

SHA256
675508387d21f2eb854a712c0984f09e36610320fbfabd44c73e0271a8679e4f

SHA512
1867da8e17f56ebac0e2ce0db2180b61f21ed792d9a9fef9a7c7d0dbb51ac7db74c51285d9b74c504d2dac433df6f513791c50e9014e4e3976e361f9ed03770d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
185KB

MD5
bc28a603cf88fac0fecd8b86a56169d9

SHA1
e8c610ee4b35ad817979647355c9506aee63a0dc

SHA256
3d7d62e6454135627391a5ab2d83257c00cde6efcfc03569bcc88baeb65341c1

SHA512
bc4c02c517ef85c61c2b32e346a0944dcd5c021d2583ffb67c52a6aac2b6b367e29d67cc124d6d11d70ccea343f8bd590ab422c98ae5626c40063883ebd72f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMI.exe

Filesize
183KB

MD5
f05c68b194ff995137c76af4fc75c687

SHA1
d63e545cce20f67ee2fc288412b6174d3bb3913b

SHA256
59bf5601403c11414fe01188198e7018c7bf2a14d1d6b4288804b9011fb906b1

SHA512
c49a1b8bd3cb5183a2a16e3ab4e9b0a663236f0c391729ec671e314e0e910c5897bad09af4080becf2669074e35c6bac1c783fcfc0714334cde77c686a26f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIIm.exe

Filesize
192KB

MD5
1d3758211b1f0ca715a6c1eca22ad043

SHA1
68e4a38eab446522fe9c4fe9d2a6bb291ca4e187

SHA256
fe22a29182395c70099de28b8b07a60ec8ada02f7ceadfb0a47d8d7ea4e44728

SHA512
ddc388d11ed7b497439dddc0740e8d9e06537485d5d30f8968e93364836a51f0429f0b2c9299939df2c91bbbdb09a416a05eb4977dec5da22c82156ee86123fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUwU.exe

Filesize
194KB

MD5
d2b96b3e26ec79bd57dd5786cbadba1c

SHA1
d293d9f0490bc4125fc84265cb4aa6a3bc38367b

SHA256
97a62e59815672e05d3c5c6b401ef8444931b16d8d5f3148e93ef2bfc0d95a70

SHA512
d09edfc912366d6aace1f59032d5cb6135b36b8c5a0a1f79e56820fb1894b7deb65423539db605be029b78429f092931c8b42142e20c2ba25345edc35ab3647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsYw.exe

Filesize
200KB

MD5
151d0486828b36108ab1b34c75835075

SHA1
16e27eafcb2aa4a0137ca8630c10c90051409e71

SHA256
3d196a2d669630cf390463cc0f41c20fb4ff7e94c2ca5281158a0d3c8ba16eba

SHA512
3288855da964ccc667a18847367288a8d3b13c362cc32efa58ca3ef8288d2ad1b524adf5310bb0e22656184eb4e3e7186583f1715636414d654b2f8a8a1e4551

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwYC.exe

Filesize
328KB

MD5
096bbd4b2fbcb016c79f1a0b43106fe4

SHA1
29f162b9432e7a510fead96ced0669d59d851d4a

SHA256
26039fd2d73afa3c532449fd0944c155c935e22e8e459a41e70206ec42fc5bc5

SHA512
5ac1d14a6655025aa226bc8edf3f0d19cb366d40aee62240d449479a5fd4687dd3a3359b48ac8a19d6a32071b2422a21d90676aed2835f9c0f2cfde85697a4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQEy.exe

Filesize
345KB

MD5
0ac71169fad475718facd8cd13402dd3

SHA1
9143f275755e025b3b9ecbdbf9c4954195936499

SHA256
c2667b7af70e4596d09e990a1883af1d8617130b48154e13ac8faa50446d9232

SHA512
690fb720fed3fadf1618a1d7e910f4d637e0bebe3a4ef509ca039735e0b0b8a6467d630266f7f50fc73255b3936a2868f354aed42364edfc158ecd566f572160

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAku.exe

Filesize
204KB

MD5
18abd62c5cc0cb4191e70991e86c0a3f

SHA1
e76d8e3655e0815c009abf9b9ef9d57afe44097f

SHA256
d6d8db25cb767579981a983b0fbe214abcea280c09194d8315ce7fbc996fd2f0

SHA512
f66611363b00eac9263f1118157329d3a91c8ba4e758bc53b41c624576b1c8f029c5e76c4371faa7508c16d7bb93e69b44ce17021ccd96cbf31081c9b77b4552

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUEG.exe

Filesize
221KB

MD5
c35b7ac008ed419f5bbe9a8bd141e9a0

SHA1
3b886bfd09240474f68b507d10b39c8ea0c0cc0a

SHA256
9195bdfc655edc817cb15a6ca0bcfc147b1e6282bcbac81bbcb7414f0df52dd6

SHA512
46e6c5266c3637808569b6d6b112231b661e3b35533b51fbd2802edefb11107b52aafea37adf24dbcea4c610de70e053e584501da52d9e18f26b5d25093e784b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYAw.exe

Filesize
207KB

MD5
515c894abc27c69eed65147fc34021d0

SHA1
7ea59ab5fafb597a0d3b5fc1715300488b404d76

SHA256
aabf21fdbff436573bee554fb1ea6223696957f78873ba05085d34bb962fac2b

SHA512
6c743e4ca1f72b9ec363bda586ee606c436f3b5cde0e43f7be8448b9f64dbe10d221c0deefa6d805d89b94a251fc0b1395f89a2521159ae0a24f2391546a9468

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEIm.exe

Filesize
201KB

MD5
2a6966743257b578f713f29c409f9fa5

SHA1
e7e7b06d97c1ac262bb36dddf86248daecfcc3e7

SHA256
c14953f873fc4d5d806969845144c0fcc199ea5e390418dbb5da1c0cdfe34123

SHA512
5868a05d24b5b7060d4584f51176c2b9e7c330b255de001d8590fa3ec6bfe1931bcfcb07af8aedbcc5069f6ade4c64c5d640c292a8925e83b1e0b62cc9646b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMwC.exe

Filesize
185KB

MD5
d852d2c6f71b06d3cddf04e2aa4475d1

SHA1
2c1be4804d273ee0c050c502f467230e959d7386

SHA256
8b1e805d874ed2b9495449bab36e33289849b3419ff344ff88f7a822d2f4ab79

SHA512
7434eab216ca2653ca1d0f315ad41d97c262b0855cb574671a639f1a888871971c2d3874a658ee5b33e944239fcaae476fb79c5770c527563ed57aa7f077d8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Goko.exe

Filesize
773KB

MD5
c7ad30303bc4d14241dc71cac66dd079

SHA1
dd5abe0523a23000a1efdb6fe6920868c55feef7

SHA256
036fa1d03c074e6cec062fce1a3d4e700930917cd5e75018f5d56ee07125d8b2

SHA512
851a51786a0e0e52bb1317477058804dae159e5879f6a0ff3f3d6dabbeeddd0fb702e27cd95e2eafcd5a49b9f8c972da883ebf0b6e890dc825d45bc6374703d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwck.exe

Filesize
202KB

MD5
626aa9a146b7c51f666a75ff36c59349

SHA1
efef5fd984bf7ecb9a40fbdd01d24f0e17af3c8a

SHA256
9d2024bfc4713e37a562680481ac8b4640a82e92915dfda08796e7873e30faea

SHA512
00f3cd10739163624940de249b7efcda125e5bee42c22d0d3ea198906c599b904224877668b008cb9aa3874356fab02501ea28d72ab41f0a85f1efa027cb8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYEy.exe

Filesize
1.4MB

MD5
103afe727c1003033d8be876f7f39508

SHA1
919dea765c8e870a7faff2e5c9cb7cde76ddb878

SHA256
f61bc35998245b05b68896a49b331e9250b3853cad5f319773da79a1da6929d6

SHA512
4b3082e87ead13cac8bdd1b38e8b8eed33f73fb580698708a3218b61a923ef9e746aa21f91bf06a26005221a56b857828a540addc4db268c9f8e47f43b3b9033

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwcS.exe

Filesize
197KB

MD5
024f156d99f8403b8f33418ae10b7638

SHA1
ccad435e453a29604312c67c351e1e22316a4a97

SHA256
45ee570df68157c8e4a579a44c71774be329554fd376c868d7d98d23aa04f6b0

SHA512
f729e12be91f0481eac83e16e78aa4fe47367fb4e1f72f4a04b7fa68f40b81c64a20f227878dbe78c12e0ead4a88fd070c7e3bf1d973f1af9155b5efe8089698

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEci.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAUU.exe

Filesize
329KB

MD5
c941274cf2c3bfcd2ef8289255bd4980

SHA1
68a07d812f884940897a8ad4ac9f9d6982b55e66

SHA256
8461c5c3f2c1b9913ed35a291baf745ddfa077c3df904d169840256f42e4a8de

SHA512
2e4fdc15c4dd3bbc74790969f4e1ee38366a013a30f1ed838e51b9816c24dd7a5ae53c2a19b77886de1332b7ae3f12512677bb5cca29b567ac886117281f9b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYIM.exe

Filesize
199KB

MD5
948bb18612a8a664d767c5b94166911a

SHA1
20b20ea41e5ce76dd4cb8260a3d93ca10b823edb

SHA256
69daba4a39783e58f0884775c8d6e73f5435c17a2827747b1f9e374ccc3925b3

SHA512
dec84f115f6dec954f5ddabe0da47f021418f076c8f43c5b408c31a783f9bd80deece2b14b2d9787a7b2aa567f2688939ee7511a45385521676b8bf58d53ca43

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwMe.exe

Filesize
202KB

MD5
4c3cd3a7b53591973806ae6b12978afc

SHA1
133ee4302e90e8f3bfbef557011b7b87a5026b03

SHA256
a4d182b346e1584a0f69a467724241fda47bd67e400e1ace87eb6e5688cd9e9a

SHA512
2837457c3b17aa9222ac54ab530017644aeb214b10ab3b82dc667f28a5c79537526bc9849f63a9fd69d2ef541433ac37379773c63670c3134763e3c625e305c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcws.exe

Filesize
214KB

MD5
a7c728b03a705210fb59e2d7b98af698

SHA1
41dce1331577ec3af662261b8724f5a298398ed4

SHA256
af135bdf93f22e41db1551e0d15f00de14de9c0761a8f4efcf88f52b21f31c48

SHA512
ef3dd64d69ed1ae80bebeff48fefc8f4366e7e52df12e000bed8e20410b14357ea5a9ce2c0f7c0fbeab549bd2580c1759a7b49631ca319ef4954df20fae7292a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEAI.exe

Filesize
801KB

MD5
e6d275394499c2562045b3220e3110ca

SHA1
dee7922d9b1ada1abda5010ae2872d81d08f2568

SHA256
36d7200e0aa50a0457f32b2c7879a7f560693b4bcb78be5d029f4f87459ae240

SHA512
b24da85ce9f0925540fc6d9ecea069a59b3eabaa07ec7dab702598200843ddbe2c2538c92aaa11ee62bdfc02d2b9574d9ed8d1d4b5d3d4e3a5547e13d2e9ea98

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQwy.exe

Filesize
206KB

MD5
5052418f3ce46e5586f2d05893f02851

SHA1
717683261257d919dd569641f46622b01736e5d5

SHA256
40d2dc3b0ffa47ddeb591fb150a26657b3022903a620898317f265b0b834e8db

SHA512
0747697b63cac3c0f4ed21b5aa835f6d7dea3c2c8ed15f5f9214ba40f70305aca85a655343a4d7b776839c6353a9cf1b3462094ef372cc5f3aee9c4998748755

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMcu.exe

Filesize
556KB

MD5
0bd3b8728771db0a8f87b8fcc37fcac6

SHA1
f191d63ace0f2420b5fc7bddca7dbdb1cef94e87

SHA256
f907cee45aba494af8aa8375bd3f1033f4dac22b8acae5df0b39e7ca5933a5b2

SHA512
64a3d168d9113c5e228ffa0f3bbe9ceb210795f0637a69b1982c0ac212976eb98d92aa27ea10ebc5a6f263d545407b6e80400ef70989f28cad2f8cf6f4515b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwwI.exe

Filesize
192KB

MD5
8fe89a348ec39d86aadf2e6e50c6143b

SHA1
95e364d8cf36a295da3aa02913f4dc4be2ac8b1f

SHA256
04425b85d931a1f349cc1fb162f89e75e1b34943f66fa18ef969380e127c0f89

SHA512
be32b9c544ee4c3fcaaff247b9587254cf9333a132f7eed968b330ba6c3aab206a0e89cd40cc97c2000077b2e49214e9cd0b45f4afeccb4abfd6e705f2b35764

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYki.exe

Filesize
197KB

MD5
a323b5d596ce7ba6621c2bd38a99fe85

SHA1
52b91514cdcefee0c9cfabf6318cee3cf8659d65

SHA256
155ccd7bbc7032f5a9ddafa9ed14fce20e90e3722d6a9515b206e34b3f8af73f

SHA512
498de9b1ba6434179e2fa64e6227434616d7549b3d072e9b86ba05d3a936c9527cf24ae62856a28e2c1d8d6c1a02b5451bc5e6f0fb8bc67740eaced46e824177

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoEE.exe

Filesize
233KB

MD5
5845605450f3d5a2b6effb0b2b07eb9d

SHA1
24b3bfb168900e7f2711633d2f288725b7a0fba7

SHA256
6cc6e11681a838c7795abc889ecdca93a0bfb96734a4b674c3c4551b07a0efe8

SHA512
e38860188b3852e35be4402b2ee5661f6f71539523c1336ed9bb98ca6f105af6892aed1648dbcb89122c2fdade502a5a7547be89a021dd3869a24dc1e7db6aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIc.exe

Filesize
183KB

MD5
e2dcd078ac8b34c5f496b1858e3ac115

SHA1
3b831f37f6c9aadb07eda484952b60f0ba3dafa2

SHA256
f282e7d1515a515bd63a24b2376131ee5543d5a63a5cdc97b24f0dc70bdac80f

SHA512
f54f515d0b5d7812a7dd855ff60ddad8dae7f617303ca06e5096e7e304e01afe5483840ea4e7cc910768131144edf39a234cebd68dd7f83e029da105575e8ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQAW.exe

Filesize
208KB

MD5
05022725a369cc4ce8e315a7e9556719

SHA1
dabe1bbdfd39c3363bf49dfb01cdba28cb8f38fc

SHA256
0de7f81c4e680fe365f3c7b64a079d0841ef6628cf2862fbf6a5bd7e3b61ebb3

SHA512
43a8b09d50040ee08374eab52d33941d7541f04b027435d6fbeab88c210c1dfd911f729f733ab2f03050925e831182a3d32d204ebe0e76a23e8c1fb9a26e3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgu.exe

Filesize
198KB

MD5
b6dc75741958c0c39d4696d54a173173

SHA1
37e600859ada059c121cb6dcd2e37970bc3adfad

SHA256
92eba09ce3d091985e2c9c7589a6b3a5dcfff2108378ce313ec40efea419b3fc

SHA512
7906117fd7130473015fc6cdd2454f518e6189188ee1ade885f947040104c3920b8e04a3f3e195259645d470b6a8837bda09fd9658a6b1f7c5aed7a76f8f0a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMoE.exe

Filesize
629KB

MD5
24cee79785a7c9f2a544d6a421d08784

SHA1
69db74368944afa0483c3b302782fec13df631cb

SHA256
350f51ad980e16813d1c77068643d22f04a9c33576e9c6ab7a887cecca689c2e

SHA512
98fee34dd209cc45539026c54a0d0e2ca1a1a3d6fc5d34cc02e440d06f9154709f4cdcc728bbf340ad56fce9bf564c160c4e2bed25acb322bfa4fdad58221a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQAosIUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vgwu.exe

Filesize
192KB

MD5
22b1f34fc9b17374794b954ec09198cf

SHA1
aac2a5a67b3a745f61648d145974b8f66b58e65b

SHA256
35547bc3777af0f554a3f1e884cee1cd580c9fb2283925ed9b3e2718ad833f55

SHA512
9d2a7e1605cf5477bcf491d85536c43d99fac8d3ab8b8e59ec2212ebf48bb6848db37e379ff163080eeec3a4b91b7da9f14341b64007323bac43cf7a92c7aa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoIk.exe

Filesize
234KB

MD5
bc1fc6de02f2b6349a05fe3abec892ea

SHA1
62c91e9cc784eab96bf25cc3f6240fe0c7dc24a5

SHA256
ad926f645786d315cad10c717acd8a93ff1e337fc32ea3fd41f0a270e294541e

SHA512
dceaefdb11189d8fccf5aae211231c87ac65603399750a1ccf190f3b2465faffb13bf04be1c9af4f9e2a91a781f45523848914ef96d51a223f78754303edef8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYi.exe

Filesize
200KB

MD5
14c0368dc2f445f3465c61c1049b6f23

SHA1
38b52dbcda6683ba2a7bac021fd6d1be412cefdf

SHA256
6b5c770bddbb2a26a51f1cc97140439c7d7181d91349ed92743ac64c81ce4680

SHA512
21b5329e7f0ab5a5c0b6ffdf227a756c6c6b0dca02a558509b989eca17a3aaa9cfd3448a53d609024d3ac9e02c661bb0fdcc1ac5e2b5a6c1ffaa8bfef0063483

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkcO.exe

Filesize
182KB

MD5
a21a1418e6bf454a0597a2625b0360f9

SHA1
5ff7ac60c94a4bf86707f5ec9ef75d4e1c908c8c

SHA256
e9f00480f97dff1a0641e2350d4ff5428a76987395d07b0bf2ba59d94f24064d

SHA512
eb95109962da2c685ed599a88e983749979acefdb394ba7111f6b8705e8dfa9affa629d4549c0e8a70267178b9a7dcbb8015acb72dfa39acc9867e9cac740410

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEEW.exe

Filesize
206KB

MD5
8aba9631db9bf0fa530175fb10f61b16

SHA1
d123301dd176090cccda9485c949414a6bdc598b

SHA256
cbe5d06edcf3e343c6ed3c3137211ecc8417af4defb645372c55d643149f3b3c

SHA512
22cb4f46e379f73bf436451692fae1e3ce8f3ae73125d5c8d8006cd2efb98346a211015dbcf7e663530a8f7a2f895e705926164b9c36d45a61960265c25a035a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwcY.exe

Filesize
652KB

MD5
2695cc8a40abcd8b2fa17c3dfc52670d

SHA1
d1d509d4c6d9e63541bb4bedea326d4bd1d556eb

SHA256
d2fe6def2c1c2384897edcae28c35c8a6bae443a387deaa66f94632d7824a4e3

SHA512
57fe4fa61aefd76f1a7fe714cbbb05205021719c3c7ee931e1139d61fe43fc242b242b9605dd8b8c0932a4532d1c5031c804b038a189bdea3ea7d2e0ded71ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQg.exe

Filesize
922KB

MD5
9437bb8f3ec9a98080831f2eb95647b7

SHA1
4848306e7a77dfbc1222037c693bacdabfdcef31

SHA256
1a754d6e9012c805b4bbf214494228778a8895ff0022f2a752be0c8e77fb8f99

SHA512
171aec75d6953e14d43f71a1691c99b13c3f116246258bf60409eaac77699f1340c9dd55c59567503437a99b5b1b273f204163b9fd2e9aa588e3eb1d7462830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYEe.exe

Filesize
191KB

MD5
bdafe440364f63c299411e7228e9ee42

SHA1
ee57e5b11a13284f16c69dce094bb4b243b09444

SHA256
f1a2bcc2cef6e605b57cf1e72cfcb09d10144600822f81277aeecda3d2cd0dad

SHA512
6940bf22f50333ede42780ccd8de3714de5c5fab3df864a74d7aec0d0e67bb711fff27bfb3e2c72e0509f91a0ef0949c74c0407d01eb32e9b208d28173178ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEkC.exe

Filesize
767KB

MD5
c5f38e2e95f776c5f045d4bc16d4c808

SHA1
b6fa8b8939b79f2667de0042384a1fcfea97c7b6

SHA256
f4f851780125585f2ab05eef8bddb555ff6ae86fa7f3e70e3939296e145decd6

SHA512
980b0ed9d832307b10a59a2dd3ac29f7262fb35e04936dbf5612b4852dc6c24be5b549a2d2e9c886952eebb5fbc42daccd8a83759bf87908f8713b37b429724e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwkU.exe

Filesize
991KB

MD5
86d0af78bb922f779d45b91f8c3173b2

SHA1
7659dd0b2c8027605fa4175815b8965eab0d9f7b

SHA256
7293782100bced45aef1413058ae38951261b17e3fa94dc8b382208bdbb3dd08

SHA512
b835c9b02e9917d0caa89982da3fb8a02141c8fa1f5f505865d6a74f9b9a88947d6cc21f11bae9a26a282b035c4db8982edb558e7ca12d13b96328a2f057d4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAcu.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMoU.exe

Filesize
546KB

MD5
9c67a4bd53e9e34e97368342b552a742

SHA1
bd6ca071e3226fd7741bb1ce5962d3babcafad00

SHA256
2d7722e3d1fed21aaf6979225244118e9a27a239102aec5622f36908726996d6

SHA512
33992a74ea17c65d2e7cae98034c163846cc9e2c720fad27df8d92c41c8f6e2eb44f9d632e1cface88f49bb51c5f529136169c165557eefe90bcd712761a226b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIcE.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAcC.exe

Filesize
183KB

MD5
8ab2067b1df0e01c8ee3f2c4880a67d5

SHA1
b23907e1841888eb6cfd9131615b4d415c379fcc

SHA256
e10d523f25d4e85b7810d1d59cba19fba18dfb809538fd3b87bd5bfc842f58c6

SHA512
7d8da6d52a8dca51412f54de5a4f079ece78fd174cf490747f98bd7c9067df5717d86fb4541a23c1e3d170338864cdb0749a188c6d4ebb2e9b6290a67b39b75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoK.exe

Filesize
197KB

MD5
6e2b6353044749f402349bd2301c6bd5

SHA1
a54a71a7e887d1c47ababa5f59d06effaa13e272

SHA256
51e28fa1801143ee08994ba14dbd88596043df13c256b476f4e47c7fe468101c

SHA512
a4c77acf44e906761afadb0f3bbb7889f9ef2ce558ffbf4eace99d0d30f6a895ece71f04afe426aa190ec7316fb8f6a160d976287feab1c971cdd87372e29711

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAIe.exe

Filesize
208KB

MD5
ce4c6b418c83a1d5e41dbc50da93ce77

SHA1
f3e199bef83f737fdfb06748d5151019705fd38b

SHA256
55bdaac31de1e9c7c7e2deb7b5d7361e4fa48b2839654dbf679712a0dc63cc5b

SHA512
48da2bb0b2e596b55822e736319be6962e0505d00fae678958b6fb168ae745aecc11eee20d3ff21dbd38af1d128a2b760734a9fa9d5af04cd11770dd357e9265

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEww.exe

Filesize
205KB

MD5
2dc6af1516b824c5ce9b2350b1b38d75

SHA1
1cf642307ddc5b5f5920b72425e464a88c7be08d

SHA256
2daae0b868e7bbb09374eb7d73ba5ac32c438498ad47ea8075bef172284917f2

SHA512
891203e302545904aa2d674cf96b845eaeb5342f065f571f1d14c9ec1124e4cb993c762ee1978b1290065f89989d6806c494b491cd61edafbe2b62d3ab53ae96

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUG.exe

Filesize
5.2MB

MD5
f429782f01476b1f5f5fa352afda1ede

SHA1
b007da19eb62cc46688e747d18adf1c3d4070f39

SHA256
0ca745065fbb0b3a3688e6d98902aede5f74a95073d907d90454aa9ad8623f8a

SHA512
8c97ff8012a28279b8b31ec667913c9b8b8d349d24e0ee2bb4065fdbe9cc1fd224171b0fe5bd8221b7e9dc7a0abc26836af0d149dd3ce2d72cda6376616c00f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUMy.exe

Filesize
837KB

MD5
915eff1398aa823c191800df0d4a8ed0

SHA1
724330e2f6c8ecc8ba412ef0209f5ee8386250bd

SHA256
1e0bfc2ff63ae1589734852b9fd3d2c3e33e7fc5ea66c07df21f50f3386acacd

SHA512
f8a9bd16e83f306e910d9f18312a9a89980495b1a974826c45f8edd48d5f961ce02e095c39e853ef3b82ea33c081b9898b4d675edfd69897c8cd10806b583742

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUkC.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\loMu.exe

Filesize
204KB

MD5
48ca738cca4ed24fafa1099d20d0e0bd

SHA1
5e86d80285375e369843a9a108e7f1628dd3319b

SHA256
a95cd32c15763cce8685f317c08b6039bc32712585b9a50201c9ef5c06ef231f

SHA512
2a66fe19d320c00a834821297122f1358871f4ca8dbdfc223c553ed1613a44385bcfa4311c3491e1b16ced676bcf23f6af472a62d28db32fd82d3feb5954abdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsG.exe

Filesize
184KB

MD5
e3a88ec64b2445e97116e61d438b97e1

SHA1
b142faa337744537843e7d630b1af2eb682db89b

SHA256
1a6a83c127436897da7bcbbc576de20414dad6a0934ae7246f24525e2ebf62bd

SHA512
67086c2883af4d77de56cdaca2641416b9b7794085a64ce73ccf10f331b32ccf14d383cbac137208e8e7ae2931c106380b67b27bd2f926b749876862ea9d7972

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncQi.exe

Filesize
209KB

MD5
66b335c4bb1f903b085aad5734f8e4f9

SHA1
0551aa0f9be07bbdd4389c25dc7dddf6b44c0cc3

SHA256
895174b2d06fc1b8e5943cb82a14b92ef55c82acf1c4d0e60a4d8a82ef8ce87f

SHA512
02bc927a47a478a07cdbc6fd19f4539d3411def5b67585508a66503fc1ee234fc814de9de3a41d56c7c6950d307e6a335ee4310374ff31c935e1b96070cedb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAwS.exe

Filesize
207KB

MD5
3cfe98fbbe79bf64fd99e6958c9dd98b

SHA1
f99bda75500a0f062fbedc05f497e6ffb7a1b988

SHA256
974ec497fa2ba59dff27d18951da3baec7345f586178de775c4de67d9f0b9b6b

SHA512
f34ff1214ddb24d5507dc66db78cd37d11fa72afba3e71cf9e95ff128e218681223a7f0492675df85adbbd86e12cdd74164a64391008528178a7d5b93a982bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYkA.exe

Filesize
192KB

MD5
1ecd100b74d4c4f508e7520dcb1e8042

SHA1
b3331ee1684d489721be7f430a374b92a29f7268

SHA256
e357e735e1c196a539b0284ad7dbee66ce81598699f91f4604b85f2b5731db80

SHA512
346518da1be2a54434e73d1249b3dd74f6a170427eed291aae19dfef14b8b909d32eb0166366c1ff8e05ef15c189b64cdb6227d205d4e2420b1ab71025c48d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\psMk.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAy.exe

Filesize
203KB

MD5
e0b64318086cfa625a4379031fc67fec

SHA1
bd02b0c4c5e2dea9f7cc6b780035e09c8e732371

SHA256
4892a8cef832910860fa55827b843b4bae5f8f6706c13358be325535c6cc8719

SHA512
13aaf399873e4f399a823c3c02ce9c836c565a690922659aabbdb254a96c76e5ed5f07eac3c85afe6029be001316d2b55f3906676033c0c4241488420992ecb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qksq.exe

Filesize
585KB

MD5
3a6469d322faf37ed1c16fafee5cd344

SHA1
ac6f8be12aa721aba557022dde22fd934de3e37c

SHA256
70bc1d3f94c232ab98e51dc5e1f992aedddd448b26dbbeb6d6fbe3f8af438834

SHA512
3dbd73c99c2e24d8f12542fb9fa4ad0e906df617e16b1e5b9bae7c6a2c9c2152d0235292348f6428be4eabdbfb86ab657e830cb59f5ae6f8b315eb3fe41ddab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\roEK.exe

Filesize
635KB

MD5
ae3b68d569142ebbf56611b57f657376

SHA1
957a279b00e8c984f8a77467350151f618b3075b

SHA256
7825ca91e7eb5768ba69b1878d1b7e446f366ce8519f191ed0e0e2a94b1edce7

SHA512
a2a37c11d565a1cea4af5b9d646ab88a213579fbc0c8b69925862a19888f1ae559c571e7e9c56c51ec5c16466c2cc0824eedcb0bbd1061c8daeb9df4bfeb2bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIC.exe

Filesize
432KB

MD5
4f1d17708a450306455d08b58ab37dd6

SHA1
ed1d23c518f2177138d71ca5ce037b6a4c4a955d

SHA256
4019609fe22b90eae1e2f849afe3fcb613f0b344eada5fda970fe9ab469016cd

SHA512
12dc08693a2c6799ca58100f1051bdf8aab79199ab3165662e131817dc4da955e3a21370ebe8584a42f9a0ef0cce05d825308e845c3e4b6d310f1309180dca70

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYYq.exe

Filesize
205KB

MD5
bb29900bdb6450ff4e13a3aff3220beb

SHA1
d05f7101aa90210ad0d97f3595b7393c9b939b21

SHA256
dab675dc3a4d0c870b6bb10951419afda10f22c946b51e6afb3c73abd98e9591

SHA512
e7bd560c2c867b89ef0da97d57d4ac2392ce316fd8b029599eb1ea85871151696c042c1f86841e995c049e8ced01412b99bd5019c8f60646250f494251d6abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQAy.exe

Filesize
577KB

MD5
948c29a9afa552823461de00a141d6eb

SHA1
9da787d7d4b74ea1ae6c44bd90d05d0e5a4b1236

SHA256
4dc4ff56b3dea7c8b5a54193a72d8444a808d634c88a3e4b84299516b1c07789

SHA512
5e9067c283cf0703bae28f9890ced184b8302854fd8b3f33410a6b2a45675fe0824d5b4c2caf7dd4ddbef1b76d75a9ab0db879607c1baef5678b6f0e96fe1586

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMYo.exe

Filesize
208KB

MD5
1eb1cf00ae2ef0d4f1067bd1a4aad90f

SHA1
4020085357f87ae36c8f12c6647775f65b3200e5

SHA256
c911248287a22d6571edc5890d3d6cca728696fe5e0be8781040f7d11d1741f5

SHA512
5452750ec5972ecd07de3cbf927fd1bdf585d50f81fe3e35bf23db323402c661b2f976196a99575ab5fb7a1f338f3d67881ccd102558f635fd24b8ea21e90a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMok.exe

Filesize
203KB

MD5
6f40249bc1f491df95832c8e704340e3

SHA1
2216c1bad33e786cea246aa53420bd3db7c5497a

SHA256
ca4bcddbf11de1ea902da8db59b8ca228a67f4e5a672e129e84533dc623bc03a

SHA512
0212759d0f2fcf9cbd96a2f1f03f5b8e2dcf2212069ea419811802ceb2e9b52c89e1d61a35c755f95b045cd97d67acd1a3d77df71586122b0186091967fef31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAUQ.exe

Filesize
208KB

MD5
4bd64bf3cf23e712673e46c1bf9a8799

SHA1
e8b8c99c040b01791cd568677c68adc0833686b2

SHA256
c46eba5a2b5424bfb6f8a2e18780576a64c5722e633b8ee82905ec35bf4099b2

SHA512
2088772234924cdbf6e80a7904c2511496ef39054913fe13bc65c176f6d5020723942fcd0896954f30cc953c537a55c42aeb362b11ec453ad3cb41255bd391f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMwG.exe

Filesize
184KB

MD5
a69d68d36dc415fdbda3044e0fd7a5c6

SHA1
b8db9ca341f4b77185b940faf92ee13ed2014d57

SHA256
b958365f41d08cc7051a47cd4b1972a1d43efa05edbfc6d971da9ea26509c8d4

SHA512
6322a6d581ac2802f18e1a878c52661ba9c3272dadeebe0048282c35a2bddd72917d562c309a2c5a345564dc6add81615870687e1487ac7a51bf1b8970490a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgoW.exe

Filesize
226KB

MD5
283969332cd1eaf0fe9d7f2bf0462a78

SHA1
f0c11ff354c92abee40c72d4a05cbf1468906bdc

SHA256
21dcf0c3a8df1e1ab7e12555e5d90571a6d0fb0c3242f18edca24b73ad216e6c

SHA512
e363e2e93fddf4e1bba2a522188157bc28969d244eeb6412adfbee5473001aa9df23a77458d26b48dfd1f4f00b3ef54903d145c956a10eca6af15aaae3f4ab7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYIO.exe

Filesize
806KB

MD5
1e48bca6478bf4e5143f17191d5c4844

SHA1
c1a1bf4c4e14e4608815ac6199896924e9fcd3c3

SHA256
52b7d089682b982d95fa8c09725f7a63a5d507f1cbff9bf6e465502c64339141

SHA512
fe26ae4c217955fb8dfd04ccf99428fbe3200e67cfe81aa09b78f75c3d36786a161243f4dc71ae9b2682efa5228f6cb55ddd0232edd6b45e57fde17526ab5357

Download Submit
C:\Users\Admin\AppData\Local\Temp\xccM.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEsc.exe

Filesize
201KB

MD5
e99e9a1c31f1075aaf2991dfbc6cab55

SHA1
c9e6dd88cec4a25255721dc03b50b9c510648924

SHA256
c99fa0d08b59724d829645d5579cc10f192e589d9c72f4e21ee2fc13eb0e9b90

SHA512
7b8087c07d25706304429f47bbbe7a3aaaadda197b63146c55e8cd84d6a8d189ea7fa9a512ca99f046bdd26211f1beb841f6aca89640eb2326f3ca8fe5f6e87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUwO.exe

Filesize
187KB

MD5
807dd77c6f1648a85b0e178fb389eca3

SHA1
d9eb9693e3a349fee2a65feb272a873d489fdcc9

SHA256
65ee3c6a8c757770b5fdea9f68dc9dec15b99d5777ccc6e5cf8fd093176c67e2

SHA512
b6dc990f5bc5de693530192d63ff0c171b5f71acdf2d6c67748203a4173fa19d391a6791a9dcafd784ab1223256474a25dad6d7375cdd12c96ed95e1fbb9f29f

Download Submit
C:\Users\Admin\AppData\Roaming\CompleteSearch.png.exe

Filesize
577KB

MD5
f014fd0004d49e15b36000caacb036dc

SHA1
03917a35ac6170a8140610116f8b8005f13b0fa5

SHA256
0699813ec147b55a537cd3eab9228d6eda853d33274599d61606e30108969432

SHA512
89b851c5986ebbd19ee94e663c4fa549da4f019276241ec29a929d96a585c49bb90084471e59eb418be299f12714a61371f62fd974d6f76ee40fcefa313699bd

Download Submit
C:\Users\Admin\AppData\Roaming\DismountRequest.jpg.exe

Filesize
686KB

MD5
4469fdc0cb4aca5222c24694101eee5b

SHA1
567663769dd8fbef195379a7deb2c9c9a1b3dac1

SHA256
663b3932d0a7ed318b3b3e05b6d668e28e6c3c3c2bf5da4d22b623bbfbcf37e5

SHA512
71feb13f593682e53344ddd5db8ebab8cf66f31282e790e147a63a156fa8c7804b054a494df472d9035a1612ae9f6047d0575ac8c92876803ef6d6d8f28ad89c

Download Submit
C:\Users\Admin\AppData\Roaming\ExpandCompress.zip.exe

Filesize
724KB

MD5
958314d961be4e5c9ba8034884bc22ff

SHA1
6ea709c716cf1e5c7ae9850ba66f4d174c08762a

SHA256
ef0b53fa01ad9f176dbd6c768748c04a00591ea2e999822729803c7e594af521

SHA512
67522cabf0924fe62e618fcd706229268ec2e78455371e6b24e27978836323a1bf32336ea032f5557b3b6e0518b48215b16f3a4a298052ad753ec385205b3c35

Download Submit
C:\Users\Admin\AppData\Roaming\SendGroup.jpg.exe

Filesize
858KB

MD5
507bd9df627f09f101a9946b4274b51d

SHA1
de30d5e2d535d93f19c6424d9b90ec98261d9bd7

SHA256
aea9a9767b07f33c25ec9ad969deb132180aba2b31d13cc027bbbf60fba3afa9

SHA512
4db3f575bbf6ae96e4e8e1c7add2018ea0ed50aa9640befee4a3f4971e1957101833ca898d88522d2bb5efd70ee31d4464d3b8b9007e0f2ba67c63093242fe92

Download Submit
C:\Users\Admin\Downloads\MountRestart.png.exe

Filesize
739KB

MD5
1c0555485dbfa96e617c950bd37ab21e

SHA1
d284e62d939010cde76c0409a7ed37426be3dfa5

SHA256
8bc140836ecc464c8f1269ad2360a6c7da438a5ef3884bd40a7b506ff8d621fd

SHA512
e51192f029541a3055b0cc0fb053df3e2019e76dfc0dd1b6af352f80278099d671b6e3eb4137cc3192304d610931c5d473215780d5ae7e87151652a0410ef657

Download Submit
C:\Users\Admin\Downloads\RedoRead.gif.exe

Filesize
520KB

MD5
6cc2c56c8b422f17f4e5e9a22bdf952a

SHA1
217aee1bd9dddab1723553d5734fa0bdc1f2834b

SHA256
94c3426aee4cbaf5f5c70ccef65f7b18a0f279433bee13330c6e73bd7a61faa2

SHA512
23537bf2c61cad6791ee21eef09a716fccdd2dfc9aff379612c9777fbed44789769333adda41ec32ef14d9ddb93b8c14443740aa580b62b27b9d532f734ffea0

Download Submit
C:\Users\Admin\Downloads\RemoveUninstall.jpg.exe

Filesize
602KB

MD5
34d95323aa1d29069693f73d58964963

SHA1
5c5ca8a2832247c670cdc32e062ea56dcbdbd11a

SHA256
53d2ff48c85b8a00ac70948b43af09e0835fae42f975176b2d313541908aa092

SHA512
57fdbed2aa1e5e62e5324f30df46421d694a56b99de2e35becee005b96f1d83aa89e1b9342bed6dbe09f2b5d04f06feb212aa848714cabadbcca2c7425fdec65

Download Submit
C:\Users\Admin\Music\DebugRename.zip.exe

Filesize
483KB

MD5
ec41558bd0c95de00c3d23fc4b1b0ca6

SHA1
14409b6e72c0dbecf46c3a9c6303c0081b49c7da

SHA256
104b43a4e3714462d8bdae1979518e5969acdbc918b64dd851a6cc4004655535

SHA512
1d57aa42242b05b7ed20fd7fe3e81afb0d32ffaab100e038ce4c149f8d73bcb72fdde990bcf43917fa81a6d4ce3aeaa1ea84ebc1a2d7b0bb05e82a3a8849f90b

Download Submit
C:\Users\Admin\Music\MeasureProtect.png.exe

Filesize
483KB

MD5
dd68429abea802298aa367f1a47b7b6e

SHA1
77ef9dd2501f6a0dd2465e66eab32cc30041d92a

SHA256
95cb512fa386e92db9231a7a7e03f66c399a3e3d576c54daadbfa588b815effd

SHA512
5338a67432c76cd5c70ff2762fe62fc1834f3c146bbc7b62483aef2ec5658e8d125d6d6083fa42677f8c7240b02f4e8fdbe49e75fbed56409cf8163fe2a639e7

Download Submit
C:\Users\Admin\Music\PushRedo.zip.exe

Filesize
325KB

MD5
f120d09a63c535116dd0e44537066589

SHA1
0cf0f130cab9d0efe9bde82e76d913ba4551a1ee

SHA256
b38c77414a5510b9a20fb211ac21a186fe10e8adc44d794d6778cf6117c9aec4

SHA512
518f282a173ce6f910748f269930127c0b5c8e1afebefbdd91265619bc75bc24171bec7c4952955c4ef1e749c92f5dbac5907a938acea7a7f492f492e2ec1df4

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
207KB

MD5
fcf2f000eca9cf83ccbadb38f3e7f7d5

SHA1
39cc0b7ead0293705c952cc8ff466f2524ff4ae5

SHA256
d2e9b60dfc3d074335ef3bb959621c76620f41cc79b897c91cab4e6cf737a909

SHA512
34536f04d60d5b6af08c4cd3cc7a82e499a89fa38d220bfdb6f9ea4f242d7eb47e0c9799d561d064fb762b03009c8aff31e380c0851d5cab074524ba1c20e112

Download Submit
C:\Users\Admin\Pictures\RenameRequest.bmp.exe

Filesize
999KB

MD5
c60b0a70995e8d7f6d77b16203a8d11c

SHA1
fbe770115a85bdf591002c31a8a73a50ecc6d574

SHA256
454c3b1998c539085064461939f51ae39eb3cc5c18a809900ac8cd69539a76a5

SHA512
23cdccdcd62d12a00435d5549b60bc47576b54f4495a6364e1e7dd5cb87c5ee292468d8c2cd39d83ce9965e591da2b3abee0cea4ce4af8ac0ea7c360f6e44ae0

Download Submit
C:\Users\Admin\Pictures\SuspendRead.bmp.exe

Filesize
633KB

MD5
f8d738d80ff0283b0dc86599f70719c7

SHA1
e78f730d5f9efbe4d99448e3eab5bb1ffbc46f4e

SHA256
4e39984e0881ca6d93c59494b50c67b3d60fc0a7281b3bd24c3bf661b3686cc3

SHA512
d3769f5239f66baada42bf422e7a69e6cb9b628d5fd598fc44d3db82df9187530a636a0ee90119f8548b1e8ad7947ce90d28cb9946a3fce01bf4aaa5917ba49e

Download Submit
C:\Users\Admin\xQoMIwsY\cYYMwMMA.exe

Filesize
182KB

MD5
dfb436127c8eec22a0ad65c90faa205b

SHA1
818ace7c5f1feecbceda6905a10f56a825b36e08

SHA256
48ac4450518410c7880cc11fa7d449736df9f8e3b28c445a77ea09b740b6c898

SHA512
335f3956e8a93269e544479f8574fb4beb0236af846d136342dfec2e1386a5c00bd9e76ac725c0f7233ffefb00b3a63c4fa980951e6144f01eed708cea1c2db6

Download Submit
C:\Users\Admin\xQoMIwsY\cYYMwMMA.inf

Filesize
4B

MD5
8612762dcb58b90edc42c85eda3b6b87

SHA1
bb1a150376d0d2b253885276207c73b051d78776

SHA256
659d7aec1d2de77d944531dbfa224b0c4582cfa2076c443da18abe7215aee81f

SHA512
b5016d6eab5886baddfd42d3e290d5c3015678a6e3ddbd9c5a8cc656a03516ae0d290e79a0947f1c97f79bf987e646001c9ee8999db724264e5795f29a243415

Download Submit
C:\Users\Admin\xQoMIwsY\cYYMwMMA.inf

Filesize
4B

MD5
fdaf22b2d5c0b1f1da8b6ca835c2e3fe

SHA1
a8b2b60fe9db5071834d1879d820ada0e5e71936

SHA256
1c463de1c628b44a7495f498f91bafcd6063c3b3a76150fd56a0239c86bfe8fa

SHA512
0ae11b5220a58e7e3463fdb9210c0d5adef2341768dd5c4eabfd73b906e3878c2b9c9feaa3ca57e4a6d76c97e5d883b3be6f4beb53d5ff6d5155c96fef5621f9

Download Submit
C:\Users\Admin\xQoMIwsY\cYYMwMMA.inf

Filesize
4B

MD5
f61545a929b92c79fa8bf31d5c4a19cc

SHA1
f2bcccb0103ca563ebd1811bfc2b25201acde1b3

SHA256
941e48b50dbab72b85c935ef93ae55cbbe1d2de48635d349d58801e4749c82e9

SHA512
9a9708ca4063e5ffe4404bdbf1e19eb2ecc0cb7f910102c3f188b54e12ebe304fde61541aa5e92db5667f35ad8317cd810d9b7d6ccf63952ad4bbebc06d0c863

Download Submit
C:\Users\Admin\xQoMIwsY\cYYMwMMA.inf

Filesize
4B

MD5
605152ed893f1194938b9e1d7b825468

SHA1
c7ad3b6aaea3d4de42bd8e4bcc4d69afdfacbbbb

SHA256
1abc43167debd1b7cc652b858de1047a38ff7b2a0d62096eeda71d4feabb3fc7

SHA512
b5fad2fb314fea6e6d30db046620411b0948c9ca23385953a94be421fb02dccf7ee1986bbb690fc7b0d80b58a6f7f66261f8141d0fcf22e29907c364955014bf

Download Submit
C:\Users\Admin\xQoMIwsY\cYYMwMMA.inf

Filesize
4B

MD5
6570af27c38fc66be39ea263bde233d1

SHA1
4096981f720125337b5cd4bac65c4f3ef3a5b4ca

SHA256
37bb68d3d4f36714dfedcf9a5fc71ae386973b53ebb4099e371956998ef4e798

SHA512
78053a9304bb94d1317334a7bdd63574fdc4c737485d1898fad9538f25ffca3fb22818ac2b97e94abdfd54e86b4fe00796a8f19bfec54bbdee3aad8c93c81c8c

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
4de4941f7270d4dc711bc247b7e8f14f

SHA1
aa19d5db081e966bd4734e9dac853abd07ae7b9e

SHA256
6de4ce4c156aedd5eee5d13ddc0eee789b89f8f4c9468984a2b57e06c98b3885

SHA512
0f56bfb0a6872b426c0d8fcbc2cfba81722a608d764233f15dc050ce83a0027b37ee6ef42861d2489f6ff1fdeb60f1d3bf9d45fe457e136efd058219b8f357ef

Download Submit
memory/64-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/64-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/452-357-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/452-362-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/716-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/808-465-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/808-473-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-380-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-463-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1392-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1592-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-437-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-446-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1712-493-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1712-502-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1748-251-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1748-244-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1868-271-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1868-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2084-288-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2084-45-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2212-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2224-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2236-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2236-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2248-416-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2248-435-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2428-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2464-399-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2464-391-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2616-86-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2620-2184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-454-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-120-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-492-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-484-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3256-204-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3256-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3528-512-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3528-499-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3644-338-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3644-347-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3772-408-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3920-317-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3920-327-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-482-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-174-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4032-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4072-336-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4072-371-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4072-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4092-388-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-95-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4164-355-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4304-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4384-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4556-260-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4556-252-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4656-291-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4656-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4676-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4676-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4708-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4708-2189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4800-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4992-428-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4992-360-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download