edfe85d5aaf502eeacb3c35968db2684a53c50acdd54a4e7f545778e772e2895

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
Size

942KB
MD5

40a0f08f8ceb929f709507c4f8e5de6e
SHA1

7385b0b3989f5acd097f274818eabbe9fd2a96ad
SHA256

edfe85d5aaf502eeacb3c35968db2684a53c50acdd54a4e7f545778e772e2895
SHA512

fc4f77d3d58519791f7a5e1fc814fc8c68d0e9a38d8cacbddd076fb1097ab77f5b1f87e122b757289611bc1d67c2c37007ae68ec1c32b5588c090f6111591ab9
SSDEEP

24576:V6roiwLpXxrJIfZar0jZPrFfOSl8QU/W:c6xxuRaAFPrcnQ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 44 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 44 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LEUgEYEA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LEUgEYEA.exe

Executes dropped EXE 2 IoCs

Processes:

LEUgEYEA.exelkQUMkww.exe

pid process

2772 LEUgEYEA.exe
3708 lkQUMkww.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exeLEUgEYEA.exelkQUMkww.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LEUgEYEA.exe = "C:\\Users\\Admin\\WIoMYwIA\\LEUgEYEA.exe"	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkQUMkww.exe = "C:\\ProgramData\\XiMIEMYk\\lkQUMkww.exe"	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LEUgEYEA.exe = "C:\\Users\\Admin\\WIoMYwIA\\LEUgEYEA.exe"	LEUgEYEA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkQUMkww.exe = "C:\\ProgramData\\XiMIEMYk\\lkQUMkww.exe"	lkQUMkww.exe

Drops file in System32 directory 2 IoCs

Processes:

LEUgEYEA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	LEUgEYEA.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	LEUgEYEA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
112	reg.exe
4712	reg.exe
2028	reg.exe
1564	reg.exe
2896	reg.exe
4496	reg.exe
3800	reg.exe
4200	reg.exe
3296	reg.exe
624	reg.exe
4588	reg.exe
4732	reg.exe
3048	reg.exe
972	reg.exe
1792	reg.exe
4664	reg.exe
3016	reg.exe
3768	reg.exe
672	reg.exe
4760	reg.exe
2764	reg.exe
2588	reg.exe
2376	reg.exe
1696	reg.exe
2596	reg.exe
2588	reg.exe
396	reg.exe
4436	reg.exe
2648	reg.exe
3308	reg.exe
1500	reg.exe
2268	reg.exe
3692	reg.exe
4024	reg.exe
1844	reg.exe
2272	reg.exe
2436	reg.exe
3148	reg.exe
3672	reg.exe
1500	reg.exe
4944	reg.exe
2948	reg.exe
392	reg.exe
1768	reg.exe
2344	reg.exe
4656	reg.exe
2016	reg.exe
3628	reg.exe
1812	reg.exe
2276	reg.exe
1392	reg.exe
2292	reg.exe
2448	reg.exe
4148	reg.exe
1444	reg.exe
1812	reg.exe
1968	reg.exe
3108	reg.exe
4132	reg.exe
3284	reg.exe
2768	reg.exe
3556	reg.exe
2520	reg.exe
4636	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe

pid	process
4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3144	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3144	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3144	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3144	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2516	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2516	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2516	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2516	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3212	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3212	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3212	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3212	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2752	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2752	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2752	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2752	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4068	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4068	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4068	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4068	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3748	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3748	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3748	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3748	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
5084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
5084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
5084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
5084	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
840	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
840	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
840	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
840	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2768	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2768	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2768	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2768	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2816	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2816	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2816	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2816	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2128	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2128	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2128	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2128	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4204	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4204	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4204	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
4204	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LEUgEYEA.exe

pid process

2772 LEUgEYEA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

LEUgEYEA.exe

pid	process
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe
2772	LEUgEYEA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.execmd.execmd.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.execmd.execmd.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.execmd.exe

description	pid	process	target process
PID 4180 wrote to memory of 2772	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LEUgEYEA.exe
PID 4180 wrote to memory of 2772	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LEUgEYEA.exe
PID 4180 wrote to memory of 2772	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LEUgEYEA.exe
PID 4180 wrote to memory of 3708	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lkQUMkww.exe
PID 4180 wrote to memory of 3708	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lkQUMkww.exe
PID 4180 wrote to memory of 3708	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lkQUMkww.exe
PID 4180 wrote to memory of 1056	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 4180 wrote to memory of 1056	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 4180 wrote to memory of 1056	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 4180 wrote to memory of 2268	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 2268	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 2268	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 396	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 396	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 396	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 2948	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 2948	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 2948	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 4180 wrote to memory of 3792	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 4180 wrote to memory of 3792	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 4180 wrote to memory of 3792	4180	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 1056 wrote to memory of 1812	1056	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 1056 wrote to memory of 1812	1056	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 1056 wrote to memory of 1812	1056	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 3792 wrote to memory of 1792	3792	cmd.exe	cscript.exe
PID 3792 wrote to memory of 1792	3792	cmd.exe	cscript.exe
PID 3792 wrote to memory of 1792	3792	cmd.exe	cscript.exe
PID 1812 wrote to memory of 3512	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 1812 wrote to memory of 3512	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 1812 wrote to memory of 3512	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 1812 wrote to memory of 1068	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 1068	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 1068	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 2760	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 2760	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 2760	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 4580	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 4580	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 4580	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 1812 wrote to memory of 2212	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 1812 wrote to memory of 2212	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 1812 wrote to memory of 2212	1812	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 3512 wrote to memory of 2692	3512	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 3512 wrote to memory of 2692	3512	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 3512 wrote to memory of 2692	3512	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2212 wrote to memory of 4548	2212	cmd.exe	cscript.exe
PID 2212 wrote to memory of 4548	2212	cmd.exe	cscript.exe
PID 2212 wrote to memory of 4548	2212	cmd.exe	cscript.exe
PID 2692 wrote to memory of 4272	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2692 wrote to memory of 4272	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2692 wrote to memory of 4272	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2580	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 2580	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 2580	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 1768	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 1768	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 1768	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 3800	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 3800	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 3800	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2692 wrote to memory of 2016	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2016	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2016	2692	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 4272 wrote to memory of 3144	4272	cmd.exe	Conhost.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\WIoMYwIA\LEUgEYEA.exe
"C:\Users\Admin\WIoMYwIA\LEUgEYEA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2772

C:\ProgramData\XiMIEMYk\lkQUMkww.exe
"C:\ProgramData\XiMIEMYk\lkQUMkww.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
8⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
10⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
12⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
14⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
16⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
18⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
20⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
22⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
24⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
26⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
28⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
30⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
32⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
33⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
34⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
35⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
36⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
37⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
38⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
39⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
40⤵
PID:1500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
41⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
42⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
43⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
44⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
45⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
46⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
47⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
48⤵
PID:4180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
49⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
50⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
51⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
52⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
53⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
54⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
55⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
56⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
57⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
58⤵
PID:2396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
59⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
60⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
61⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
62⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
63⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
64⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
65⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
66⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
67⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
68⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
69⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
70⤵
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
71⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
72⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
73⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
74⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
75⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
76⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
77⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
78⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
79⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
80⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
81⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
82⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
83⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
84⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
85⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
86⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
87⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
88⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUYsgYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
88⤵
PID:2916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:2344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:1792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEEkIgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
86⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
- Modifies registry key
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQAEkAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
84⤵
PID:1984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuIEkkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
82⤵
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jogoIkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
80⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMggkgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
78⤵
PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
- Modifies registry key
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\busgEMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
76⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
- Modifies registry key
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WicMskso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
74⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgIgsIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
72⤵
PID:2160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUkwwoMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
70⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCAUMocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
68⤵
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwgYocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
66⤵
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwcUokMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
64⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAgkIMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
62⤵
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUYAQQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
60⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWcMQMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
58⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOQEsQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
56⤵
PID:1084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIUAEEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
54⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmAEYUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
52⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:2396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIwAgYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
50⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruQkAEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
48⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQgsIIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
46⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeoIMwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
44⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWkkQIos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
42⤵
PID:3720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWsoMUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
40⤵
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYEMEMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
38⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAUgAcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
36⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncsYoQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
34⤵
PID:1132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIgYccMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
32⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caQgkwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
30⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwMMIoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
28⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwQQQkQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
26⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsYQAwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
24⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMQMAwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
22⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gickQIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
20⤵
PID:948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeMkkgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
18⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQcMscAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
16⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqMMMMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
14⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmwwUAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
12⤵
PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuAQsMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
10⤵
PID:3496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcMEoUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
8⤵
PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWgIYkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
6⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkEcUAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiYggcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1792

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5028

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:948

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3448

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
322KB

MD5
cd16585763956002f597aff5f9cec2ef

SHA1
bda581c085fbe22ef12706f2226ed2875f55e930

SHA256
91d57c245bab699cc1ff9d04bca287f09fe9dc007887bf53d3728a7e209515b3

SHA512
24c36df520c3bbc4f4f1b02fa80b54140c40a9196319015b1d2b8e0fd91cd1a103b696ea47050202eff1c4b6af2974410376a2514a21061cded5871eff8547d1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
239KB

MD5
73f9691fef006c70d1df1e283d729a46

SHA1
a96bac929c4a25258eca96ee07db2629f5f5cef8

SHA256
b7832748f73db2a9ed28f670044c22802c3ad9b5b44945d16c457e33897d167e

SHA512
5aac7932c7ad208d7a3ad1a20fba0a8d07108f56819c7a8db76b38ec14cdb615b8d3d59f51614dc5f286c33a3c46cec20c278dd52339a16571568cec590c67d3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
239KB

MD5
88280534316066d5f6f4b1c0dc5bd4ef

SHA1
022a74d5da0571bcbbd16db59c65ac85bb785cdd

SHA256
7d210533fafe99bebddc1c0e76f11b5a572490c30799e6bbd50c0cdbd50cbe87

SHA512
58122d5d0719fe4e9fef5705dd14b5fe993633f221cd038297f7b2baed0398b2e84f6a36b598bd2be45465bf238340b4ac5be0eb2881719bca5574be2ee9e717

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
217KB

MD5
b38ab723fe26cc22a055b71906e986cd

SHA1
5796f2280fda7070f5153bc261130ea484ee330e

SHA256
98388c72fa525a990cec0812ce90e0ce14090c3cd9c14afa8cb62bead6a4cbd0

SHA512
906b95a855812438c91191dcf3a27d2ab2ec991a0e52de1df3f095200fa0d41175e315f76e2835d897506ccb45759b1b42d149a74236903fe298cdaf2165e940

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
320KB

MD5
570778e5fb5d07b6d513a0728ce8ea24

SHA1
c50892fa05d5df89298c4109574d36c0de1bc1f3

SHA256
630835ce347e347067a9a69c74754b46767f9325b0bbaf470b2f37cfa768158a

SHA512
b75288dcb85cd70e665ce6d8487f4104e44f1757a94e5557607abc490534e40225e94abaab6b80483567b94533113faf89e08ba65cc5612b13b1e396688b574b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
778KB

MD5
d9e39f669ecc037122da38832f58845d

SHA1
d9b8ad16e54ffa15b1fd2d850c05178bc635d26c

SHA256
371ee482c8b2254e3c90e85243df6b94b0512fbfbd9578a8bb24286a546545e1

SHA512
df4baf429ed65536d381b38fc0e61300f3403b61bdda8abf78b4e3a63bc8fcce0f09d6682e2ad8db9ac81f76fdfb0df26a3a935cfa6b9b3d2b80435d77e238ec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe
Filesize
184KB

MD5
b8549dd185874141d10694162011777f

SHA1
10ac7c834c67bec17b5f0efc6cf923cd7167939b

SHA256
bace9febd19563895bbc834c7a2b56584223cd925f609cf195049063b1e340c2

SHA512
9c622be9f1f0bc59f07ca29ebce7893b910a340d24767d1377aa08fa46db0d5eda3259cb46c380af0c4f35100a20f6d8dbfb9f7c3104b1e5ccb5f5fedbe0134a

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
813KB

MD5
4f03e0d2397bdeaaa7dfafea226938b9

SHA1
d9ef10f8abd7ebc8619c5d9255a655121b79ae49

SHA256
7bf7cd17f5c498f20bd65a78ecedad5a4bfe2b738d4a68fac3f22d564db57bc7

SHA512
218fcaede2df113c904c07c6a42647ee28e285f1f44ee6f5edf6be2982484aac8d6edbd74b1685ac31884ca9036cf07f743e15515e3467d42055f4077bbad9f2

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Filesize
838KB

MD5
cc0dbb279b701058618bf54345c7eac7

SHA1
5ef9fe643dc28abb1c2341b5739643ff76b90d96

SHA256
beb0aac5277b26dad26ec345bedb38a6f6ef41f2645d71509e2dcef7859f0991

SHA512
5bd0ef50d39c656a58fcea6f3b3738d63fdf933c48e0a6aaaaf93d03e6140d8be2aed6298afc17a93394f89ff2295b3af4280a189b61f18df08aae464c5e6a6d

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe
Filesize
815KB

MD5
4668882d04722926f121a3039b21ffb3

SHA1
ed38537732406ccad340fb57ea59f7fa658b2963

SHA256
ffddac4ec02b08239c3d555a7f97ab437c3ae1a03d24b9132e407995d480b582

SHA512
e2e3bd17bf3d1f8c4e14dcbc021da149bc1d10f4a6d24ee33c6c374f785231f306fc6a27d1874eedf4d630c7c4f766dc77adc517b79c1d95ce2e32dbfb8a79df

Download Submit
C:\ProgramData\XiMIEMYk\lkQUMkww.exe
Filesize
196KB

MD5
a860621eecfc10066363bf756ae8b8de

SHA1
ab45424a0eb7564df7c257118206fa45a32dc9ad

SHA256
cc5b71429901c28ad5f4add4c2f78e745214d3a6c6b4a0eb2926c5017f01e1bf

SHA512
af378d95f633115e259c3cdf3368829c152e1fd7dd867c66c1d4dd38d6a317f29d727694032a155612a043bf2d1542a56fc3e40e10ee492c024f5d15d336898e

Download Submit
C:\ProgramData\XiMIEMYk\lkQUMkww.inf
Filesize
4B

MD5
fe674284ec8edd96e64cd2a58e67821c

SHA1
b94c94db793f52aa219e5a80d556b8a98028e365

SHA256
069690f6b3ac0e75cd136e39ea6d2bd74e8dda059176c77346087b54ea7f2c7f

SHA512
8b3cce7412d988942aa4d53b6336aed5fa947c83436deac5caac71ecc1c6c20d2f4eaf7a5bb1bb34aae274a405f57d140933e0f4e2c082933f93cfb95c9fef38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe
Filesize
195KB

MD5
6fc0ec0f5d63e66064af1fbe9a3057be

SHA1
8cd3ee178044088f50aba40c9f41b4651145421a

SHA256
54d610ba072ffb6e477f7303a3964f31ccac4cd6e609acd44cfccb43a476b8f7

SHA512
9bd53c21b36de84070544e7f2c5584d647b8e8a82a7e5e8e6c20c544f0a326daf031198f461f302d0e449abc9dc6ddbdcb0c8369d0c9d7a7ba5f4b925d5346f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
Filesize
196KB

MD5
73cf2c82c67f57634c91364a37db7640

SHA1
6ded8ab8b235db808a8632fce13e1ce8aa8a554d

SHA256
172156a0de472e9fa5628caf8d9a1ff3e3460f88374e18dfaac9ffca992725e7

SHA512
b9c8baf34c12cfc76b2485d654d1af1eb01d96fbd9abf62f65a6e22928c3c4791f0511c3fd931c8896976f2187099babe84dacdf7321ff0356a6998da94f6b2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe
Filesize
200KB

MD5
fe29450c018ab3e552bbb9ad8e9ce6c1

SHA1
13fa41c00e060e29c1b69245409140fb5e4601f4

SHA256
ccbdbda2cbc04787b4d208b55d52d5e50f34fcb798efcc2ee8e948aa8da0d2f2

SHA512
231a3080cf7a17b473825aa982d4297664ffe1da161bf1aaccf410b26441dbb135a7e6919f1cf5175e77d75252e99fac46719c05dc299ca5464e434cbf331bc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
186KB

MD5
fdf1bf8703d4ce66e5f08094877e5bec

SHA1
283f89fb6240bcb15f532cea700ddb2ccc65997a

SHA256
56edc8bbba8fc38c7f4b56b084475bc827d70bd1e492468d4a423bc2c8735e9b

SHA512
28fbb9cb1fbaef2145dabd90a9267cf31f342ec43601128a792ab95cd77e2c16d48a23affbc3bd14b3acf77977e4fb5379264a36a354add00a765a32fbbe3f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
211KB

MD5
53eeb53fbb54354969d0ebdba24a1541

SHA1
a82202d53c21e6a65ff436e24e66317f98d1a023

SHA256
74fa24d25da9ba700afb38e6c4e02730fa199af0aa51baf6192875a9a4f3a5a9

SHA512
a8f28abc3b17a916796998a7d6d49f659ca94817c1245f9cd9068e4152b148a3d0711a3a2b76b083693e2697fa6d85bee6d97bf6d02f2e8b0d9f591a3daf3186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
Filesize
206KB

MD5
7dbc53bfd784a4bd27ef467e0b2ca6bc

SHA1
401195a81b6e5a413c92c6a8ff78a9b97b5c7c7a

SHA256
b565372a196ca364d2bd64fc7edb8f6bf538ad4daa38985aee00fdc2941b3b76

SHA512
93e210ef45228b97d8b3f92e16fddd2c9d74f7a45ac9f05b39e8c146e4d2c5ea5b3892b408e412a6254a5d75bdc77052328b49fae129fc2888ae91364ca8f6ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize
204KB

MD5
97ba921674e4afaf8900c707a6c36942

SHA1
779816967397c0706040fca3aa43ab7bfea661e4

SHA256
5a596ea0476f2aa983eea64ac5bfb6ccf8ee94030a1d497df8a84f41036f287a

SHA512
9fefbb0984452156ee9593630a6328bffd850144778a66fa75258694eef11f9535ee792eca47f5900fa00778f45179ef5681e49d0205fe2f8b5103e45794378f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
210KB

MD5
c47e4da99983663f20552eab8334a0bf

SHA1
e0acb13df6239620849dcb0b8e4b86f8da65534b

SHA256
bcd8ff25084889bdd53349e59c2701043c180872ead62fd1d2fc749717651849

SHA512
7e29d4bdee675cee4bde76daf717333d2061960a09e7f156183b6d9709b817a15e99b33fcafd6e463992338761f4203d9606c68d8f3990f4a184ff175512f8f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe
Filesize
193KB

MD5
84dfaefe3b909612742b57b1f0325d71

SHA1
2b447856199dbf9a948efb229b67d0d7391428c3

SHA256
e50a546ad16e97d490c4c1f0afccd8045a3c702d196c5b783855db6061f5ea71

SHA512
0e0159eab50eb0a4c13eca65207e18c99ff9a19486b18bdd6933a9b26023e83d132d071e363c0d566f2550f7b3314e9b650fb3ba603a04a5ef7f72b73c7ce142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
Filesize
206KB

MD5
f3a8af771fbfd2d82e7cdf1c643dc91e

SHA1
03254151021a35c2a7bac14f8960675feeee4724

SHA256
f45e83356f227670811dbfdbbb20c0654b9418f43190cb75f7fea5c947f1fc62

SHA512
142d0edb18de3921cb26247bb75fdc4162c61fb5e10589fbe5864bebf47fd574553873e012bc72080a9db83475babea4b8ff4ff95ae9677c1a469fe92f4f7d8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
195KB

MD5
7a7d621f86b64330b9838cb0d51e8c3d

SHA1
b44cd87f2e4da8f43f40bb0c8b04b3aa86cc9872

SHA256
72dae64c96d1ec7c7558994d6354b194cf5293aa6ed698ad7e66e3f73c2bb3f9

SHA512
bd713f9e595371fc58cb4806687c0cc3bec5897a042d62384a81aa1037ed3e7aadbfa71a88bddfd19b1736674ec0c7d64b6a7510af78bc7758e5bb302258c219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
206KB

MD5
5aceeb70dfc919927f6e13347d8e8fe6

SHA1
6efdee850d2737be98e5951c9cb1cfb8b8332cfa

SHA256
672a37117e93f5dd8a48573d3dbd3fdd92b790e189d8bcf7807d723fd9e2bb59

SHA512
4cdcaea9abac4708aee2b3a54d3bb2613a36e27851bd16a7a8432383abc3aea00a0dbc60db6fc52c84b1bbdde3034555091bc68ac22ff4dce63de517f7ca01bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
203KB

MD5
d8302b80df68f84fda73b480bdc4d5ed

SHA1
dfd71ec1fa5fd023aa69babca49a0dd56adf3414

SHA256
ed19f3bf1ec3df8755fb10cf0d87f77f298d234f30a591cdd7e6dfd131d6b538

SHA512
fff05848a118a7a30a046e1925de3cd82423022c69c11990d109e9954f4710080f03953464101663b112f8e5d5f454016968cb9cb16d9842cf539d52c9110fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
185KB

MD5
ca9fca2848dce3f2460a831298c535f3

SHA1
552bf108bc8fc7443ada7120ad40e3a184f81bc1

SHA256
8e164b541923b688af2d20fd3656501ad549ff4dc9438109741ef11390741bc3

SHA512
9ca34a213213645b33a56433a4eb4a4d4322b23c3bf63559562524da75bd8773406b9a6d4f0e12174891b327ebeb4db0a3dd579dd7b55f6b727d1cf3571c9ca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
Filesize
193KB

MD5
5949dd55a6709643d904c9ec7b5ef639

SHA1
31946321ce8679305ad17185ddac94eb6bb36989

SHA256
6fc0c0c35933b883c2ca3c4fdf084ba08d02388c71bce596307e36394a782bb2

SHA512
02f9b5f9b4b0309d8f9f0631964086401b32613448b93ff8d90de7af53ecd7807e029238e543da80613a9431712cb20006b074fa066eaf5aa936710e7c00c94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
Filesize
201KB

MD5
3d911240c5d8000ae059eee1f2e03658

SHA1
db1d625a60c0b150ffc6409b3b42524d2d73fe91

SHA256
26a5ce28e6952ad1c3e24f407ee3739e527575b8306ca619eba3220d1e5d5988

SHA512
9d075418a3bdef30acbb6b458dc0a0d6deca3ba2d10ac8d93781fa56530308f26360ab11161ae4390a3fced36218cf39de728cf6a72a62144dd3e12faebda80e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
207KB

MD5
98f24de4fa3ebaf392498160bb068cc4

SHA1
52fa0e31d55e3be30decffd30cbc0637afb7d4e9

SHA256
c1b45094ae3ec5e803d2a7b21d9c74bf5ff2a5536383762c16c7da3868781c0e

SHA512
0afa734aca7242bd30c92263406e194081164c9099e23179a7cd69b2535b9454718a86a1f653b417fdba3d3b6f49d23effb1d5ff401dc1a1dc5e7bcfbe8a3135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
185KB

MD5
4b46593f889edec8d7a5ccde307cc21c

SHA1
a100c7e0019af2c32df18a9045f1425fa477cc5c

SHA256
4d7b67d62014750baef49da3a301e27fc3147868e3bccccbf4b6a98c0732a21c

SHA512
a144454e35738233b3b4eeefa75cbf3b563e79d8b082157fededb0523cd32265ea0f8cfeab8d9d3bc3f15c1aa9c77e1bccec5fb646e4d3c34008a5c3269b8594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
195KB

MD5
561e1ce8b360f255cfeb16b55d7aad82

SHA1
6abdd9e33a1344e8ba20ce3b8698be1b74faea44

SHA256
97d83f7fc8f632d3d0015701084ea29e635ec49481628117d53b7113605b3ef1

SHA512
b1d7b7b349f4662798feafc3bbea2cb7d731d93ab63dce3f6dc07f58a067dc6c62285e7849b97c20e3fe350b741996aa4afdb25f495b3cc9addf81ffad413f68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe
Filesize
187KB

MD5
5293964de0a55d7d0be6f936c27d9677

SHA1
897a5858f9493718dc4721812ec8927d510164b7

SHA256
a06478b07fd4f24068a5afe6cab1985d2fbcc99b2efed001f025fe43296ddf85

SHA512
e84fdf5197d33fccdce0c6fa21a14b30e916e44d0d08bfe04524fa04f35aeb96da78d0cd57faf8a81aed0c190474143c0d393dfb9e0ba515e274da50149d8924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
200KB

MD5
7ca8545c6eeae7ad5459a915dcfbd2ae

SHA1
76d2d377aded3bc632291520faff7e2cea952381

SHA256
abaa49125652b12bfbdc99d0b34e40935f21391d74c106bc1d488802137c5639

SHA512
82baf3336395ee953defb96f9fb582fd0ddd645ab093976120b007e4d942197e9667982287c57309c9c2cee62adcdef419c273e9ba2c37f21bc520c4cd521812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
204KB

MD5
f756192dfad274152061e8baba4a41e3

SHA1
c1088d02bfbfbb3a5eb363956b713ec86e8b55b0

SHA256
a02e2c9bb2281478ec6338d9ebf581cb40c5fb18ab2662774bad779248bed2e5

SHA512
8a5bb5f3cb50f35c8bbd9ccc51e938b361580c506703e90d3ac6dad4714a4df36d3fb5a1cf222fbac8562c043df91eb0c174b1b8c9a34727a6625e4835a4ec08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
209KB

MD5
fe567389e278d1e44ac05b2c7ff7fd3b

SHA1
e1b9e956db3a93138f5620231c41d72b5642d2a4

SHA256
71372955ba5c38befd02330686b47058196bf3b947e29a8bfc3f1e1152775cc8

SHA512
caadd2ec1af8ca2bd0ab8562d10697900a41ae5416a5b4812c650a5ea3ff2ad060a4885522edeefd22223d8c594ebbb8b0e78bbf0ab84b12670bc289d745da73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
Filesize
205KB

MD5
9a6ad32d1b71377abcb0f6cf42c5078b

SHA1
0bf84f92bf19f5e9ca84a2926502ec4fd0391159

SHA256
02a1402855a29e0f6fd6044aa1b367424b1542a74fc686dec1ef22f5c33a4202

SHA512
96386ff9f7e4e7452666c56b9883a66f638b00143ba3038bd1b8e24df5e78ced2ed32a5676335d7effcf7d18788ce3d5aee11b31ef6a2a1aedd189635614df57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
191KB

MD5
6f940ed86b16b02c6916296b12f9b22a

SHA1
ee04f81c11856c2d1c8bdc49c6f2732f4e34d411

SHA256
3b81cbea0f71374f5094c0be640cae25db7d4e70e2a39d3808d3533f374a3f89

SHA512
7df50c679e65147e039f94079a7bbdb1bb36bc413c8e5f76a342c7f43e3bd0519e6cc30877f64088c236da9ed3f1d164f04825605764bdbf31cb51fe5171888c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
580KB

MD5
b639ddc4e9f0e7aedfa2c3699520e9ba

SHA1
f5939ffbe2575f3aaa3210427d0fd79d08fea838

SHA256
5f5d911d0a699036818d03b342e6f4a36433d2404649c5498e65bb950c261e58

SHA512
4bc9242b9c3e0b2f4afd600d4dab9e30ccdbb229a8adc6ef219a8ebab19a8473b90d0f4b251774eecda180a5d2abf40146d77a406c05d4f1afc9597a5c37fefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
Filesize
202KB

MD5
d7f55ea8dedad36a1187e135d78edb78

SHA1
8d12f5eee2ef4bd9e25d3fc287554463b4027926

SHA256
1bac32eba7f694680c288b4b9f220a9e5abaaef96521c1ace7331d4ee0bcd23f

SHA512
4d3e8941ed4d78025d8eb62062e3f80c8803b69646011a4db15da4bfbb3be24d7af5a5a478315719da0b285739d03820cc9d399a5723eb9a23f0a012229c221a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
Filesize
189KB

MD5
c93e0d913a0c66fee81b0a7b721e08cb

SHA1
e026bb6367a874c011c2f64d292d59b5ca88f490

SHA256
2bed25a93981cdd53aed6e3cfba41e1bbf80e61cb32c5ef37892eb7d8d761b3b

SHA512
e970c2095d614116a2fc0db368670d7fcc1cf89d4a0796f0148a15357154bb8971673d974ec21e7d8f5c426e2b52203acf021eeac89d469e7fbdf70fd0a5be1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe
Filesize
190KB

MD5
2d5f873fd4d5f5a388b55a86bfb5c662

SHA1
2deb18bba075a917c79b5b124425b1b9f3b5b5e6

SHA256
e12a7ca4a4519815700b404584dc044cfcf4206cbf218942a59c585e720d1164

SHA512
f18a7a9faff6f0dae25cdb9e0ef8eaedb48ce034bf83b31e17f0a69439af883ca0a3baf1e70fd7aa0c5244fb59c65b02c7b74b44bf9555102a60729e75580d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
199KB

MD5
329cfa003478130bb28de2550dfe2c10

SHA1
9c43af262c8cd805e6cd78bceac5e8d8bd8b16ce

SHA256
7b465a301c4079cf8375c3975eb27aa39f8cb306e4aa3e78358eba998c1ec00b

SHA512
91fe52735531822753d33aeb361c7c87ca4a797ceb945d876376f90c294c7e6066cdef312720076b3c02bd1c26a94cebe7b29385c58841f899ab05b2b3a68d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe
Filesize
197KB

MD5
3e066da3dce3a85b10dc696005024808

SHA1
0aaca924f6e64a17f23f91374875142f8fa7edd8

SHA256
d18490c742b1608c4db4c328a2d5c1af56e1eb73453ddfd4aae039e8930ef5fd

SHA512
b378c051e5853f22529618a9f74fb8ea5adc53e4518a12ac54aab9183f4049a17fce3e0fe90b8befb79bc5d2210d145f228398b5ce29c078e8d7c1f554e29646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
196KB

MD5
5d38ef874fa01faa705c1307495655db

SHA1
16956524f590bd2c57eddfd71c678675e5b77211

SHA256
d0608c0dbb3a91d06fb723ff418908d53d1f2a3706ecd5c9dc5f20ccd76cae73

SHA512
53654582af87101b95532f4a8849ca51b74e1e3cfdd4c473bf8a4548e119a9db641999daccf11d084198b7c3a4286edd75bbc96891236702b6d1455f473b89ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
Filesize
202KB

MD5
def1474b1cf07d08e7983650875877cc

SHA1
3da6de746fa48e362fe5c0723ecfeac9347907fd

SHA256
fcbb16b5bfac9812a0692c4febf13d80faec25fc2e6c03c0dfd4f2eb988e3c82

SHA512
59ef178ebb799b9ce25b4845fb27be65033c4954294d1f91191c3c262dfc5f299549fd1ce90686da11ad466ac315f5414e705325e7cfcbc39fa59cf30927fbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
209KB

MD5
1812aaa316e7b6a4e12b264dc1e53217

SHA1
e200365696d5316446c8895d1a91faec2de6fe25

SHA256
6771c359245d5ba197dde4b43427273d9d1dffcae78a98ea79fd6fef850ed0bd

SHA512
09f273908a60395b094a85ec1a25582fba586711229bd377249642620a9dd3c42815b12230b86ab1a89799f2e52f3c3e681e4c68b93c77cba7c099cafa691ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
Filesize
188KB

MD5
addeb71ddca7b66d6dfbce398579de0a

SHA1
0b97aecdea300b2311cdc92e3c864197b45c6a7c

SHA256
d73da08df907f28b09441a474ffe20d47e009e269ae74a2d563956b278f6b62e

SHA512
97dc1a6057300f8a026d75b67b9d37b5d1400af28614a08543785834f8ce130520623ddf8b8ab3b8f548edff400656e1fcf7eafe4b2ff491b55dacb418e7d6f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
186KB

MD5
19d3414e641e551d7d5e7d4cf049e372

SHA1
f699d923ec60cb3b51d07eda6003b661ede483b8

SHA256
c6ad5fb57a08d6eaba17c1207606f33a22f4ce68b1b74ded233c6ff61adb9850

SHA512
141351c480e9b52268f972160806a7bf704f999ce32ec47dd05ccd29437f09c9d9e35cc9e5fe106acb68aa16ae3024010b24a923ab95aa39d28c7e7edf607463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize
196KB

MD5
98ace2bff056d80ed5fcde90e8ff7506

SHA1
3a96cf3e3a6eea5dca7773047fbef494dffdaea5

SHA256
b3ef3379d5295c155186c7ed98246fa0f412c829c9c0b594b73c3ef015ea9de5

SHA512
2103e23dc603537f52dff16dc80f275ba260fcedb03011f9ce3b0f6b8a909305c3d001dad4e1f7f31117ad9cf0e1283496be005a5fc7a8c6ffdb347d282e4f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize
194KB

MD5
25b6bee8b65991269a5c0ebaf799fc6c

SHA1
1c860c26b45d79cae02af343312fd503039b581d

SHA256
05639bcc86c550a993d7271f4448ca912d9c4c6ae188b793b33b1a962fe6b906

SHA512
035440e47e78e024e418159cc8f1d76895e379aa6945253f30bcaf17496db251da768dd2d80a02e79aa863d66f829462656bbb7826d2c29259368367776babbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
1.8MB

MD5
ea58bad5740e4601b49f9f710ddf88ce

SHA1
30f4f9b2d989935157acbfc21d99890beaaa536f

SHA256
5350ebee428ff94249fd3939af4777e0422e5ebcd8602276f6ffae55fbf3fb61

SHA512
78cdd8042efcc1c69eb796d37b4fa88048a8ca11e8f18760237bd4b03990d07ad95150d9f4dc209883d489ad3b255f5a2aeca9d16fc17530f3f65b71c4742f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akgq.exe
Filesize
834KB

MD5
65d952822ffcaf061351f8f26b64b9bb

SHA1
fdfaa2e33d276d23ea60f5e9615d37c2b1e8e0c7

SHA256
f8e87162984a2b60f998867e238dd2bd4e5aab74af24a3de492410672ba7ce2d

SHA512
bda1217fe6ffc0d469289a476e357c06680b40e9ed6b1aec552cdf6951867db68d038ec035c6e6bbce9bd832e7dc95e298d0224054d01999f46782f0da94accd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMws.exe
Filesize
789KB

MD5
3a1a495c8565ccce9dddab9be6864077

SHA1
7efc820a18a78496b578d5318e4722f11c5efe90

SHA256
df03c2d4f5cd5c931e04c2c612232bc8dd5ca3a6d2532e1d264dc3d481dc7a38

SHA512
843b3c696374a2931142842f18e9dd8e0e42c385313c54b562dfd80b25506075480f0a790753601d5a9dc24d381f657eaba39d5600828f0d35c7f4d0b372820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYa.exe
Filesize
5.9MB

MD5
1f8c239b271de588b276c6947cbf729f

SHA1
46dd541bc833f2721cf4abe2fa949b410174c205

SHA256
135ef16048147c3f8b9b929bd84223e33a3441dbb07e713c96c03fc1c12f851e

SHA512
6894bf53c31bd0b3b54bd0caabb186f16f38507b66997745fb33ed805d6d8647dbd191ee18e2d3fec08581649deeab45e05e0acfbe648acd89575368e3eca5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMou.exe
Filesize
190KB

MD5
8e9ad1b19448889869afc2c07521eb3a

SHA1
ee58bbb939f2bee4658e636bf54121c5895795eb

SHA256
f9842a1c05bccdf80dc9225b3d850bf164a264c6aad00b28141914162c890c74

SHA512
5d2127bc630311e5e0307cf0d6ef9aa4d764e5f455b8e9242b7901277fd43676013c9055daf4f24ff1235dc386cb3df012997b11e6ff2e6b28f7a1f7806d7814

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQko.exe
Filesize
889KB

MD5
656230258941896fd2ef1ba468d0427f

SHA1
988c349f3783749018376afe28454a8984079a32

SHA256
f94dbcf28c889d9a775761f937fd8b9162c818f45d6425aefaad92f7b1541383

SHA512
d3a7a85758985f1f23753449b5a02fa7ca0f7471678a97175014e02efc231ab14ef5c2badc7e6c2f24f84daa0fee8200c7c19ca0c20066b21100e40830c7bc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkgC.exe
Filesize
202KB

MD5
964b480ee7764c6e8116025387ab5a13

SHA1
d649c47e9669fe79d9640dfa94425e1bd286e082

SHA256
a209d0cf41e8465663ce7b9c3a248f8807a0ece1b9c1b960b56a393fcc1caed6

SHA512
6ac6850cf326abd9432bbfca375bd5292dd44622a0af7e5aa0860b949c7dc70871f402812542a7fee20691decd61e22308d99a8d6e19f582d10cbee92b08c4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYu.exe
Filesize
417KB

MD5
6ba70bda3d5f5a79043042ef70dd2369

SHA1
40cacd3f738bbed681761ac86fb2550df588548b

SHA256
b3d68d99282287d3032f8038f0dda85799e2038891d353623250a6e5d392d135

SHA512
1a12f6dc04231c2e18ccec362154bc6776c67bab2d8926122370f5da56db9b83d7f66cc1afbe26423d0b49f391e8240ab11617060a1f7e3ccebb84992a71beae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUgw.exe
Filesize
213KB

MD5
24268997e6382884925edb95e5d164e0

SHA1
b5ab553af9da9cf96bd704900d5c6a95f683aa32

SHA256
f6fac6f2e286453a9a5caec5f686f66033e635ffdfa38f6811187a7aaa38d874

SHA512
0f0b4b7212a2290cdc78e88292604a37bcc25099f0a0f6754e9a49192525f05dcfb9e8c6f2a34d5c4035bbfd83e546b2a8a35ca0ba7c6c3e889dd35e83b9d0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IokU.exe
Filesize
233KB

MD5
410bf26358f822b7749f55a3fae27a69

SHA1
bf6888caf19f30d118e94e4212235dd5f311b6e0

SHA256
81721028336ef237e0965fc51f5a82a8fb7aff3a60cb396422a894cea3925a53

SHA512
6bb0f9cfad6c30db62ee51c4cfaea247f78e6163a7008bf1cc59a80a1c8637459a2bd12b8fc109402f8788121391eeb75522a10a615faa6539fdac48cb8cef18

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUMe.exe
Filesize
648KB

MD5
586cefe49369a6ddbf9ecd92f5c72fef

SHA1
2af0e7b6819b5e8347141c6436e609abac4f52e5

SHA256
ac6f54755286b088a0860a27074784037a938db45e53ca9cbe8a5dce30a51918

SHA512
b82d68776e1433da180c0a61cef348c41b9c5a162a683747fc000ff6dfbd3309aec0c5bc447f186015352be3603322cebeaac4bb1354deb8f7dc134d75546c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkse.exe
Filesize
210KB

MD5
232bad86a5db7e3af8ce74ce64233be6

SHA1
6cdd8771472218a5f1e7080574efa2202c05249f

SHA256
285f1f5245ac3d2214f945a52f2339b7442a2c3b16b7ea351c9998850cf8240c

SHA512
42cb2071eeef0a268d06bf0242dd4f5bcdc8a7c469c9b46d07fd6df8cdcc267cf4c3bd867781eaf5c4551796924901215894968b38ac7c859bc45eeef5446b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwwM.exe
Filesize
219KB

MD5
0fee6c647a1d42874aea43447e8ed467

SHA1
368bbc4ddb4d537f5fac12a240fbcc95738e0245

SHA256
a0932ab964dd169166c979b33e6f0fbf1ad35ef6f65a52551829c8d456c9055c

SHA512
b13def50b53e97b6981e954e924d616f92d2e7a606ae9a10c1576cd58bf9216a9e690574f06030205ef14af687a0ddd2ff658905aa6555688ea205148576bc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUM.exe
Filesize
638KB

MD5
c26534593ed82079e9591a53ef601b26

SHA1
2411a75b8174ad22def887397f924eb5e6a515bc

SHA256
2e65e038c1e069ec7a783ac61fc1cc579af70810e4274f7d31ac38c697c94893

SHA512
e7f66e2f4f502f8ee4d04a2d0889f2f7c0c5a89163a30d54890e1b3b6c35b734b4ffefd336d5c20daffa85e2638869967b3cb45a72e9ad949191f7859dc2bdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OggK.exe
Filesize
798KB

MD5
2cc287ee3649cdb8a46f815b3af0134f

SHA1
6d02fefc43d33faafaea1f254f0a857691693658

SHA256
3243dd8b9e57d7ca1550e24bac5898a91b903c4ee13aa9e73b390508583c2db1

SHA512
1f5967f19270e40c7ff1c195c69b9d0c81267900db0f79c7c71b26d2c492c056259a6c67b8a1c0134600d87a27a750850a98efa0923a7497d71443bd7b28e37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAY.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkcU.exe
Filesize
842KB

MD5
73efc63114f02d53a266db0a84782cea

SHA1
ecf7272b79f27fccdf8deb046e4ff62dcd0c474d

SHA256
e9c960ed86a6a7dde9a92c885e26e7c239807fb0ac6a74fbb41c59d826da1d4e

SHA512
ad35900e21fb67c25f27275f20ed96a9b5f5994b8721d4039d4a14371fa1a309ea557e1cc7bf2356172d185a14c30c8f4b6b9ca4ea011a53fe1015330775b3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUm.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEIS.exe
Filesize
197KB

MD5
43d0d38616e035c5b66aaf1a4bd17061

SHA1
fa6ebdf32792c4bda44c2f96d5e724157a6bd4ab

SHA256
506bb70b0fe76f59420c41ec7a08d7f259a117551da6a9bc2e64bba909959bbe

SHA512
722bf1bf39ced7e5d961f38d2839e5a1080eb7916871f2622934232930504a294a352c6eb2afc459c5af584154b87a1ea2f675a0aaeaeb10eb1e6372a0b5eb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgMs.exe
Filesize
648KB

MD5
75919deb165c5ae6e999aebdf5a63666

SHA1
ba5a5f47705ff6be4bec7b3e553839f1510c6aa9

SHA256
804b669a8aad149f7ffac74a7f425f1cf6c43bbccb8ea02149e40d6dcacfc935

SHA512
a31f90ae6508c444b0867b782a01600c364781e9f1d1dac479c8b6a8326fe0a381b9014512741408bcef75bac4ddaa64216ec5d9263e89d79985ebccc77054c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEa.exe
Filesize
469KB

MD5
632512820235bb27fbfeb1b47d480133

SHA1
44ba133d7f2d04421b85ee9dd1fd83bfb2ce1d11

SHA256
61b5425e74de86b5612716e78eee1921ce3d8496f0c8ba4bf2e82587b57b6286

SHA512
16de48d9ff65c30669a90222e283f66f1ab09519cbafd697283fea89f44d5f7b306c9e48eaba8e904be7923838af137f775e6c4c6c44c98c9d00712ea174d958

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEAc.exe
Filesize
215KB

MD5
fe6886239ce9b787351f606c100d0f43

SHA1
cb6f076c00f80735baa0841e5ad1c852cffae5f6

SHA256
d26e29747e99efa06d15b82ecbe2808054df64b44c0e3e7272181e637eed4284

SHA512
a3f30769e9188df4e6d3b4744bc61a6a2e7cf38d686898b4658a9cd13ec9a20e489ea4b4dedc8622dee557dad246d4187335dfbf031972f63a4f7a781fab8a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wssk.exe
Filesize
212KB

MD5
d63148b43171a9469964a519d83523bd

SHA1
5672a7fc36bd9ae73d98853792ffe137dbd18b30

SHA256
d2bc829d52d340db3f022c9bcb3888ccbc661d686b6b543f93fd471da8a8af03

SHA512
779d87e4c20526c1429cfbb8c5714c51b81d66a16edcca81216fcbef3d87a1aead9d50040fad9a927f8f2b669e2a5ec313800519e1c2dcfc318cae380e619547

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsMe.exe
Filesize
202KB

MD5
b9bdb9f76483f3aff5b4d22629014f5b

SHA1
72d30c1c2a085c6bc758a6c18e0c8d5459f6b253

SHA256
b4f4dd9e6be6857f1a1e54915ead17b3bf0de5e5dda03cb627870f484038f852

SHA512
73ae672c086c36b50f3fd8b48c96ae53dfef6c460cdbb8a65761eaa42b1f8dfb1457aad0f616398aa7bd74df02c2ddd3692cf6bcee6f0fc2d131c729cfeb530c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YscS.exe
Filesize
188KB

MD5
1036e5e6855711b496d38abd1b39c85a

SHA1
cd24935f8cc067fb7e7caef2d488575878f34da4

SHA256
89c61b79a3d1574c0cda5ce026fe315627e3aca02f179345b02bd76edd4dc269

SHA512
8b41b025bc73bb923c0ae0748328a7867236da170d8010e04f216350f0663bd218c5922438368f5ec83c389ee4655cef5ed90d3a2148ea18854d573017bff047

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMA.exe
Filesize
445KB

MD5
d8bb3ce4b82f3bffc502c0eede9721c8

SHA1
013666bfabe7159bc7e1ff6e93453acdbb09f7cf

SHA256
eb3a1cdd2cc1965278ea682a8d091cf39c09538e73d063f9c381683c770f1b9e

SHA512
7de3011eb5524cdbdd9f6c00a6ac61acf7c5f8c17090c7efcd12e47f18948de815366056803c72eac60820306304f052ba8896df6379357f7968718982617567

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUy.exe
Filesize
635KB

MD5
fb86ecb14252e47881e46856b87f4e91

SHA1
b0032641e74c57702637ca3164ac554db9b47a47

SHA256
a183319ba9bdf9a1f7b4268ebadd5d0950ce86eaf12fffe47d8e89f701ea15aa

SHA512
c3f28f5d74125e605d4d45ab90a25fabeac348cd3f1180edfdcab5f666845bf7d464b7df42e7cc48d17c0d50952de29979145136bcde32bcde48b1767d83f658

Download Submit
C:\Users\Admin\AppData\Local\Temp\acoA.exe
Filesize
522KB

MD5
30ad5ae59f22167f64d1175aa48667f6

SHA1
09aae25c5ddbd28edb87f8a34ce2e3a565334473

SHA256
584eacff2ea4673bba67b3f9589090bc6d4d668c90f707ca154f23c2f751840b

SHA512
89fd697e6ca62fae27712bbe05eba40e40b30f184a8f09f9ccf9e7f68604d3314860448bcfe708e80ab9063a182f93a3af22346add52f72975a2e97995b6f35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aogs.exe
Filesize
795KB

MD5
0beb7cb0ff8de6cd733875335394030e

SHA1
6274c88cd15bd5d910b380f50d93b61d5e16ca8d

SHA256
d4e57c61bb82b9becdb629d6377fd412d90018e5a31ffd361fcac8dfc59d15e4

SHA512
c70e0aa1053f7e38b1b51c70e989bf40c4a715685a4204a0641bdd08bffef27506ac40d8375a52cbb520d076275e14e814b2dd7e1b2271f5b22e12e1720452f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIAC.exe
Filesize
327KB

MD5
26966d58c7392199387a15be527cd8ad

SHA1
36a712f41b6f873a6e5fb2a2f3993856d6be267b

SHA256
f148f11a629264f806e301ddae6bc4ed3268ec679a0d080fbc5063ecf56d5563

SHA512
dad668157d453eec067d0ba75e41b3261a2f28f914e70b534a0d939d1168050a3235030669c401e54b9fa977678e41d30d84c23e13bc93fc9165969ee147786d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekce.exe
Filesize
194KB

MD5
7d1cb21c68ef1fa710d2a8291ef8f6a1

SHA1
371490277bea8b1da5aaf85940d91b882c88f5f7

SHA256
11766ec0cb347c20ebc0fd76426104b56974881f7d5aaccd922c92aecf90deb4

SHA512
0c32c0e828e7c652f2a506f4586e712bddc109f05d43d781c3e2d59cacdc926f9cafb6cc88371665b4bd205c16663daaadfb14d20522e629246a07199d3f41ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiYggcMw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEUa.exe
Filesize
190KB

MD5
1c260d112de51a03ffee285114370183

SHA1
a163616260f9ee8b2598c9fb1ea90ec1cba01173

SHA256
a54d03a13bc61b960add60e81ee9a3f192e1d52b854267fae306c8a346d82bd3

SHA512
104c0dbbfa1d019ad2f15937f725d66ef38bf4d3815086d78d68a3a7fac800c45e7d07c2f08e394e99537e5d57e6e7716331dfceb53bf20d5c00abf07670d556

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIoi.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUYg.exe
Filesize
323KB

MD5
f1e46c45846777b37be95de6305f17d5

SHA1
09dbfe74fbdee03811a29a16970c679b48fbaf9f

SHA256
313ab89aaaea6300cba95bf3f33267ae4fe541d1f23b05d7e675c75d4f7c98e5

SHA512
d4c68964ceb4b3b2d84345494f813c5857364e556a40fa3ab7cd14c41af260c6c79214ca40fff324bcfdf24792a61fad5da4b332c5301599ac7f213f0df05c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgo.exe
Filesize
235KB

MD5
b5176dd8d1e9c1d62048d708c43c0145

SHA1
c699bc1d9d6f0c43a7dac581a7c687516100e1dd

SHA256
71c37c4649a0a710cb79aa718eab6f2669e77382e7da0737d261b8eb6446b050

SHA512
22c9f93269d52a35d86e02528602fabb0cf51de5510d883d2fa2d9c63ec4d3f45d7687f5ed35673b3a2f2dd2910953c9c3042cc8d3389985cfbb9e3a7f2753cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsw.exe
Filesize
198KB

MD5
0acfe7725dc6ab8a6c654a9f390e41e4

SHA1
d45aa4533050cd74359147c7f5f5b38506278804

SHA256
03bbc7984f5674d75db2113664b14b87cadbae237024271fe42fa6ceeb118ef3

SHA512
6c5cb99675fa63f173bbc3f59b8d6b2ae3f1f6e52c5416e4cbc66d04ee842f65ebff4fa13a29b788eef0097fb950009107f5af75fe0fb671e97a4be228fb5f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUQI.exe
Filesize
189KB

MD5
2ac08cad0519979b40eee16a04cdc82c

SHA1
194e7814ffb7f3ed43c400e30797b08030b93c32

SHA256
53baac85e1b11fe074f948c0a41bdac5667d88869d27f077a5386b79c86daeb7

SHA512
3644dd7d5f97d70a409c43bc261d1f170ed328ae662a82fb9ff9cc6bfd20c6e34a6281dfb46773bf96270e2f97d1071c1f963fa5d0ba81ae9a19f73270aa040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isYo.exe
Filesize
200KB

MD5
15b6431b1e773f5a5603f20d61804cc7

SHA1
5017e1d303f2112b6aa6ab96ce731aded09a4710

SHA256
bc0c50370daa6c9d04f8b81a0f04315fc730f8d17c06ee0764d44eeaa3bc6a77

SHA512
9647cd6d831396a1b875aa59bad5d4f46cd1fbb71b94bbebee639d249b74675ab9cdaf275ef769a1657eb8b0922a4b612895d3f43cf62010eabb82d4b61c4aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIc.exe
Filesize
653KB

MD5
47d6e324901b5c42467d589f09e75680

SHA1
9931fb01f3d7f7d588655907d5bd782a0494d1e5

SHA256
ea7f003452ddf5a09b249f6b1b642cc1787aeda29c0293433e96e111534dcec9

SHA512
bc3f15f402c10968778655c2a219ac5e3d11752abe9927a4b1f4099521a6aed43fa97ad74637465e4d065b39cbde0e85081347d75d11b18e0aa29a24193e9e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcEA.exe
Filesize
419KB

MD5
86a5a47b2a65daee559fcd547fe2e1df

SHA1
e4840ba2773616b7570b46e0aa969162a127f71b

SHA256
628f2316799649dcdd275c9f8b57fd829da572ba3659e6e21b008a4e1625cbd4

SHA512
444a6667113a3ee9c539caabef3429d1ba2a8ae677c78ab5041832f6eda76790af60ae1b4649a1f83125864c53c02e0656c3a8755ea8e6b4722635bfa7df9ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\koYE.exe
Filesize
201KB

MD5
b93c52100257cf38ba1e6f2f4b593d1b

SHA1
ee221c524a14512afc4ec332ea3bb74b31f8881d

SHA256
a078b325b11d661dae81bf2661e8236fa32cf797cf50dd9516f5f0e634d61637

SHA512
be07052959c22632d8e1e0a8912309374208ff839ee81678a999c623fdb2e27d892004f7d49318f1424ceb53d30fc14732bae473037d7327df9db4fda7640d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwQs.exe
Filesize
5.9MB

MD5
9dcac3f86bbfe8b44f2e98e2eb408b2a

SHA1
b02faa4e95ba7ed8530c435ae2c0244cd88f81a7

SHA256
f5451073a6dcb6a980fe6505c753333d5e7bb1a576f57a0050e21ddf00b97fdb

SHA512
de078dc8bce7d0fbfac4e48622b407a6fee6d42d266b7b154f240b9eec7ab80df3a5b9587082c5ad949f29598cb1c37abee663a2ae826e1ec1f9ae245fc4b90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUIk.exe
Filesize
195KB

MD5
4e520d6e22ccb4ee45feff408474ea68

SHA1
41daf009ff7e630be90d4fada9d298fa1c042677

SHA256
4b0ccfeeba08b430f23d35b8144ca26ade1de6e9c04819ac6c247c24f2debf0b

SHA512
9268390ccebc957abbb7c29de718910161fcdd745ab52d92fed8dba87af8e10a9645dd7b9518fa96badf7736a3af29afdcbc9768f09ad9747dfbfe55d6cf9a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcAG.exe
Filesize
5.9MB

MD5
935bd6332e4c0cad6fc602b8314bec40

SHA1
0e37528ef5fd95d2c5d98533c626bb17567f03a6

SHA256
65d07c2fff6192e122c6a591e1b9110de82bcdccc6354ae70a7d394784f20c52

SHA512
262914acac6f6cbe0282cf3b6aed9ecfb71a761d09ffc94791d48aed761fa074752faf2d833b5a95dc2b1c0e7b334ad674e2e82036b01b75e257c79669a9f35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEwe.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIoS.exe
Filesize
197KB

MD5
c78387de2d5790a6114ec2507f8e6aa1

SHA1
245e754fc97c1aba10970137449f57cc799e2928

SHA256
7443981cc37e598d7cf4245a914cadb74ff6ea079ac81952b02ddca595d980d3

SHA512
68727c4ab5c75bc6011281579e2ae1f8e2b8d3106121fdb13b7d3bf23695eced1c4475d685d5800fa2dd575e45d9836781c4041bd6da2fdb3972fe2231d15e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUm.exe
Filesize
229KB

MD5
e847d766906d980d8855d8ef60b0d2ca

SHA1
0ae8a3216216cfb92ce82b268bf3ce9ce0be4242

SHA256
9c8b9d7bc3ebe1dd595807e088a77756be30571963a3d89500ae8f350ffc7be9

SHA512
97285965e0129734393ce00ad09d963b8ba9e1412f75a12ab1641516eac652dd5239c5e773e34fb83eb333555adcd03658049c5b3798d79b3b5bd62ed60e9a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccS.exe
Filesize
193KB

MD5
46192ddb72a548d564c74a066b98f4f3

SHA1
8d5ffe517c2222ad965750586ab23abb974a9d39

SHA256
d9b424dc511398a7571bf039a9a2fd0ade8f7727a6b9ce016171a64b17b676c4

SHA512
ca7911360fe10d503aa323bc0408239d76cb830a497578562060be8b8d2011a0ed312f27b1e40821583822d424ae57a8aa76c7ed81fbb82a8f108834e3018936

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwoW.exe
Filesize
212KB

MD5
1346170483ea447179349cad62078508

SHA1
96bbccf7aeabb831c47e51dc3b1ce19e2b4c0a8b

SHA256
61f91296f491c10b1ef24b5f398b23cabc20fb2bc223242658993b8728b94487

SHA512
93487182d8ab91b1ec09f1b2c0ce702987308c8382a20da68ece92115b66bcd738717a5e187e9b393940f92e8b1c01d5ca450149ed3c1bf6905b7ea87622a1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUkA.exe
Filesize
201KB

MD5
c9a6ee51d50c855dc644fec53ebc584f

SHA1
655d58141f9e05ed17006873cd8499cb81726b51

SHA256
5a40bbb966e676518b7d5db2e301908a9de013dd03a509ad0131ab7732825fdf

SHA512
efb6764291cb42a2a1cd565d683bee7080e799af6e18e27290be36a26dd7524e567cc8b2832052013c83576232e04c5fc7caedeb94a15079a9e306c9bb0a3545

Download Submit
C:\Users\Admin\AppData\Local\Temp\socg.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMIo.exe
Filesize
201KB

MD5
27b625395602f1f9a211ac6c05dfe33e

SHA1
ffdf8337ddbde95e408680d06257b9146a59b045

SHA256
8aad76dbd26947092bef730b611b95c436640ca4b7913dc2b5efe3fb918a219e

SHA512
a8b54600a384e1a4725be4263d590cb31e93e06434a75ae5a9e694d050f93397a4700806abe842bca8b24ef0534466e70d7c16ae13212fe38f4e5784c54cae61

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkoc.exe
Filesize
264KB

MD5
c116780d616ad45146026b7018a72127

SHA1
b7d85cfe6affbbb408773d73e7ca06df0bfd49ca

SHA256
cc48757d45aba56357e703ff5e055647f402b0a436caa0fb2fae220150875832

SHA512
647ab2e63ac939980ca3bcfbd437a0b1cb7b754fc10affbf92f734461cced796615c45c939a4cb0b8c4c681b06677939538282a4083429477d90c5b98c34ffeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksM.exe
Filesize
197KB

MD5
56dc95664e254d594457dab1c7f999a0

SHA1
00679eaded6ed8d17345bba2cd7c11e04db95069

SHA256
197fdf0e22e008861ab9fe3463cd7438007f2dd7c17ebe87cc1808695fe924a8

SHA512
e149875221377493b09c1abd3511a0e2d53c1bfc527f72d04c9e51d779bb9aca1ca123596dbed5f2918316da2256eb758ac10a1c4652bf514e812c062c1cb9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggC.exe
Filesize
206KB

MD5
c38da9cf6741e305a4752a870da25718

SHA1
70c19750f8fc93c40f06b53acd1d80e92d8c120f

SHA256
f6e914101c4a49f7cb50e175c9db415b3eaa8b62c34f38291c80c68ed40a68b4

SHA512
4aaa2d4344d65c7c5b80b49ec6e7b46ce9a15d5757c2e9c56aee879b31030e97a32bcdf4b01b0d06a87f88c158f730cc4ec6e513e8b9f7b9f165a0285e881e77

Download Submit
C:\Users\Admin\Downloads\ReadRepair.gif.exe
Filesize
634KB

MD5
455de56d371d35ba714372e7bed1a997

SHA1
3537df4447e15973ebc39c36392380a637319e12

SHA256
89f79870b5261c570862f51debd73ee7572dba2afa0413d064ab098213b5c10b

SHA512
bc9cfa80bbf160f60692c78ee4db573d76aaba5a30312198a1e1796efb373bf3a0d08feab44f926a9da40269b5e92d586b4d09e24f054c6ec5fbdaa671dd4f72

Download Submit
C:\Users\Admin\Pictures\MoveSet.gif.exe
Filesize
437KB

MD5
15ba822cdce84c1b302168b16df3fd1a

SHA1
f4a40287544ae9c15bf018aab671d2a05320398b

SHA256
82af84690a4c37ba36211673d3ef7158218806baa17c7554a61f266f92e1261e

SHA512
134d3dfaf69b1551919519471defeed88dc311ddaa2b9709f320be79f2c34ef2095c296ba1fa309108268450da12b27f47a99378fd6eb5449ada9fa695cab84d

Download Submit
C:\Users\Admin\Pictures\RegisterLock.png.exe
Filesize
505KB

MD5
743af75c77068fdda55fd03db8e41f0b

SHA1
9bd8762c378d0283b7d33c336475a093cf5222f3

SHA256
17f9833ff6d051f82bb929309fa5d177037da12f3ab5dfbb088bcf4357c84de1

SHA512
75561e1129707b2d5c671814793976b340e5c8dd03f2013b36e7fc5848b436f21a9ce0891ac1ebb141b8a4c8f339f8b7d9452b694c86188a3b12673d190f3b28

Download Submit
C:\Users\Admin\Pictures\SuspendUpdate.jpg.exe
Filesize
594KB

MD5
a6564cb8ace2f0e37e47be75b77cdcc2

SHA1
aa59e89dc25c86982fa5e4a9933702c092e75e71

SHA256
2faadbf250748f8052c83a543996493f0cd577021ba3385d5566e889486a613f

SHA512
ac39d5d7376bcbac10bf06e42f1d81e9615129c3b241a9e9a02587df433f9df59c82f03a68eae148d3ae712b3c7815fa88df28ecc63497c697a9bae62c14b169

Download Submit
C:\Users\Admin\WIoMYwIA\LEUgEYEA.exe
Filesize
201KB

MD5
1ac45c9ac07650089d7b33e7de923645

SHA1
1aa5e39b1a95b4d6d0b7b29a6eea78626e2dfc15

SHA256
0734634fb342dd66b78f43142af307ef57b8a882bcef6db67e945d4ccb4a95a0

SHA512
98a1c999b8f00617c2e1ec63e4f21c9377584b34bfc24c82f4a5d109ca0d6888706a0ae33df450a760f4af5226e69ad5138f5eb7ad0222ca94c2e0697c44ed77

Download Submit
C:\Users\Admin\WIoMYwIA\LEUgEYEA.inf
Filesize
4B

MD5
3f11379021780136094f8126dd579c5c

SHA1
600d02f367c2d8c6037155c6d1699a80c50c1918

SHA256
dd9e65d9c19e0f2e589bac3d1431acb5ee1d3b83247befe47075a9e8f853be47

SHA512
aa9e80f882c3bc750d6c5be06fea90c1d5124ac60a5e0383a9331c127a824c927c0a6a871efbd0e3b2d7746280e870a17f654db9873597a7e9db3e8bb40d7101

Download Submit
C:\Users\Admin\WIoMYwIA\LEUgEYEA.inf
Filesize
4B

MD5
a8ab1e8ac9867e41336deaeffbcc8e68

SHA1
b866da2b067c4988039f146b2b9dd7424aa18812

SHA256
dfe3c21ed165bdfdbbc39469ac3a4b6598c58f7a376ab532b0164f27a2af7543

SHA512
c3fe3e75f401b0707a28048da5d2afc904b7f657269e7515779317e4a0a65ced5a7635f4c953810d8c6de640d9da9453821047af57143545f49b09812c4d85c8

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
5.9MB

MD5
70366872dff60bfd10afd83a9fb33dfa

SHA1
08a3b81020dd10e531ee32966e8b591954ea583c

SHA256
7600ae4b89ac85303a8b81731369b52856e327b594e7f99d62def714dd87e2b0

SHA512
48fce7517565bce5684fda6c00b193ff6a394a58fb4b01273811a182837f27536e371566677a1a232c8c9ab4a0996406a17b541a93d1916c490c4d0b0a0c74dd

Download Submit
memory/392-211-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/392-222-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/392-298-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/392-290-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/540-428-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/540-417-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/540-289-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/540-278-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/840-156-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1068-351-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1068-364-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1572-308-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1812-475-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1812-24-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1812-33-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1980-326-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2016-317-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2016-305-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2036-355-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2036-346-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2124-335-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2124-325-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2128-197-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2240-420-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2432-466-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2432-457-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2436-398-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2436-411-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2516-59-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2516-71-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2560-456-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2692-34-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2692-45-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2752-99-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2752-108-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2768-161-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2768-172-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2772-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-2141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-182-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2816-168-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3048-434-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3048-447-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3084-67-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3084-82-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3144-58-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3212-281-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3212-95-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3212-83-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3260-236-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3260-251-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3376-345-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3376-369-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3376-332-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3376-382-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3572-239-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3572-225-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3668-391-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3708-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3708-2146-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3748-134-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3748-120-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4068-109-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4068-121-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4136-440-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4136-429-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4180-19-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4180-0-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4204-210-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4204-201-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4224-261-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4224-272-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4272-373-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4272-393-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4272-401-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4272-360-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4496-476-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4496-484-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4656-262-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4656-248-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/5084-135-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/5084-146-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download