da0a38dcf456ef59cbe80d302caf783aeb4e637ae4b9c71996d749e62927246c

Analysis

max time kernel
152s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
Size

185KB
MD5

4e8bc681c6d1b3ea2c1196ef8840dd1a
SHA1

46cb5b8e1c28da417cfbb47cf6453891155e91da
SHA256

da0a38dcf456ef59cbe80d302caf783aeb4e637ae4b9c71996d749e62927246c
SHA512

861a936cd1738b5b2e3af88bd53a60618653d8b263bf30e2dfccafc4bec72cccbe91938ff1958992c70b0a42a020e8d06f7bed6df5837430403ad1be4e4944d7
SSDEEP

3072:LPD6zEMcVkaVwuNglk6QKdoRm1UcdJTVLezsUKJZHIrHWpAg/TA2VNW2Y:L76zE5uK8n3Uz+JZH42pA4TA

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 32 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 32 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iIgAMMsQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	iIgAMMsQ.exe

Executes dropped EXE 2 IoCs

Processes:

iIgAMMsQ.exeeSAIIgIA.exe

pid process

2076 iIgAMMsQ.exe
4196 eSAIIgIA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exeiIgAMMsQ.exeeSAIIgIA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iIgAMMsQ.exe = "C:\\Users\\Admin\\piYAEQEA\\iIgAMMsQ.exe"	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eSAIIgIA.exe = "C:\\ProgramData\\YKooQMcY\\eSAIIgIA.exe"	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iIgAMMsQ.exe = "C:\\Users\\Admin\\piYAEQEA\\iIgAMMsQ.exe"	iIgAMMsQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eSAIIgIA.exe = "C:\\ProgramData\\YKooQMcY\\eSAIIgIA.exe"	eSAIIgIA.exe

Drops file in System32 directory 2 IoCs

Processes:

iIgAMMsQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	iIgAMMsQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	iIgAMMsQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
5000	reg.exe
4392	reg.exe
4032	reg.exe
2300	reg.exe
4392	reg.exe
3516	reg.exe
4704	reg.exe
736	reg.exe
4572	reg.exe
5064	reg.exe
3516	reg.exe
3404	reg.exe
2352	reg.exe
3380	reg.exe
4844	reg.exe
3696	reg.exe
3500	reg.exe
4344	reg.exe
1712	reg.exe
4132	reg.exe
2332	reg.exe
4640	reg.exe
3808	reg.exe
4476	reg.exe
2176	reg.exe
4692	reg.exe
2368	reg.exe
2352	reg.exe
2768	reg.exe
3484	reg.exe
1384	reg.exe
968	reg.exe
2444	reg.exe
396	reg.exe
3548	reg.exe
736	reg.exe
3800	reg.exe
3864	reg.exe
3616	reg.exe
1804	reg.exe
2184	reg.exe
5008	reg.exe
4352	reg.exe
1376	reg.exe
4480	reg.exe
2348	reg.exe
2248	reg.exe
1776	reg.exe
4576	reg.exe
4292	reg.exe
2056	reg.exe
4100	reg.exe
3872	reg.exe
5000	reg.exe
2688	reg.exe
3160	reg.exe
2452	reg.exe
3812	reg.exe
4552	reg.exe
4800	reg.exe
5060	reg.exe
4748	reg.exe
4864	reg.exe
1384	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe

pid	process
1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2892	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2892	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2892	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2892	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4320	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4320	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4320	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4320	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4220	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4220	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4220	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4220	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3404	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3404	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3404	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3404	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4312	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4312	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4312	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4312	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1624	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1624	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1624	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1624	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4068	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4068	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4068	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
4068	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1272	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1272	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1272	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1272	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3148	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3148	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3148	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
3148	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1200	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1200	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1200	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1200	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2688	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2688	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2688	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2688	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1668	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1668	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1668	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
1668	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2140	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2140	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2140	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
2140	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iIgAMMsQ.exe

pid process

2076 iIgAMMsQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iIgAMMsQ.exe

pid	process
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe
2076	iIgAMMsQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.execmd.execmd.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.execmd.exe2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.execmd.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 2076	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	iIgAMMsQ.exe
PID 1108 wrote to memory of 2076	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	iIgAMMsQ.exe
PID 1108 wrote to memory of 2076	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	iIgAMMsQ.exe
PID 1108 wrote to memory of 4196	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	eSAIIgIA.exe
PID 1108 wrote to memory of 4196	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	eSAIIgIA.exe
PID 1108 wrote to memory of 4196	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	eSAIIgIA.exe
PID 1108 wrote to memory of 4220	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1108 wrote to memory of 4220	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1108 wrote to memory of 4220	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1108 wrote to memory of 1376	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 1376	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 1376	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 5000	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 5000	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 5000	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 5060	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 5060	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 5060	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1108 wrote to memory of 4148	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1108 wrote to memory of 4148	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1108 wrote to memory of 4148	1108	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 4220 wrote to memory of 3276	4220	cmd.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 4220 wrote to memory of 3276	4220	cmd.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 4220 wrote to memory of 3276	4220	cmd.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 4148 wrote to memory of 4100	4148	cmd.exe	cscript.exe
PID 4148 wrote to memory of 4100	4148	cmd.exe	cscript.exe
PID 4148 wrote to memory of 4100	4148	cmd.exe	cscript.exe
PID 3276 wrote to memory of 2056	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 3276 wrote to memory of 2056	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 3276 wrote to memory of 2056	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 3276 wrote to memory of 4344	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 4344	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 4344	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 2248	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 2248	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 2248	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 1776	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 1776	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 1776	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 3276 wrote to memory of 1504	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 3276 wrote to memory of 1504	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 3276 wrote to memory of 1504	3276	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 2056 wrote to memory of 1684	2056	cmd.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 2056 wrote to memory of 1684	2056	cmd.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 2056 wrote to memory of 1684	2056	cmd.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 1684 wrote to memory of 3044	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1684 wrote to memory of 3044	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1684 wrote to memory of 3044	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1504 wrote to memory of 4352	1504	cmd.exe	cscript.exe
PID 1504 wrote to memory of 4352	1504	cmd.exe	cscript.exe
PID 1504 wrote to memory of 4352	1504	cmd.exe	cscript.exe
PID 1684 wrote to memory of 3800	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1684 wrote to memory of 3800	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1684 wrote to memory of 3800	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1684 wrote to memory of 3516	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1684 wrote to memory of 3516	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1684 wrote to memory of 3516	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	reg.exe
PID 1684 wrote to memory of 3404	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 1684 wrote to memory of 3404	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 1684 wrote to memory of 3404	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
PID 1684 wrote to memory of 2508	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1684 wrote to memory of 2508	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 1684 wrote to memory of 2508	1684	2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe	cmd.exe
PID 3044 wrote to memory of 2892	3044	cmd.exe	Conhost.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\piYAEQEA\iIgAMMsQ.exe
"C:\Users\Admin\piYAEQEA\iIgAMMsQ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2076

C:\ProgramData\YKooQMcY\eSAIIgIA.exe
"C:\ProgramData\YKooQMcY\eSAIIgIA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
8⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
10⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
12⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
14⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
16⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
18⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
20⤵
PID:1104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
22⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
24⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
26⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
28⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
30⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
32⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
33⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
34⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
35⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
36⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
37⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
38⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
39⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
40⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
41⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
42⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
43⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
44⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
45⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
46⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
47⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
48⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
49⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
50⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
51⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
52⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
53⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
54⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
55⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
56⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
57⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
58⤵
PID:4176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
59⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
60⤵
PID:3276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
61⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
62⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
63⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock"
64⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aawwEoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
64⤵
PID:1128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAsckAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
62⤵
PID:3832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYIMkQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
60⤵
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQkUQswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
58⤵
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICsEsIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
56⤵
PID:1016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGkQUwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
54⤵
PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AggAgUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
52⤵
PID:4828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGgsIAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
50⤵
PID:896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:2348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
- Modifies registry key
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOEkkgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
48⤵
PID:3132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOIoMokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
46⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AogYsgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
44⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:1384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VowUokYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
42⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYkUsQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
40⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEcwYAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
38⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lygMQEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
36⤵
PID:660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUQEgQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
34⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
- Modifies registry key
PID:2368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqEQsgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
32⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUMUEswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
30⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQUosYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
28⤵
PID:3088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsUsYUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
26⤵
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmgYIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
24⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGQYsIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
22⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyUQsQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
20⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakgUsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
18⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyAcgooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
16⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:5064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOAQMEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
14⤵
PID:3812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaUEsUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
12⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\magssAQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
10⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkEIAYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
8⤵
PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYEkkMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
6⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikAAIogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkEowosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Filesize
638KB

MD5
af6ab13b22ced496dd86c41aefa7676a

SHA1
c64af026bc6724f2d0d547c8779c92a199d12c94

SHA256
ada3aabf7dc8f8f7321a81fbae8fff1ff6ff8458562cae63f759af656cd4bc21

SHA512
77e6282c439769e5d69d1f4ff15cd8f60d1d7c7faa90588289101d8f2e78d3f6657cf7bf8155266076ef596f840f34d9f155c205f27cadf9bc59d0c73d3ca844

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
320KB

MD5
c9fe9f09f8a31c3e597832dff8144653

SHA1
ecfbb11c0e740fc9d20843f1f89d2f404eaf9edd

SHA256
c02d4063f755e208e70c8d4e921564223cd001916690b39d2778c44e9d1f7193

SHA512
73137a1058a078240216d245359f51f6323a4bfb479094e86e377a1956aa4819253ae63ee685c6144c0b6bf5ccea1307575f7face10be725f05918a8e14f8a0e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
245KB

MD5
1a52152f26c4aa99ae54496c1b6b365e

SHA1
7b3fab2bf8e1502bc3844a429a9fed507ba5e978

SHA256
843a9e76ba654d9259b0874183fa2f8f30a918aacbbf7e857dea138d1739ad7e

SHA512
12a699db0b860aa396a44ef8f181e820616a30675cefcff8ca1fb53fa4c64f3778ffb69114b1fcfcef59c8fef52ba99bb69046be74b09996c75335b7410dd74a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
228KB

MD5
ef4c197c66416150f76661dff2bd1856

SHA1
aff833a8a0f21fc90fc117ab2fa9ffd76326cf5d

SHA256
6ee2ed76d31c03b21a82c4100074850b7847251aa2c4a7f0e3a3a60a64932d94

SHA512
b5e126a94d4c9cf01b1192fc926f786a6e9c82994161481c5db29d8be787b1884198ba0e3cfc9784e14392b793874879bca3d944523838f01717efbdff51be92

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
227KB

MD5
2a17d6c86a607c0d14ad083955e9a653

SHA1
0c87615d1a09f9ab49790942d5444dc13f16b29a

SHA256
7cc9199b072bf49b8e45b075ee24882d98ad53e3a4c89f83a4321b89736f64c6

SHA512
6fb32c7f640a1e0e059e72ed519accf08ee15f9ea77018f012f4e18ea4ad79a8681ad15821b07579c4880067effcb530fa77af5a29e2981bb4c1f4fb81e2d3ac

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
233KB

MD5
56c329b78ca9fa3c6496ad3e5d666ad8

SHA1
bb112f807e0b13a3975af0bdf91523c57185a461

SHA256
0389b16de4eed68de8e8af5ce19ee11defc79b8d4b87d1955c1badb8aad14be7

SHA512
b3c4e4e80d2aa1d3a3d837b04c74080ffe16a727bfe608714da720704e209a27f9a1fbce1e9b370fc05a5f21cc4994c69867d249c19eb72be7d818d2e674bb65

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
320KB

MD5
8b6438a40e96457961fa4c01edd836e9

SHA1
cb45eb0502d05269d7609be6bdad10168abedcad

SHA256
40cf5a194fc43f7771843069d48a89580d47c6759847203e767e1ef10714d0b7

SHA512
0f3c8c607bdd358fe302f9514d7a0cb496120225dc0044997be7d741c977c3d00fb234cb7415f3b3d57533946384fea071a0ade0f473187cf9b4660f7d3b6caf

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
223KB

MD5
f249f6f357585bdc8fbedf8d32767b1e

SHA1
a27d310e15b4b35b9d0fb3e21113602fe354d218

SHA256
26c922832421af1dac6dd2fc6f33fa788941a251e5885f5dbf30ea5bd64851b2

SHA512
da321a4a8e825e604aea4b9871bcfbb2e9371a56d8e80efbc5550d08189fe233b7a576fb765eb7b3352f1f49af343458f27d23596876afbc4bd4ad6a50032cae

Download Submit
C:\ProgramData\YKooQMcY\eSAIIgIA.exe
Filesize
190KB

MD5
81ddf9f000c0ed2073fd9d1dbed30f12

SHA1
51fa6b6ec1f2ec66277a13453c5399599546b968

SHA256
440be958062eea045ee58733974a4b934eb777a9deb04d33bd205aa1ddfe0084

SHA512
bbb7a0449d86933a1255cc741123d0d65648b331c35d8edf297935209d00e9f4df6a772a63ea49b3a959a1874b16d81d4f1a207547fe7d8110099bb47ab5cc73

Download Submit
C:\ProgramData\YKooQMcY\eSAIIgIA.inf
Filesize
4B

MD5
0d245fd3f5311091e4ec1d883d0c0e41

SHA1
798fd27f8a5b041aaee45e8a6c206fee00ffc927

SHA256
5f56adaad61b66faeed67d387a44fb4a4b36c6f8cb8b9b5be96cfd7612a0961a

SHA512
63fd34ab0ab1e4fe1f2a3404a6437c4afeac75bf10f846ed547ff5f199bfd1c6dae6ce2b32536bf0ae4113e9956fc7d4e7841236f767e7625cb129fbcf7e6802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe
Filesize
207KB

MD5
7d8ebb42e410d2381910b34f35104f39

SHA1
30b4e5f389baf431af6b9a447961e5b801961718

SHA256
607b808a1914567026a68494e7a6c959b3ea43c83640c8ee78e95dee877bdec8

SHA512
d9627201a8b217683ec86d233b17206a3147cef660b544d3f4a3476d1bc0bf5627e29f475d8de59bca371889e3cd9dca3592f61abd38d0d4a183f8fe78238b19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
191KB

MD5
a175d80d33fdc2f04e896d3e3cfdeed5

SHA1
2fb4db4710f7fa62860c8e24f9000b7a8b5a0d7b

SHA256
9f4c332679a4792a8329ea37902fcd58c2d2cdc575c3a4228c6ea51a0432020f

SHA512
d397e87e4b3aba2221e5b1c869f9135c9ad0f2a766b52d9c5a9f05b93eb0f64f869a732269a99b5191e028d423d13af2b53467ec8ec0f0d75b95401655e72be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
204KB

MD5
92d287adabdf714ebce45955327eb92e

SHA1
2ab4cc9f8a8da850281e503373d6f5c9e550ef35

SHA256
7b03ecb8a104510ffe00d1ac031682adbc79edc250cc2d12f193c132633b1a0d

SHA512
47ba64f8767fe1809d0a46d092263f2a27be9f47c3444c59b8c2af13bcafce3653a8eccc55420e2e76a1899ef25098b4d7b36bfd032a91820bd23b95d09c8491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
188KB

MD5
242c358afd3bda1c06f3adfc8d3440b9

SHA1
0e071e44d35edaef005d5c93cda7b65c55cb9963

SHA256
51e10ae725183b97e5c96e921222807e8198eb335135c2ede536d65924cd542a

SHA512
c0cd1126186ccffc9b7d43e04233ee6ca4b608eecec119b4d5591a6e4c6996533266ade66c2d463099a9e7351063c28a9217ae1b4daeccde242b7c60072cc792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize
203KB

MD5
34f69d7e8875228d2c26f50eb7c2d931

SHA1
c9b28217e1eb867945712126f33d773ad6512045

SHA256
586af025eb1a2b5b3fc24ffb5d2d59e00d74661d99a2c561569e583384710193

SHA512
e952b89ac39a029c887dc8692c7d3943e319b3e86b3aae886a6b5093571669be397043b3cdbbabdb2125eedd1749b8c4396e31dbc066cb6a3e0c501871ab43fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
197KB

MD5
b34175abe5395798579f5bea24ee96a5

SHA1
25b5baa388566e685b97b51040a7a6245f7fb142

SHA256
db5a18c5c0ecf9ab8a3a48dfb2bb46280c76dffd7068ff935c5e4480deac94f1

SHA512
2f98a7177d89a52dc41aaf2b10930da73f48aeb5734fa3cf4eecfc592fb161ec3cf752773d9c3fee12b5c638814c8e75fc988eab2de0bca7fe96d32cee80ff09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe
Filesize
199KB

MD5
a475dd6aed68845d1c1a682eefde341a

SHA1
a7c09e5e0b03678fdb73b187f35827e570d8cc0e

SHA256
144a80a083f8c4c184d93ac0fdee964af601e981210030293c30fcf90047e16e

SHA512
a1c9a79152deabb7bcfe83dc41fd9a3960ee65bd9b3bdbd53e9ca40501adad3e023d21082948e5c5f9fe7a693c59e8db1543093861649fef2e19d3b209e09338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
199KB

MD5
348b9b785a7fdace58384372dcb6cf1d

SHA1
6ca335c56e0ee2b5a51125c889f3a58e1bb97b34

SHA256
b4677f1974bfda2b7d668c9142c19d640e036b63bf2ccae8c3fabaa6fbaaa08b

SHA512
353928e1b4447071b45fd82d97638d5d5c439fae0a8f172d4422d49fd658894ad9bdd692e0252173b373cb61c1a442c722c0633b6d673e39d0e2b1ef45136e4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
192KB

MD5
7629d132b50bc410be1c7b4da9d512bc

SHA1
3a99c57a401f7236ccb3956eb5043e7709e6db78

SHA256
3668e79c2b633d2dafe7b9b9d2c0711386be2a113ecb0dd2d7288a48f56a75a5

SHA512
02bd573ddfcee44a197ce464e5f1d744f6dbac7eb4a78af33a9a03560036d8df939a984a4aa57f05aa7a68c5a5116102f89a81db3267ea80dc91f92f1d1746b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
200KB

MD5
5ca4d97fb3764cc1137cf2aab42b1fba

SHA1
ccb4997bd273e02e58afe12131b82f76d669054a

SHA256
b72844cfd741c7a3d04b6c27766ff3897ad8d8b2d7db463fec77d057a629625a

SHA512
695816f826bbbaad644b743bd1875e2acfe8c32b02fc0b157fdc57e68fb29fae62707457975ac26ea533737262f9c81ed0155aea0e4a090d00c41ec0d5fc46b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
Filesize
196KB

MD5
dbd680d32d7cc82c80ad1964fe8c1364

SHA1
f3e312a6922855cc40f1b929659d5d45acb94d46

SHA256
209cda3da23823b5672d6ad90a474f58de8cac4d2b022433450be73bf052d17a

SHA512
d86b4b7c03a19e7ee6fd802a3016926dfa2f849784179da91a47b7a97bf55b3f97f92b9ddb6f0406e83f26e14855c8c3584c28489aaa42c0e78d512e45f52090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
Filesize
202KB

MD5
29db700de4c4eb4cd046831dbc8754a3

SHA1
de9ad87b972a974c7eb5ea97d0b3c985e1396a68

SHA256
ac8a78686ed0c037671bd1c5d80d412a3a735d9dac5a01ba145af3f43fa1d5c6

SHA512
ad20a1b7086e431584947f43e7fb65887ac955f402ff24cd7e0e99143368e6954747b38b5d603441902d08c1cfed63dbb43861d4ea87b8f741e9c88a143ec79e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
199KB

MD5
ac9a3af270273113f046b2fe48c4bb6a

SHA1
6f35375cb45071aadcab64930b5f524e1a30275a

SHA256
aa3cbd25d53781b8a07a582d996745a75dc995aaf4bd0b10fff2c713a76eebd9

SHA512
d881f88943bedec89938bfc354bf86d887bd74ebec9428db5919e36c60ed1a3834a0bdd0e1e4060c61da4ea5245cbce0891e1d5a0c8116a9987753c491758855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
201KB

MD5
41c2ab47070f9fe42b944bcadc29ccaf

SHA1
2c4856fe1c7fbacacb31ec41f85013e707f23fb4

SHA256
4e2ba47dc6d099a707c6bd1acc3bb914c58cc15aa12027b1901795ac627b64e9

SHA512
9405f5a21371c458e50c7dfbdcce2f4f936ace67f7d7d14128e3fc70881526f70995cb6fc553d400377c7164a6874ce5e6dc1ab202f0abd259fa9cedefb02b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
204KB

MD5
aff39a992cdfa0551735d9a0399222fd

SHA1
777316915b51c2e8503ec4c5a03a4aa51d4afa8d

SHA256
6adade88d20688bbdf168e4a0d2268df227f37542f3d4ae0e8bbcff9edd62eb0

SHA512
3596ae7e18736b4b3a7b32d18a13330e5a7eecfcb287394404e01c10ba9ae4c5bdfc1baa4f1b4dce32f6adca0118e8bc5c3ebafaab0bfe2e73dd6eb529dbcaa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
Filesize
184KB

MD5
68076cbaaea71ca9eaf532a9a7017fd1

SHA1
b35afcc2e354907a0917a7110e61800c21a89aa3

SHA256
4aedb42a5f07774127504842d207b1658e75697e1a40eb89b8ea310bc6d3b736

SHA512
ad1854860e4d8f09d1fe98665fa365b9fa7337c44cbe3a7cd96f16f6829cddb6e547a5044c5abcc7caccb011eae40e923c2a018dbd009e941918e6aeb03e5ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\128.png.exe
Filesize
188KB

MD5
f9b366ae23fe999a92689a08770e84d7

SHA1
3dd4ae21281cfed95cb6eb78a09ec8bdf8515445

SHA256
95e3a0a508e7234379c41754eb4436edf5f5300011daf4a6a07c02c5eebf5475

SHA512
dd86ba10c8ea6e61a0dd3432e8bdadbe03f0c5a217bb86e20942562dbf9654188b586765d5cce022130ee2a18e6388dd55ebb817265cf22e9a212eb922ec7519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
195KB

MD5
5174e4236036d95c5e2c65444d35dede

SHA1
bfee7ce616237634681a0a58052c83dd22c7ea8c

SHA256
2a4957fa73d871da77d4df8d44dda8877c63691f7ed51f1ca6d226e54241b757

SHA512
1742c5310ff387eb2da5a6b071d044a4bd530439ca42f062bee704df0498a89d827d70cf98f8374081c998f5074a0119702a982c58b04f6ed104d4291b79433c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
Filesize
210KB

MD5
8d7217836eaf5c49fce8b6cb8a2304d6

SHA1
2c82ddb65cbce451e0c95dd455e42a861646fc1d

SHA256
28841dd2e25ca853e226d3acd762015170abae7d8f709dd9294ef8e7346e5183

SHA512
66d8c6352c3e4c8e766ea58c973c86482dcb6985f88cf48abf64be75ee5c9b2ed906f1cc8e072c1f68e384fb61c2a6574238d921d57848c1bb8f9c9bd4dfef19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
196KB

MD5
ee0a39ea353fe62c41a5e8d0910dcf71

SHA1
de31c4e2deff4242ab4f75345a0ce0d459817ef1

SHA256
5e67c7ac7ac69d20d65b6d0f569210d090b8cb9f25199c6f9ec4e56baa1f17b8

SHA512
62e5b8fb06bae3a0a63aebab70cd0fca0db3b25ad418e2a6b15dd327a49c1bf00b8afcbbbad1558ee4b8ebba7c812ffdfef8a0684da7dddd62657b951e32c129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
568KB

MD5
f99ebc43a9bb779df97d5b39187af235

SHA1
f75f325dadf7c65c886520109486e3cccca4891b

SHA256
2da60342f8268b7b62429ab932ca6848dbbdbe5d9a89fee237bda9f30b372f90

SHA512
a04c6c0eefe215016d77f20002c0e2ce0c61c88affd7b8b169928bdca97792526bdb135ac85c19099852da6185047fd523cd7f24008ebba18bf77291c6eeb6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
Filesize
201KB

MD5
b899e43537fabed671e6121e415a6d68

SHA1
eb2b0f6ad450504f83cd006b110e1622338ab779

SHA256
8241f04e565c0dff9277c36cd3e56fee5dd880eb29f91702cb83de4fc408ce70

SHA512
9c728331856314d2389b4d0f4a5ee25f1b90b4a074ab067611679f18526a59052f03fc2de12d323b1b3f91fc8f76e48c5a59071bcbf2e587b1e45ca6da85aa72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
Filesize
186KB

MD5
1e69436e4e92e495fa78aa95358e4187

SHA1
210edab80663dd9156ede587f4362112665bc11d

SHA256
d21635915826edabc350ba787d0dd5cbf8405289d3cc31c1d0348633a15a888a

SHA512
ae7360f50010c1f224ed156e9371bee0802612b54d789f8249e17259722795a98a56890531bbe92ff513c587e9b8c4c7faa57c578f92ca73cc72afaa7dd6946d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
Filesize
200KB

MD5
649d253f55d681acae43a4304cb5e7ea

SHA1
cfa5e20a373a4668ae0f9372bec4f672e037bb5b

SHA256
74f708b81971e6a7fb17bd6fed80d960907cb117f4c32744c9555591aa539036

SHA512
a565fb254bfbd5b3c6248b68a37ac0200c8c2c7f5f49686e4af82a5c8ed06fca41c59e61315e11bc9fcd3edfc7050c93aa26dcbc13f462e68650f08f991deb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
204KB

MD5
3a61c7d34ded884305d4eb80d4e82242

SHA1
1ae22a2dd369c43a532c0784dc0b3c3564c5992a

SHA256
581dd82cdd76bcc92ff897d224494ee2e0ebe388e1b79eb7da51ca7a6cded9cd

SHA512
1665afc19ff297143eafe5197e0832d0b26d16ed482f11f95932df4ab1a98dd07670e8ec6ca37a9c6c8ca5a9f598bd2df736813ac12b37a3c9cc174860dac7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe
Filesize
197KB

MD5
dff7432f9f66e6a4e0f976b67aa8f162

SHA1
d4d5786152b82554b0803bd9ecaad99d205513c3

SHA256
bb86e20e7cc2c7b08debf5fe9ce47ef47cb606a4ada22d568236d9dcb5da7f5f

SHA512
82646893db39be8ad00883a1edd192cfd5d7b3502f1c6a780fb1af50ae2cda67e0bfb26256f784640bb45be7e493e04ffe115cf4c1cdf2f2c3c97a6f8e9e6664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
Filesize
188KB

MD5
e1a4469b8656b901b6b145f5c4418d6e

SHA1
6bd4c7c36cdcea324634b2a93077af73e2ffc158

SHA256
1aaaadbe157e17f6a4324456b541697f5bd4ff53f93818f64b732217e22dd6e2

SHA512
059d9befcb9c22c7ddb2870837bb1c2451b55168eaebeb6e8432360dd3970cc10dcfe720a1feb122b8326c5686de69fbd0ca4fdbcafb8a5a719a7926fe66f873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
212KB

MD5
1d54e38e8ee20a133bb963cde1bdac69

SHA1
8e3a042d902e41ab7b6781b10c1b9c36396d6ad4

SHA256
9aba6273f815432236c92661bc25e620e6573bb88256553761481890cf5eab95

SHA512
44c7f46ebc00838a5b8e9cfa9de1987d09571f116dd6f35ca55401c92b874c479e4f3a1d7c640c4547d7be8934a84643f6535d8875593377445f71a1739d59f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
Filesize
186KB

MD5
b537cc3ffebaafe9908e3d382f751fa5

SHA1
29234eae616812908ce20694371dc2553f9a01a1

SHA256
a530a5b80d7e0befc1c83b4d7cb89ec6e9b0e3c366e0b62216ce32249c9f88e4

SHA512
0f80d025e585bb35372092a82e7a543f6535d44cde95430bb7b4ba53c39f43d71fe3ad8639e82289da314f34488a855df4dd47d83a148922509f1607d9b0d1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe
Filesize
192KB

MD5
106814eb7d3bb81dcdd0d3af672ec405

SHA1
9357391cc3eb8a6ac7b1e5b02bb2ba4b5ce88c34

SHA256
20c785b0657843701df0851633c1f880941c0f4c767468325956c107a877a820

SHA512
cfbe5255bc6bd50946946adeca96e75fccf545e4aa2a226a2b8d2f8a07b7c92df4a6809f2f79c3f4dad6452aa661442b581570084ccb068f41c62cb4d4cbbfad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
199KB

MD5
1d7174d5bd02cdabc7b47abc6edb4755

SHA1
ad0a6d4cdc8b91de3ed0237616a44ebfb026f133

SHA256
1de06b0bb95c58617d6e40b3ccb8e94bb22ac61478c38e328d50d2e47e82bd1e

SHA512
bfec54a63bcc09cb1134e83f3607042d401981dd94fabb7146482a499effd8ece4c826b80e879a9d8f0858b9f28a9b6769af23b82a17129ef03e5e241ea888f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
Filesize
204KB

MD5
a5939e289c912d1c5a8dfbb7d0978ebf

SHA1
342f2a94dd15046076ae42e4c415f8fef39b46da

SHA256
90d9aa550aa8a6e710f090cde5c0b5fc01b0214c2e1caf30bacbedac66cc76d6

SHA512
730e64951980ca48f554cf666724e14b4ce8c03ee6a44fc00d91dce7898fae424c5b79c9883ddb334d2217da2898980bf72e703a6bd880ba1572764a25472132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
181KB

MD5
17d20cef9cc090fc9afa0d20e7c4f4d5

SHA1
e8d128e8f210b49e6a15da2782e00de3c2974528

SHA256
d2c3922c5b40971de199cf3c3be29d0689390abf898d4260e2251da6514d92ce

SHA512
ecafe5b398f23d91bd133d75f719f7b3624e4c1d0da7b505055636d7b77d404c5a4744e2fc9886cfa867cf07f6ed83d8a57963206e910ee3a47c7ce0dccaa602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize
206KB

MD5
0fa1e8d68243b4ad2a52f71525ec15fc

SHA1
cefc164ccd13e79d6ad475dc86efc54ae4a5957a

SHA256
0d21cc96e994956fb87d97790d5ac0ef71a6e862b6bd5c4b1ed4c161759f6123

SHA512
73725436e6d69d8ba05bfaae7842e46b9ba510e4d82e15c6ce2249ae3afdf09b07a07237fa4d1258f4ca0a6e4acfa31fcd93dec131c714d28b7b9d7d72570385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
1.8MB

MD5
98c8fca9d945821d8feba5728c552806

SHA1
682f40a74f9ea9c891d44cf0e300ff853020e8b5

SHA256
ef24806433cf999f663e0d02afe6ebaa7fe6e599e4b8e1bc088c6ae0efdc683d

SHA512
11bda92bd02576d1a8c5596d3988caac14f5fb1a527658efe4471585c41f1b82bbc298e842cbfb1bcb62851bca5c094d703fcc079e6e204e28f8c4ddc065502c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
Filesize
184KB

MD5
3b775f432b5010864fee196f1e94d171

SHA1
6935989fc11cfc7561e73045f8e117aef3671de1

SHA256
3e9522a8f7bc17f291a13f8129e33b8b6eef46d36442afd8943b8b9a68ba25b3

SHA512
b0326ce077a15f73bbc6312e0d639104cfce2ce4bdeb14bbbaedb814f364fbcf9132c3b6881547b0e630515c1f287b4e16cca2d2dc3551ea89e3f8d2a3a24745

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
Filesize
194KB

MD5
1843eb772067eca06765bbdde8dd5271

SHA1
0f07ed5fcf281369cdb571c97312e1ffb82bd846

SHA256
83d16d67d61abb38ce097d5ac57af1f3a691c19ca2fe9ec46bb9887593173a69

SHA512
2161aee693293082af773ca66a3a6bd3f6149bdef1f6824cb2a1e8f9390a3af6898d1569bab1b5c39cb17bb9e8e4d1a54fd4efe6b6e1ba31081e4995bbaab690

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4e8bc681c6d1b3ea2c1196ef8840dd1a_virlock
Filesize
2KB

MD5
da5fb10f4215e9a1f4b162257972f9f3

SHA1
8db7fb453b79b8f2b4e67ac30a4ba5b5bddebd3b

SHA256
62866e95501c436b329a15432355743c6efd64a37cfb65bcece465ab63ecf240

SHA512
990cf306f04a536e4f92257a07da2d120877c00573bd0f7b17466d74e797d827f6c127e2beaadb734a529254595918c3a5f54fdbd859bc325a162c8cd8f6f5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAwU.exe
Filesize
205KB

MD5
69b7c20304a4dcf82b76a4af4b0727fa

SHA1
32f5f3b0f55cd4ba0d69bb41640ab2d0dbe732d8

SHA256
e640e71e3d7589ac31204e10d82cdfb850f9daf5d833e16912cf1fcea4176c0c

SHA512
f64c8f5f8a0b35c13e80b8a6da0a4c4ead7babcffcd7f2ccd36d182c1d04d666b8a91968708102f516216b1406cba35f4f77ef0834bab4c62a3751b83b5f8789

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcwc.exe
Filesize
194KB

MD5
b7e53e61dd21e51c71ff351f1c289637

SHA1
459efa34353dd253db5d21b63700d2ea1e08dc1b

SHA256
d2390193a6dc4ad07a52646cd72a79ee025fd5dc7c19cd1706b0f32adc3e4e48

SHA512
cb6cf6133b3122263e54e9daee1de0977762121eea412add29e7948cd427796ffd20bfa1ab514921e52284ed232274660e1335bf8f5c0f4494cf0f79d6854557

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkEowosk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEkG.exe
Filesize
653KB

MD5
6d993f493227234e23a8c78d3bf5db30

SHA1
082cebf38987735439cd1779f6974ac955bb084f

SHA256
d3ca62e69bbb72d9a9b00468ccfee790405a1dea3687195e446000305d6e90a0

SHA512
c076034da3bb2ba6843101850d0ef1d5bb99aa9fbbc2f35a1b461ffe97da8c4a09f8b3e88384ed8a90942f0f283888350d006c653b33bd6f203b5f3e0d77f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQc.exe
Filesize
5.9MB

MD5
0f66fddc3cb531cdebe19f91605bb853

SHA1
52a3e1f16ddcd36bfe50de60f238b59faa1b1ba8

SHA256
c3b98e1c165cd926affc0c643d1f30a2a4e45808d4014fc3bad98722090097c3

SHA512
67584615815f8f8c38adc33e3b7cbdde25e6ceac0359926bfdae0fddb23c64f5fa33abb03d39f54dba314bf10ff399e29dd54c976ec7e1ad37cf91266e6ebe1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsUg.exe
Filesize
784KB

MD5
0f482bd1049ffee2901509e9898dcb6b

SHA1
82cdb776b4337b3e33b858d4e5feb02ce1ea766b

SHA256
c64e6708d099f94b496a1af8b4a9bb3fa98dc84543de69babd1931e2866ab295

SHA512
6f70ae6c0391b1be05acf9e11d5d68b48e53292344764bdfcb9c2775c8461b18830ce23557bfe114a3f8553988777977b744e2d8a581f21eba4d4c1435f51dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYsu.exe
Filesize
200KB

MD5
813d7aaf4c83924959fb85a1cb940fff

SHA1
bcc923424d3d6b3a6bf7c743c4aa0d863708dd95

SHA256
8db1051a746c1638f7a342d254e7ff8334781ed3b67e1abb6219e9516fbac07f

SHA512
17691c3c5661a52a77816580f81a977547c715d7a8274f0995cb0f01399a6f1d1a6305b72b7824f1edd8b1b8c4b0ac5af27d290d7fed807afd1acbc0a9dac135

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkMc.exe
Filesize
202KB

MD5
6bcdb0fa28d4c14624867821989c381f

SHA1
0960be442c2e259fc54cb2da7af6c579ba334085

SHA256
fa4c5545d3016c5396cdc28b1969ecb3ed03089319087e4cd5d27062c1288c8d

SHA512
9a8ffc0361a09f28d955f6aa543a317db294022dd1847d0eba45c016704f1edad5dfbb8eb67ec77df1e984e7551885491fc7d04ee7716a1bb4076b53faf260f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEO.exe
Filesize
437KB

MD5
cd435dbab2850df1890f33e2fa5d0d82

SHA1
94411200cc95aa471253ce1d82d7214d1366ec9c

SHA256
b2c1a3fa312dfff2b59189764ef9f05a33c49861b7895a0854301e22f1e05ca9

SHA512
e8f8691dabd9153f0c3459d8c094cfc3ac21f4ea99e3cb838b61dbf86baf0981ce48d1d67808ebcd3596af6bedcc00be9d9ff11255352f1e180a380aac829ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEO.exe
Filesize
187KB

MD5
beed0b10afb96cda763fe0cb434a603c

SHA1
3f021d93037831fd1109fa1eea700bab97f81d8d

SHA256
96d5eb18ef75b6e7bd1e2f4379262e766e45204e81ad974d7eeb2548a9a8f6e0

SHA512
304edd5a59165df1c2cd65d820c3f01778c90467362107d9e665d500e960b9322c21aabfd1baaa8cb89dd347e21c70b3102792cf0d87234a03ea77a2801cfbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEoI.exe
Filesize
748KB

MD5
c0e4fad5723a3d0e423707d43b5a1714

SHA1
d2fb99c9301b66e4cf0341d96a384585bae3aaab

SHA256
47403cd9a680d49bb86553f9b1f94e2757a1397e144480f88f48e021bb12a8e1

SHA512
24b64504f24623783d3f24bfbfda3e169260431231ec781686d720a2c49a9b5a59231e98a8b47f731b294b664a9e3a18c14820236ecc9c1f212baa48da941e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwEw.exe
Filesize
688KB

MD5
45ab29bbbd2d97831a28e025258223b2

SHA1
f65b2546113309fcc73dbd9cc5b7376de1f5c562

SHA256
df764fcd687422fa17343d088733fc998206fd0c7c92938d95b9d6e970575d72

SHA512
1864a637e549dff14fecc427d9343aaceaed52fc0d71000fad8ebce6669fa533246a6dad27bbb10b924108113678005a0798dcac89e0941f9c263805bd0a3ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIwu.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMwK.exe
Filesize
215KB

MD5
8e8a2e47b6b54c0527e4df417c9402ca

SHA1
0a408a73ca413e8d7ea932c28ae0ac27b027f805

SHA256
50d129777a082c436dd6a499cb8adf8d784d55ca6d55b1ac307f3206680a0d8b

SHA512
75149fa4776182091ab4017811389940f23e1855cc9bb52a90392022a339074e6b149e8f41a609362e6ec8e86dff3daced1b5c21e1d985f065d0506ac49a81f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LckM.exe
Filesize
422KB

MD5
798c4b9512d1b071dcfbc73d904f9453

SHA1
e652bee7337a39b78a80cee05932781da3b81b6a

SHA256
b8b5abc083958b49580d9c7cf1696be5b9bf73f0ecf592f1a4a555a395d43250

SHA512
59ac3691f48a90c33fd77517acd24f8f7e8e14927fb6166e10da2874b7030bccd16473d6d79da9069ae0c0e0c5d960e7e3d6a08221c8c9f2d5c2b3ef75e17449

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgEI.exe
Filesize
208KB

MD5
6354cb5279a553743b38ec96f7f24464

SHA1
8c12756e22567f0c701de30a913f85034cd7dfec

SHA256
0a78dfa07b270f25ce87147b42e7fdf8d0dd3838d7d0c0a2a92bf76213deda35

SHA512
d88cfffadda0ba7cf2e2e64123067b93cab6e04b367d0bf24a57c4be0d04f3e2a4231fcd7f47208d2aadb371ce248b0764ae739c035137b9fbd46e089b144b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkYa.exe
Filesize
211KB

MD5
3b5f7ac35c1ae7af6fa78da97d914a73

SHA1
49392e0e15d094928504bf1981da59b8b502afe4

SHA256
5e5e9e14bdf03baaebb86f26ae3241c6d825b40b68bb5de8bcda19f304ec3ffd

SHA512
70929403391d272e9849a7260480f01f69a8a3c07a1f47179465c8bca22ce707b6ea4cf9da994140b1c5f471702c4f62c687a2217e5f0b1f2b26ab3932afb6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYcE.exe
Filesize
222KB

MD5
88b004fd278caf2721c05037542e2ec0

SHA1
7a1c4f2bfd639cd70637a33361ad159d677689a2

SHA256
d3d5e03e963eb66f3b39d346635178a8c312976adf3f2e842950b819e62b8429

SHA512
75059380b60a55423b8d7e5a8e624b2578d34d0fc77544946c57119df3652a77610f91bdfcd3d70986c547e51f42d2a94a5fec75f1d768bff2db578256f95ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYoS.exe
Filesize
194KB

MD5
fef77a17835af162f108053d08b78644

SHA1
dc5fde2af0e8de9eb1c79e5cbedaabd3063f710f

SHA256
7e2b5845be150bfd416a55b3b5f6987e97fa6134b8c32f40192ffa139cd27db1

SHA512
220c4f56a66d2d6c29a6b54f37e605f74352788579b747336b9bac7a026452e131d7e975817ed7e27b42793a4b7293363f0e60e550829ae1e49c79e5399bf83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUEE.exe
Filesize
224KB

MD5
043de3c6283bd9fe9eb998be9d071222

SHA1
e6f62925b1b51ef1c18af5b5f99fe5d4d8504210

SHA256
8e51789be78d2761e2ab06128352bf20f742193e872d8696d5565d21ccb989d9

SHA512
30aaf6f80e241290e75cbdf3f0f5d7d4cc366cc320482edb28a9cb892ec72e783dad0ecb0a821ee995c68374056cc58fb9c674f4d65c120cb3649345c868f3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkQc.exe
Filesize
192KB

MD5
a745e9150d8cde15d728c4f6e9f938d4

SHA1
6cf2847d4588d76129a0cf301355152fcb04db67

SHA256
9268122b62358eec49b06cd466cf6a71a3423a9ef19117cee2d0ea5bcd5d0808

SHA512
86921454de99561747be64496fa2c62194ec52eb25cbbed2db389222a61e940a49fae32c6922ce676f5de3ec1e77856309046122676a832261486bf89bb75621

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToMe.exe
Filesize
211KB

MD5
cfc29f797792630c8d2be34ee4d4c630

SHA1
c372739e63a852d5b4a7f82b725b621e02c94d12

SHA256
f076ca7b47f600e6901e312b5038e008b2aecd10e34df4d32c153921e5e1011f

SHA512
abe84b7a6b278a5fac2065239438e2abc78c597507c6a5cf60c6946e18d156a78d0b32d28338cbccd7165e7b65b07ab7cb063deec0c6683edec739b2350f8747

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcIa.exe
Filesize
318KB

MD5
1ab3a3a5cefaee86997a6f7a5b0c3a87

SHA1
c842029d804a6783d678382787dce7b1f42307cc

SHA256
d180944a99388748a175ded0d855ece820e1f0e56312f0eb0a5a81b82789cd2f

SHA512
394a3242bef89800e3811a44ea97964e3692ab9e8ba38769a6702d3888300a72d473545afeaa393b1159d381230d198774addac35be4b832a0c9484a1b988145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vksm.exe
Filesize
196KB

MD5
8494940d4cf9e862a7ca2991ea9e8b2c

SHA1
702f60834c348990d404dc84a9bdcdabfba95529

SHA256
a799f4c698420cd58255e9ff375b7760781c7fb8463c5e57e30e7c45b7cadc33

SHA512
dd1dd2e0bacf7cc24d13d04f91a8d19c5e0b86df9a9697b67755db1903260af2da3ea4612c7515d24a620a326212fac8191dd739c7c44b3cdac9491b260196d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcQC.exe
Filesize
644KB

MD5
01aaf2edd14bc533688176c0e9d0f951

SHA1
812866e5de6039ce29ac7b007022b682d394056b

SHA256
6c55dcec7f06a9cb08b516d38d045ce40de3439f024bf5466763b69d86fe921e

SHA512
baf54ab66ca922e7343ca4057a34a0a9809f9736941c2678ea6e0dfb1875f9b199784f7fe86bda2163fcbaec6009e3cf868dd4a2df7442bc01b38b5a3030c5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycww.exe
Filesize
812KB

MD5
bb9d662d3866187bb027bd7de599483c

SHA1
6465478e26de87086dd0c56e93456294169b99c0

SHA256
d509c02c36bce83bc122ae39d778dd73ae2a9aab409cd6797db70ad58d169d55

SHA512
c448d6394f1210cb26783787fc85820e7f6114fff3afe21d9f4807a2709b578183697a375d7fb45044855759faeb3b34f16b3df8b79f07fc5219ae9878f47367

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgQs.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIoO.exe
Filesize
185KB

MD5
e604ee3eeb35e0bc70b7685df4395771

SHA1
038cfcd9b8b490a5e2c1bebffc98297561904519

SHA256
121adef6bd7a7b3fa3d6b192c3fc5fc83020b7f785f48131934a6f25aedf2b87

SHA512
6d79fdec62e65e05b7596c242b95fc89cf427ea2335fbc9eaf6d8b08b9800e2373fa1520f3312af90db7b169417e3be34bc0fead00cae760901726e1b6651289

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQsC.exe
Filesize
317KB

MD5
74a0924153821e5ed0a1bb4d125a9fd8

SHA1
a364589bf1597c62b7243ed11067690998d27545

SHA256
613f98a1666f98595207c9ea2fc3c71dfc7d0575c31e37f5bb38f327a4612462

SHA512
337aa84bcea5b090e99e9933616a0b84b62023f80c2be802c7fd78d79b3a6485f5f812c81e8201ddda27ee7be293a606f61f3c5b2fcc8a12743177493f6e5fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAW.exe
Filesize
180KB

MD5
cd403477b15bee4be3ca8625d387312b

SHA1
728803e24aca79d2c3a98b0b0248f3004fbd812d

SHA256
cc17da3ab4eee319cb314b7058a519534592bbb3fc8f3b2d9d7b62eba6cb56ed

SHA512
b503c827ccf9e2034a7fbaba798b0b75ba9895fb97ae977bbebe96bdce8d283de1992fa6b70866d7f6d5fde18c84e54994998cda25176b4a76de54e5fa818b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsIq.exe
Filesize
194KB

MD5
08290454dc9fb120778b6fe9be681677

SHA1
afd3b2cd416f985c9916cfcce50b7316b72b24dc

SHA256
6bc5069289239fce7bc72df9246949d4c6800fb8591b04f43575dd5c6bff0339

SHA512
2a08b4642365e7373f6a5f49aecb89a2c17096130c051a11a5e6d8515a4a236bcd1a918a097b75d95163cbd8cc56a31cb10846e9b56020246aa5e5d1dcd65bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUcA.exe
Filesize
202KB

MD5
d991735f50a5b638ca2b2b4f1183c130

SHA1
f0d96c82183f8242d278a8141db95b884ff7f9b7

SHA256
3ca5257b11d09f123a41dafe6a5f5d48c282296b00b80b35b1743e712a6317c4

SHA512
6f4c2cc23d6164c78f58634bcc8132ecc262708741f55b72ef8472b4d25a93b34f25f58671d684370da4a65a9adec659cdcae4e9833fcc639c1f9da163e7157f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUcY.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fogS.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\issq.exe
Filesize
200KB

MD5
946b169f9a4857d1c82fec3db0513c9b

SHA1
7a8e584bddae6fb22ceb6fb4369f7080cbafd1f8

SHA256
45799e75824b4662e4776ff418e93b1bd7d3ab1d18aba06ea15d38894c35d38a

SHA512
0fc5e70b98ce8705c643406017c479c2ecb7701a9eb8b857aa363074730664fb9311fdfa76906d45f0a5b2e1da6e472554ad80592f5f00b6214e7f18fbd2dae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYcQ.exe
Filesize
823KB

MD5
9e305cae566fab29a1c2a83fd398b4d8

SHA1
1c362012f226dedfb42bb03dea0ac5a5ad499d3b

SHA256
c2f209b2913fcf3d1979c7a0c95d314636ba4a0436ce339e10f26054e54d3ba3

SHA512
4909236fe58b2695d8897d046ea7e383069179f99f5286f9394b20672a5b1f8dae521acfe4de12b744235205cb3e8ab11e30a83bcbbad2d49eacb5659807ac43

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwQo.exe
Filesize
206KB

MD5
98dd69c0533801e63e98b8174e0e55d9

SHA1
8c2659bb5557eb0a982af3fcdc4a7ac003e755f9

SHA256
532d6c25c027f9362f569931ce83a420dd15062e05f1fc4a39e7b9c16cc58872

SHA512
d4ca8ea5bb50ac5cab34cc7c59a03a3109c6d4c0dab992a2136286b8b839a12397d5b962141067be4609de100446411612be151e3e8d59a7ec49c35b211b5a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUco.exe
Filesize
814KB

MD5
1fd8b71db39cf69ed09acc27fcd7ab7f

SHA1
1969f1edeed2cdf96339accc94f43128401d7a6a

SHA256
262a496aabd913d1495dc24429b3578772c685fec4b57afbc21f5e66859834e7

SHA512
319f55bfa59857a0d4a27ebc29bb810f3b1043ccdc06f70f80b90537a9be32715277b286682278da5d4fe1aa4dd3dcabd54f9c8eb6881b15a3b87676c6a64c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcwm.exe
Filesize
798KB

MD5
71fc1a9049aab1947bde72ece28d6cc4

SHA1
5d1a1a81cb65ceaf226cbdff11c7a55c476b4641

SHA256
73881ddfe532187ca4246d7fc2f814dbfc9bcd1a4cf81a633bdc77ac56f73d79

SHA512
8f6e30ec11e543164e1ebd5deefff3602f06aa667ae573b7c9e93da1f169338a9acc889358cc61c501fcd1c5d965042392daee0e7eae865ccdd22223f9e6833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\noIs.exe
Filesize
189KB

MD5
fc5bd3ce304c8c65f20b82d0cb583978

SHA1
92dc179604a21fffedace8678cf837b04e0c7d18

SHA256
7a3ac83fdf4255aa0af5949ba716abbdafff814eb543e869201238f30ee7aa32

SHA512
92425ef73237d6351f4e2c272e0c7c01a60cc8f1866208a1a4ca85e0e0a2d20cefae3d85532fb84c393158ff14f4716f23d849474b55486162a1cc571991f2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsUI.exe
Filesize
189KB

MD5
ca5a1f8435fe0738be28f45a137256e6

SHA1
411686984c52b5067ca409c7f6f7ababf4f54e1b

SHA256
85b1cf136ac7607ab2984cf7477ac35f6a072c92cab69a207abbba42fd81a9f8

SHA512
adfdf3bb23cbb5912338880f337993ffdff2096a08ae9a74842e4a3d7c266b027a61848cc3ef660173b05057500aed7addf8be86dd3374a89cc0aa2285d37e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\oskC.exe
Filesize
235KB

MD5
49bc4ef9ef35d0edab02d9f189669ead

SHA1
215572465e0e8aaf16ca8b289d4208c362cdf48c

SHA256
0226cd7cdfb2043e9b957bb9e725a31fdea98593d8a4b63e6e6510fd5e8f942a

SHA512
cfc6c6130ba6246466b07b7c8318de3bd9025e7dd1a9025805fd2d8eeb5e1fbd3fe6b11ce928e314bb60bfeb19b0adb2a6686d69e8eb27a08c9ac903b7823ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEQS.exe
Filesize
5.9MB

MD5
e20d55ea6b57abfce7b6e277dfe9bedc

SHA1
e69cf3ae30182cc86f2d32ef63e6310513b39b6b

SHA256
615d097a282bb8d915278c4073417c17daed4820fa01b7e27735fd168d14f605

SHA512
b2633eca8d26778437393c49ccd009919186872b5c8ce4a4e962564a5bfb74e5c3f0ed4e64d70154b46af1959223b7010be4479e17da726148eb34beb7eb5764

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYIK.exe
Filesize
787KB

MD5
0794fe6dbf2054d2f13bfacd066fbdea

SHA1
c38a58c681ac5fd1b2e5f66bd500a1931aaac747

SHA256
bf7532bf50bf4d5025cb4059c25e1f668ff2d1d8c0bbcbc4169fac93fab9b68f

SHA512
2f59eaafcb2bb14171862df59a482a79c97cb4dece61b489dd1d31751d3cd4754c69251cff41a0b0568051d0b7c79b5f47dd14fa83d68c2274635db25d831020

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgQo.exe
Filesize
203KB

MD5
5ab792cf2a0dcab40f9b7f8ff0db57a8

SHA1
284263a174adb353379b4d5af5d30c62493f3532

SHA256
41d524cbef3930733d034d7c3db2b51c20a4081fa1e2eddbef0115726ee8d573

SHA512
59449d733fc753adf5599c7e75bddef2ae5ce2478d87b869bb0929361ef3b1841ec4cdb866446fecaa046b6910ebfd202df3616cabd94b7e620482034eaa05d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAwg.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYEA.exe
Filesize
5.2MB

MD5
2177e2365fd6e8f3e06699d8d491c553

SHA1
ba74955fb7746486006ed2768edc631d2061f636

SHA256
dd5c12374867055d223f31e395e78c4c3149e887e62b86f22b567768654a2f9f

SHA512
ea74d845e47ea04ecf6fe1884bd8bc4f0ffa1a6958c3e5da78a7c856cb49d19003f4cf60c37bd1a9c27c8dd6cf05c3d5d31ebf1bf79d4faa3af8fc57c8828314

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYIu.exe
Filesize
650KB

MD5
90f3d6d31ddd0c92397971b99a0f24ab

SHA1
de7aa36595d0179aeab5cf588fd01f0c1ad5592a

SHA256
b35db81acda69cedd6128c96ca42b75d6cc3aa3862efae277e2f4782acb4c9ef

SHA512
176ecb55335dfbdb4342734a4deaae155b9702fa9aa96ec9d71de112620b709966cccbc9d139e0df3d96cc6fd0f24c69ccee21ed83fab1482b5ea641540dbaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYYO.exe
Filesize
790KB

MD5
dd7c3f2218113220a36714a4fbe777f0

SHA1
1f57e518ff65e6a5b10aef5699cfb1077446ceb5

SHA256
9a6dd6652718c25dcd54dbc789f56eba4f13ce193b6ea5c781783a8e73a122c8

SHA512
782b05dbeeae84dac90c108c348a4524147d40e01f96ce9644e0c9aa3017ab38f66c6efea795b1f7064dd9e1d69650bc7fbb8ab501154014376f4f54d01a7130

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugsW.exe
Filesize
196KB

MD5
e30b005ea5a78c107011d8f542b59ab1

SHA1
815f32a2e4d75b55934a1afcb38d4d8ffa0a62d7

SHA256
ad44cd46389aefc39b975b9e04fdff695d60c0a4ac5814b3b41f6a67d74ea42e

SHA512
2ca8868ed2e0389a3bcf995039a17c00e396bfc08d67c961cda6c55e9f501e6d645fdf6a987c41c795b3ffd22a38c84679e24b94326f62186e8e4f8acb3d27bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUIm.exe
Filesize
183KB

MD5
773128ea0194da8c8365a24a3a1c5ea6

SHA1
04f58de35acffc425db684f56ebd603b83093011

SHA256
a5c61e51adf8e8b9dbc9d2591c64345a7af78f366997995cf2153d491bad3e4a

SHA512
292c90b0708c9a9802816926e5c422712cb4f433110246e4065c797d3d55d558eb6ab083b28b046449b66a95248c197b3cf183e8c6a983406011e4ce4d7d14ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcci.exe
Filesize
599KB

MD5
4dea928d10a4002ae6e90304288a2a77

SHA1
27b9027d3aca69aeebce85c71ab08a43dce3dae6

SHA256
49960bb822259f85c64a2ee74220a3edb17bd659d9da7385e67c26e9966ab24d

SHA512
96a34c11a1746a0d939f6f1e6d367a5fadc9e9b8acd68d686b2edc0955f002cefa52b8e73b765989ddb4debc108dfb020e040a003678881921c278607a8f811b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMG.exe
Filesize
637KB

MD5
a70b59aa1c316c9883910cdef6be3525

SHA1
7b621ee45bd7f006901238b9301586390fc3085e

SHA256
fe83e4d2478dd7dbb3dce6910002409a5ce3495814d63040e67c6f7f47bcfb41

SHA512
9051249526d820f7ebab454e79ee62a69d5a9291e293c75c0417d0537d8122d2411a8815b5977d452ff7456d960f293a4717811bbdd55dd10124dfb4d1f4333e

Download Submit
C:\Users\Admin\Documents\RequestMount.doc.exe
Filesize
551KB

MD5
8d6266608393c8a5e28872f087ae278a

SHA1
e1e42f0cf3e84396501443052097367fe8cd1f52

SHA256
d0d4a49c9e0669fda3c7faefcd35bd6d703b9cedc81b533668fba7a4c03f10e2

SHA512
9bba6961353a21a80bccde59dcce7109369d12f0b8ff45cd8306d64bafd51bd05947f721f45a9dfd3e8a9de4a6c89ecc4ebb1f1f7c1feb8c2100f5d9268d6736

Download Submit
C:\Users\Admin\Downloads\GrantStep.gif.exe
Filesize
678KB

MD5
dfaa76095269a1f14b90f7fe1485290c

SHA1
1571952b5a8deb8ea2b273ac1b807ad2493a4a2c

SHA256
6ee2196f90bcc0e6129aae05a806ab5d6efcf4067316249924ed5dea44c04e0b

SHA512
f9df4df7f95b4c7f23c4020de36a0785f09873ac3d3bd589ae2737eca581a03cc3ae69a37d7ae41dcf051a5bbf65934af3a90eecb43d0210805f2a555f0f446a

Download Submit
C:\Users\Admin\Downloads\WatchSkip.gif.exe
Filesize
902KB

MD5
79f5502203a24bbb9eec604c8e1e3f78

SHA1
14c0c86c15894839f7988a14cd3df1f9f9251b42

SHA256
9bc5fbee6bc983172728e72357d0e0b35fa8d2ba61b4d43b75779cbaf5d4fc96

SHA512
109bfa33d690c12a6efd225a02aa9b2cff3bd06e1ff61776b0c180b99b599e86fe35b9c50b1f78989d4450b6c3e897be308cfc8fce334d7950a5a11a39e4240b

Download Submit
C:\Users\Admin\Music\ConnectUnregister.jpg.exe
Filesize
648KB

MD5
f0348b943fb38728f2eda2a639d60962

SHA1
2e29b09af220b6dee5734d491e9c2621bdd57ca8

SHA256
c287389b46a32c059f781c7f15264e5f24cfafe12e4a2d407129a618237bfaa0

SHA512
515a3b20e6cc9379450954605b11cf8de0c75789bf62f5ee4acbdbe13dcac330178009381a745b266106aeb519e31518a507a765ff822be0787e3ca97e0a3180

Download Submit
C:\Users\Admin\Music\EnableExpand.exe
Filesize
556KB

MD5
31c256d51477cdd158dba84a5ecb7315

SHA1
ba3a4570402f030969cce9b0c08c863d9d750c5d

SHA256
0ba52119c20373198d58acfd1459c4735dc31b537087059caf23d80816b4cfde

SHA512
efbb8a8390488497940ce26ca8a3a5c3e3707bdd8df7ff22d47d9c160319162c40796dabf97c7fb1ddb1128a89cbae4c9b1d7cf43f7fb1e2a3058cdebd313592

Download Submit
C:\Users\Admin\Music\SendUpdate.zip.exe
Filesize
731KB

MD5
0e5b0d2f88137c6cefc70c007edbbf60

SHA1
a9bce87af2dbf4b3dda916cc737dfac33591ce4f

SHA256
892568ec10af400b81f3a308357467849480d44cbea834e663f3d1ad1162bc97

SHA512
3a13eb6b2d62d652a154547218c12645111be9f7dbb6087a612bcf9ac1f5ea02671463c0d8d065f6fd9bc931e1139d600fcba7e72c5cc5af69cbf9b7663403e1

Download Submit
C:\Users\Admin\Pictures\ExpandGet.gif.exe
Filesize
433KB

MD5
36bfb1cbc51e7ce618bc6dd10fb66555

SHA1
083b1b984a9bfe6af86840a2089a39b847f5a3f4

SHA256
354571877a717ec65f7f9c6ca4fad4d593201b08539787245b299d229c9e7da2

SHA512
a72e7247a57cbdc0432d4364f812c02924c5b659b929666f6fa0bc87624779370d547ee20db8ebc0053b8295dc04b0234f1f53e9d5b5a02ac177a3175bdb5117

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
Filesize
206KB

MD5
3532db33ae2dc4e0fcc1f8c94778eae9

SHA1
7c9c3c592457657c95a5c98dbcac0d62a299cd38

SHA256
28c93287cd89e300f42e9cde86acfc6e9e269e33780bf06cfa9930f239230427

SHA512
67fee0f93b7e269a435db441279cbd9e57d409fdfbad04ceaefb159786851a4f27acb1153a062ea09938ebb3ef3e5a527097cc30c20e1b84b4d2086a1b022dad

Download Submit
C:\Users\Admin\Pictures\OpenResume.bmp.exe
Filesize
827KB

MD5
f8226d06304e16f9c48a2759a1fa4afb

SHA1
62b3e7aa786e8f46d7f898f5f208fac844be6449

SHA256
e438b33c1c1e06a0e01e87201d53bdffb54dcfd5ca7e0337b6f724e7d386795e

SHA512
71ab38d641492e18a2d39ac079e1407e84353de92d6fcefa9b599b15dac01c30cfd85fbc4c9b45fc749f61da3a47ec2ba032e534222ca61a0b8e46e1d194c777

Download Submit
C:\Users\Admin\Pictures\ReadClose.gif.exe
Filesize
803KB

MD5
8cdbea94b4c146b8a65bfed6563a6609

SHA1
a6ea2e8aa435d66be3ffa8b76efaeaaac631a7d8

SHA256
baf9b7bb8fb495dce5bd8f54e1b33bef43730b27f845113f692cbf80c61e2ce3

SHA512
501e6aa1c4d3d73cb1c82cf67ba614ffbc8ff157d68a747aff22bd31ced9802e519d3ce02157ec892be47f90116ecb5315031e4318702f0d452d51b2ecb020ca

Download Submit
C:\Users\Admin\Pictures\SwitchUnprotect.jpg.exe
Filesize
728KB

MD5
ddde681b812fff94dc9dc3437aedf3db

SHA1
c1a2dc22d8c3e2ea61bc3ad5776bf830b5ef4d94

SHA256
dc20c0de6391021620112b0d61276911536e90b42630eb397a90b633d64a232c

SHA512
b9a077a2b9f7ecb45fe048dbae52bc31b5cc0df6f3282f09d5c9b5e9cdc58ff7ff93e681971a0a0ee232b1e0782979f819d8ed5036ce9fe1c0f57a24b6f491a2

Download Submit
C:\Users\Admin\Pictures\UninstallWait.gif.exe
Filesize
418KB

MD5
d7275cb6283ad1b1a6bd694114e1437b

SHA1
6c317e75b8340428f6434f6d8ef96de5ae0d4d88

SHA256
f368b686557b0006b32c55be0faed1e340bd537fa211a5cce8eb532d2f52f2ae

SHA512
7d3212ac55cd0723eca6be56f1d2ae30327a5cde8c0c87a8eef74e33ce9fc8103b715e2cbd326e529e7cf05421e15c7d47b2b037ebff1688b27e9a3c0cd46431

Download Submit
C:\Users\Admin\piYAEQEA\iIgAMMsQ.exe
Filesize
183KB

MD5
be943cb54138ab5348eb00d9da4c7578

SHA1
5edf2910e2b4ce71b6bfa13bc72a20a1e5a5fcf2

SHA256
617dbe48b5c067aa6bedf66bbb20360bf1ded9a623e531d09a5f9a090a79d175

SHA512
1c88fc588416e6ff78e187a002fc84ca0b0162a801f75347c2e7473f826bb8dcf16e463d85ebe794ca04d83896bcb05d47546b2da3672e5cd8296a7c13aabdc0

Download Submit
C:\Users\Admin\piYAEQEA\iIgAMMsQ.inf
Filesize
4B

MD5
bc1a2813d4b3b7652e5bfb91a36ded2f

SHA1
ded6e0d432e2fd8bf6b987a51c74344e195079da

SHA256
4105768b675a7420719148aefe804ef31cd620b9478c8d44e50bc6330beed360

SHA512
58f0669771380787db8edb7073fd257f910f5f50ba78c53021ae4d80025b799cf8767fc701d62412c1f45dcd83acc9cd02c24c99c501ba75b6b9a976f46defdd

Download Submit
C:\Users\Admin\piYAEQEA\iIgAMMsQ.inf
Filesize
4B

MD5
5c6e5782eb212df4c840ea9d0094d8bb

SHA1
8e0180260dac5af57666ab1e2918f12d57f19840

SHA256
202566c5317b5c74ce498e96bc7a13022e4c5c29e6e4c55ac4a359b61509a79f

SHA512
aa0eeff8eb2b3936e0a28911a2cba0d79a305d143f126af74eb4fc79d27f4d88aed58ef73df8496e9624f6930addd92aff1b95311458a1d9e0253cb63f71b362

Download Submit
C:\Users\Admin\piYAEQEA\iIgAMMsQ.inf
Filesize
4B

MD5
f6ee220e66f973256039858bbefa80f8

SHA1
f5452c4b7f38373e01e730359213be356c6c69ae

SHA256
71f9229573afd3a87a78e55686066d28bc664fd76f9055babc7e85b907e1eb92

SHA512
11d9b989f836f65674666565251b16f30a182530deb0af1969966bd31c9956903307a6aa6c77c4933aba7931cf54e85a299f1c93de4dbf3eb94a1ad9178c4f0c

Download Submit
C:\Users\Admin\piYAEQEA\iIgAMMsQ.inf
Filesize
4B

MD5
e6b3638398d9e872489b25f0d30c64f8

SHA1
bc44be0037092db84700756501fadaa000c57226

SHA256
a52cd99095bd03118bb31a23b9e756344e2d2f91b41548dc4aef0f7b2e1dbcdc

SHA512
613eb32d932371bd66f5d76178cd754d9fd533f40f4f57d5751f820d8bbe4188e6cd89a8334ce412c690d7505282fd410e4748f37cd2a86e6d4fad8b336d3471

Download Submit
C:\Users\Admin\piYAEQEA\iIgAMMsQ.inf
Filesize
4B

MD5
c6a90dfc85e23302269ff477488fb1d0

SHA1
999eeb17d42b6f71a9fe5fb8401a20ca1bfd9e8a

SHA256
a4ca228be381457e3a76f1d716316fd5e56fb931a94f1f35327bacce0ed80a13

SHA512
c7cc744e4110aab29595e6f98a7da0a177e980f8b82afe69a576cc6d62d6e8520ace16552bd6375e119b9e666ef94f0e222edfaedf17c80d35e4bc5d96064673

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
5.9MB

MD5
c7cee8139bc139a4bcb0718b4068556e

SHA1
ee1c5b66f6f9d49c5f6af7de56a96d8e7d50572b

SHA256
b19cf2562f12eac879860b1f4e720481c9a0d2f0936b04af0ae5cd2ade47d12a

SHA512
1a6ae8fcc376e007737e4bc6f9576dc89a4cdea54f00f7a2d9fb9a9e00dd85393ad3814739a1b89d6cdf552df6099064feedb8509e7fb1e514618490bbe933b4

Download Submit
memory/444-243-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/444-251-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1200-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-300-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1432-378-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1432-370-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1624-117-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1624-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-329-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1668-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1668-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1684-45-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1840-299-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-369-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-362-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1880-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1880-351-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2076-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-2122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2304-261-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2768-338-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2768-330-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2892-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2904-291-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3148-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3148-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3276-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3276-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3404-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3740-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3808-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3808-272-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-349-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-339-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4196-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4196-2128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4220-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4312-109-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4312-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4320-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download