hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

28/02/2025, 03:08

250228-dmxswsyvdy 10

28/02/2025, 03:05

250228-dlbt2aytgy 10

28/02/2025, 03:03

250228-dj7tpaytey 9

Analysis

max time kernel
123s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28/02/2025, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

defense_evasion discovery persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 39 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 39 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
53	2908	chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation	sKIIoMYo.exe

Executes dropped EXE 41 IoCs

pid	Process
3992	ViraLock.exe
1560	sKIIoMYo.exe
4632	WSoMAssU.exe
904	ViraLock.exe
3384	ViraLock.exe
2080	ViraLock.exe
2948	ViraLock.exe
3552	ViraLock.exe
804	ViraLock.exe
2672	ViraLock.exe
2944	ViraLock.exe
3976	ViraLock.exe
4824	ViraLock.exe
2648	ViraLock.exe
4008	ViraLock.exe
2324	ViraLock.exe
3344	ViraLock.exe
2380	ViraLock.exe
5032	ViraLock.exe
1388	ViraLock.exe
3264	ViraLock.exe
3640	ViraLock.exe
3244	ViraLock.exe
4956	ViraLock.exe
4592	ViraLock.exe
2912	ViraLock.exe
3528	ViraLock.exe
2600	ViraLock.exe
4012	ViraLock.exe
1808	ViraLock.exe
2580	ViraLock.exe
3540	ViraLock.exe
4424	ViraLock.exe
2120	ViraLock.exe
1776	ViraLock.exe
4592	ViraLock.exe
1536	ViraLock.exe
2312	ViraLock.exe
2008	ViraLock.exe
4660	ViraLock.exe
5664	ViraLock.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sKIIoMYo.exe = "C:\\Users\\Admin\\liscsQQY\\sKIIoMYo.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSoMAssU.exe = "C:\\ProgramData\\IKQMQkwk\\WSoMAssU.exe"	ViraLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sKIIoMYo.exe = "C:\\Users\\Admin\\liscsQQY\\sKIIoMYo.exe"	sKIIoMYo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSoMAssU.exe = "C:\\ProgramData\\IKQMQkwk\\WSoMAssU.exe"	WSoMAssU.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	sKIIoMYo.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	sKIIoMYo.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1B740BA0-F581-11EF-BEA1-769F5DA3B549} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133851855425585358"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1786400979-876203093-3022739302-1000\{EFD23620-0CC2-4DB2-81F0-0CE9754AFD0A}	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1240	reg.exe
2848	reg.exe
1028	reg.exe
5788	reg.exe
2324	reg.exe
696	reg.exe
4652	reg.exe
2580	reg.exe
1888	reg.exe
3840	reg.exe
4544	reg.exe
2088	reg.exe
2008	reg.exe
956	reg.exe
3592	reg.exe
5000	reg.exe
3640	reg.exe
4284	reg.exe
4676	reg.exe
1616	reg.exe
1536	reg.exe
1980	reg.exe
3908	reg.exe
2600	reg.exe
4544	reg.exe
4592	reg.exe
3640	reg.exe
1068	reg.exe
4012	reg.exe
3564	reg.exe
2572	reg.exe
4016	reg.exe
4660	reg.exe
1544	reg.exe
5160	reg.exe
3732	reg.exe
4220	reg.exe
2044	reg.exe
2580	reg.exe
1972	reg.exe
1140	reg.exe
1776	reg.exe
2516	reg.exe
3644	reg.exe
2444	reg.exe
2612	reg.exe
2516	reg.exe
3644	reg.exe
1792	reg.exe
2612	reg.exe
2444	reg.exe
5152	reg.exe
4480	reg.exe
3528	reg.exe
832	reg.exe
4252	reg.exe
2204	reg.exe
4676	reg.exe
4284	reg.exe
1396	reg.exe
1376	reg.exe
4528	reg.exe
2516	reg.exe
1792	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
3992	ViraLock.exe
3992	ViraLock.exe
3992	ViraLock.exe
3992	ViraLock.exe
904	ViraLock.exe
904	ViraLock.exe
904	ViraLock.exe
904	ViraLock.exe
3384	ViraLock.exe
3384	ViraLock.exe
3384	ViraLock.exe
3384	ViraLock.exe
2080	ViraLock.exe
2080	ViraLock.exe
2080	ViraLock.exe
2080	ViraLock.exe
2948	ViraLock.exe
2948	ViraLock.exe
2948	ViraLock.exe
2948	ViraLock.exe
3552	ViraLock.exe
3552	ViraLock.exe
3552	ViraLock.exe
3552	ViraLock.exe
804	ViraLock.exe
804	ViraLock.exe
804	ViraLock.exe
804	ViraLock.exe
2672	ViraLock.exe
2672	ViraLock.exe
2672	ViraLock.exe
2672	ViraLock.exe
2944	ViraLock.exe
2944	ViraLock.exe
2944	ViraLock.exe
2944	ViraLock.exe
3976	ViraLock.exe
3976	ViraLock.exe
3976	ViraLock.exe
3976	ViraLock.exe
4824	ViraLock.exe
4824	ViraLock.exe
4824	ViraLock.exe
4824	ViraLock.exe
2648	ViraLock.exe
2648	ViraLock.exe
2648	ViraLock.exe
2648	ViraLock.exe
4008	ViraLock.exe
4008	ViraLock.exe
4008	ViraLock.exe
4008	ViraLock.exe
2324	ViraLock.exe
2324	ViraLock.exe
2324	ViraLock.exe
2324	ViraLock.exe
3344	ViraLock.exe
3344	ViraLock.exe
3344	ViraLock.exe
3344	ViraLock.exe
2380	ViraLock.exe
2380	ViraLock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1560	sKIIoMYo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe
1560	sKIIoMYo.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5896	IEXPLORE.EXE
5896	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
5896	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 2196	4352	chrome.exe	80
PID 4352 wrote to memory of 2196	4352	chrome.exe	80
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 5096	4352	chrome.exe	81
PID 4352 wrote to memory of 2908	4352	chrome.exe	82
PID 4352 wrote to memory of 2908	4352	chrome.exe	82
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83
PID 4352 wrote to memory of 1716	4352	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc2f88cc40,0x7ffc2f88cc4c,0x7ffc2f88cc58
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5208,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5352,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5492,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:1968
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- - C:\Users\Admin\liscsQQY\sKIIoMYo.exe
    "C:\Users\Admin\liscsQQY\sKIIoMYo.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:1560
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe "C:\Users\Admin\My Documents\myfile"
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      System Location Discovery: System Language Discovery
      PID:3600
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5896
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5896 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4308
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:2844
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        
        PID:3040
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:17410 /prefetch:2
        6⤵
        
        PID:5360
- - C:\ProgramData\IKQMQkwk\WSoMAssU.exe
    "C:\ProgramData\IKQMQkwk\WSoMAssU.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    PID:3644
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        
        PID:2660
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        
        PID:3640
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        
        PID:2640
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        
        PID:3992
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        15⤵
        
        PID:3320
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        17⤵
        
        PID:1724
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        19⤵
        
        PID:1396
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        23⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:904
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        25⤵
        
        PID:2204
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        29⤵
        
        PID:4252
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        31⤵
        
        PID:4564
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        33⤵
        
        PID:784
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        34⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        36⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        38⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        39⤵
        
        PID:3652
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        41⤵
        
        PID:3384
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        43⤵
        
        PID:2444
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        44⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1460
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        46⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        47⤵
        
        PID:2088
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        48⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        49⤵
        
        PID:4432
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        50⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        52⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        53⤵
        
        PID:3552
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        54⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        55⤵
        
        PID:1792
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        56⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        58⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1464
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        60⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        61⤵
        
        PID:1848
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        62⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:3640
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        64⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        65⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:3840
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        66⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        68⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:956
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        70⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        71⤵
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:2808
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        72⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        73⤵
        
        PID:1996
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        74⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        75⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:4008
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        76⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        78⤵
        Executes dropped EXE
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWgIMEow.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        Modifies registry key
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        UAC bypass
        Modifies registry key
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jecMkAcU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        77⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        UAC bypass
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQYUQkwI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        75⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAgwsYIg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        73⤵
        
        PID:2116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        UAC bypass
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEQAoMYM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        71⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        Modifies registry key
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYUsoEEM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        69⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEEUIgoc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        67⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmoIcYAg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        65⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weEoQMEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        63⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCgkgwQQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        61⤵
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUQwIQIs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCYwMUMA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiokEQws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        55⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUoYYgoo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        53⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyUcQYgA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        51⤵
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIUUckIs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        49⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        Modifies registry key
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcEcYYos.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        47⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgQwcUkI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        45⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIAscYEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        43⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaUYAAcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        41⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSwAsUoY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        39⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWcMIwUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        37⤵
        
        PID:1780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        Modifies registry key
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUYQoccc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        35⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GycsYogs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        33⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIcwEoQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        31⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwAoEEsE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        29⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySwIAgYM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        Modifies registry key
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuEoIkws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        25⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        Modifies registry key
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgYkwEYI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        23⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWIQkEEM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        21⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcEsQAY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        19⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        Modifies registry key
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQAYkwQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        17⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKQcAowg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        15⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIAogYU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUUkYEUM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcUEAosM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKsEUYAk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:832
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkcAcIMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:4428
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1668
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOoMwUYE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    PID:2640
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5024,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5580,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5744,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5700,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5764,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5212,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5920,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3252,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6332,i,18162590228072094298,16946664772943103211,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  PID:5672

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x4e4
1⤵
PID:2112

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5696

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
1⤵
PID:5640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IKQMQkwk\WSoMAssU.exe

Filesize
186KB

MD5
c0623298a2f9b9aef28ecf9363650ddb

SHA1
5cc5de2377a207a240748004b4810811109c7ea2

SHA256
4c65ec5a02877e35e7e02e58aff41fdde0c8be6b99c5275c289812055df6c93e

SHA512
507459fa5c92cf60cedabe8366f6b30c04499652939b066c1485846ed8e4b40ba9139bb2e1c77d3bed37c8e20cf844e5373d297314a3fd593e00f022f6eb5b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
845040729dee7541c91df1e364454969

SHA1
738418876f231cc6834911e448c418e36cfcd7ac

SHA256
2a2a464d0edf1750731d3f0466d92cebbf6c561a864ea5d36fff074daae718d5

SHA512
8530d9c6e497824a39efaa96d14e8c87911fa7f7e6814a1d4cde363fd6a9798f6bc406398342c044178d884cbed95a9221af342a157deb162e7c0dd8934fd2ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
245KB

MD5
6df86f586255e5175034fafffc119a74

SHA1
550880bee4fb465054c26515acdb41c689c3756a

SHA256
2191375c9aa9cb01c0e31c14e3d3ff2b751310c3db312646e9c4f9ed92379986

SHA512
635128f2c13c79164a23062370788d310488f5770836efd5f04ed65ee562801987226b66eedc6528c3b60e70134978794d6a6a68bb5134bf965a962ea91d83fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
34KB

MD5
529cde777731881b18c42494aa30b722

SHA1
2e2fc882487d542c3716e00afff919e651eb113b

SHA256
22a02b6b744a59d92eb71960424cf54d1db789512293c002204ed164b0f0d0ec

SHA512
41b790c30a1a89d605b0ba2d0762798b46ee5ac3ea607aa25e56e71db98070b354bf583a73175ef70a6fff14c96b60dcdbbb417e49d95a354abd6552e7f63355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
34KB

MD5
55f3ed1cf8cdc90f3473db2943c69a16

SHA1
c90ed816e9cac5899469d1e91a73388751bab205

SHA256
b1cd402531af27e9df61f25ab7557d9f32c4ba800c8cf941ae01ffd053f4e090

SHA512
b604ce12c77bab0232bae06aecbab138617462c10c3d01a2bb39a947ca3ba39e2b9b7581ae4ca980a7f7bcca14e4a1c74141beed08d16ad9a8f8b87ee35b1f3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
26KB

MD5
6ec4513c5fc4f74677200e8f2f8962e0

SHA1
18c61abadc72355a3231b70c2f86fdaf2e5a0ced

SHA256
0b944509fd937842589f3a7bc48f1b8448975d0823266bcb5ad543e8a1b606ed

SHA512
6fa5a8e8812f53e819e2d9fe80a91aadcbfb6cbee1109f93d2cbec28b2c57b652e74fa1accf8cae49d99a09ce26db567f193a8f1cf6372ce24542a2df7481824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0abc397534103b82ce4b96cd04b3953c

SHA1
1d2531f03ee034a6edcd7ca5268d7c6bf2f30018

SHA256
93d433890fdc137025364fa0db12be8e18235e66a1d51170bf448fe4c6a5ff6b

SHA512
b04f0bde573e976d7684d8361b2e1e7a76bc02e56b8912244aaffe30596cc9354361d83046ba7d2768f834590944580bbc125ecb7007c5923eee679864939e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3fc15618dd4c547e24bc6e4985260fce

SHA1
6885816257380f851aaef5f81dfacde3f2e5cc60

SHA256
182db2efad1b18a2e5e7039635fe877dcae19139f082ae8d6395dbaa5c450d57

SHA512
dd7fa91c6ef00893883335b8940d4c527cf1599607b8979612147f81ccf758602c667dc10061d0e29d03e4342f578d0970df3531bce3c48a1ec9e83abf934db8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
17cae4b4a7385fc1c8ee9fd71f60b40c

SHA1
e45f72a3b53e2af6dd65f3eb5a72965432d593f6

SHA256
6a2cbae5c3ad62addd09652eb9f162eebce66d573950aab64d7a48306f79cd8d

SHA512
62da8fbf2aa7727e0303915e859ea3a6e55d939c047b0bb92ff42b3e324d8d493b5b1390ce337fefb1bd4df420d4c7d9ff078ea75da9c7d4731cfc030666d6fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
c09f978c508c577d7cfa74afc6b3f65a

SHA1
dacc1ef9c6c26f751d3eecbe84c1f919d66f1f6c

SHA256
f4bf277948b16a30af52553104bea78947b6781b59acfd640affedc1d01c99df

SHA512
dce1774c3e109d8543558af189f6acc49a2a117ccf3b44669b7a3c199ad8a69ab25120dbbdaf230afad06ea5aa65f1c1fd5964c5ec61645121e0eaab2a30140b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c7f380cc4aec477dbb07a224bc29b3aa

SHA1
8356dc9029ddd164fd9f05553dda9a9e0728d919

SHA256
becd0449963c72cdc4eb85be5c0ffa8627248746344529112c5a0b843fcc6411

SHA512
494c2f69e7b87e6acc18d45f0b23f2558bc319074dd373b57e26da906ac16c7e8dccc6eee95f032f1c401a547c532b1dd00987587d515d0de195ca8612c5622c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
37797d4dfff97d77b45799a8b2192379

SHA1
a808b7256b0b14812e49c7aa0216b351282f3d51

SHA256
300146eeed7a4fb526ea8acb80490e8600748f234e0c5aafddf6bac87c0c77cb

SHA512
4b04965cb70b3a3d053e84f34e23ae552bd6cac5caf1fd27773896bb51615318b6ad35af869d97baebb3e7c1903cc8b9ed1a445f9e2c9c1e682ed7f0708b747e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
13ae9537e180bc3ccd32a8edbf0c51b2

SHA1
0d76ddae1fd28639362de72131306aadfefaf0a8

SHA256
e3fd0c6dff64a6eca7199d66e0d267ee3c13f2d937eb532acc8ba93110e45bb6

SHA512
37696c661724c76e150973af47a33c67067c7dfac28e51c950c6f35bc375912e0a29ec73c987db550de0fe2dadd70c19dbc3377d20bfac8803e82507312dd356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
496f4264dc07cbe18502835bf165d1a7

SHA1
c6eb523859bef0dda8d9dda0a76b10da1035fad2

SHA256
f13db1cec4a20041711b241ed020b3a444e9425a199dde8f8ff821ea5731f8ea

SHA512
92f1817588e57a90a0bae7b1e0f41af2b9c32b4687dc404b9e4ca263f0d78440e2b3e39404e3348a41239d2892f366e8ece4d691ecfcb4e68e22563738f56905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46bfa502baefdbe34a9e0639546562fd

SHA1
01904ada058b1ffce8d81fc375a33bc41948c4d3

SHA256
ab9593e0a6b48393ee9323f288aa5327a42fee09b10c0956ec0c6afad76cd31a

SHA512
674faa567fcdb0d35b0dea8e9b0d726491e8a10f2df6473031734ac9d3981ed2a52279e1309b44fa3cabd630137fb7ec03e1f758bda5c490b65631c8f95521ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7672775270381d962041439e6678ceaf

SHA1
42ac22c26ae7f7334228e3e551abc019c36d9f94

SHA256
1c6d0903fa76285b2d2c0f2a6c6edc86e707165e81a5eb1929a83355828e089c

SHA512
2165a834dea571ca56d6b355b39fee3978e51805a64e2a348bc83c7e1480a74bac376ca7357e0954a17e2abd88c38877d17c8526129f96b7553ad4bc8899fe9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aab0562ff2ca38412f65ca7fb03d4cd0

SHA1
cdae3d5d53fe6ed39da00bcf1ec37762ce281ddb

SHA256
264103075d1435ab044b457dfad182eb35fe3deb6857e5542a9f6aa2ba0b858f

SHA512
678306e24be62acb73f0435d91913bbe86df5358af60e80e471a1f047d0e4a4a8606c99aa862bbc0d5006c07d6cf83d9f43b7945aa75a2efe0872834943a9d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c60c74becde549e4f2b09ebd1d0432b

SHA1
9141197d54022e334c568c8d899d0494a3553f85

SHA256
9a0aaefc58ebc0d969f857f8f78af7cd589957699df1176729fe5f3ae0f6e9ae

SHA512
440df028019fc45b814174f7801400107bd12b16e34b507071b267e19c375695d7a97f71da8df2100dfc440247cb0e56a39a22e836d66bce999b15f09eb89855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b930009d60eb1228980cc00f94e71cb1

SHA1
a6e4bd23a135fdff502c165ef29a74e0d9b22065

SHA256
fd21136cb90e13a4dcac16f8d5f8769ddbd7d750ffb47f0ed40708826071077d

SHA512
f4d901ed5450bb20ce361129ed52af1964408be7e29905c0e5551b96adc785c376400ccd9d42b0766ba4cca0d1a1b0d584c25ac73b048f15e0c8fa2ac6c9af3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2d26398ff9a66c8bc0d7ef46390fa5dc

SHA1
51729429da2e436464e4b32647897c9d1b24ba7d

SHA256
6a8aaae4a3629a143daa77edc79e1fb3403cc90a405fcd1a7b9bc09f24d0b846

SHA512
f36c38472860fd9a8b22d1d25562737ec159a77da7deb7f87eb2d59edf324490b1d03a98cf6604eaf9d32dc5f8b059131411a722556640d7f2702a777a703e03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6fddb1fe63b87094d5c11b0f9cf4a306

SHA1
6a3e2c1d6656f6ff3083cb80f300d60b40ca596f

SHA256
df1f31c582c7ec7c28fda3341730ef362b73c9943a9cd8805be0c6dd1353071d

SHA512
7f87b56beffcddbac6a3dec6ac57deae80c6891191b2f892968972b0d5cac2c4ae688596429b5c6c74fbf25d60c32506250316d61dd6e1d3f02caf718225f47d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
24db79218a07fa07be8e6761b4aaf690

SHA1
c2d6890c4753922da3f722ca135314e6c98a4645

SHA256
f2ea0fff67a1c3ec2bdbf41e74f2a752e453a68040304350f1ecaedf4584b8f8

SHA512
7428c15663d1e05059887f84d9c3a6a0f48018c088a3a0cc2f107bde326662986e67ed62e08781edfa815e9f01f81293966468dd3ba9bb2710bbd41a4d6918e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1adcf68c41f66781222969990254b556

SHA1
c8f4b79647eff79e9f4d716da7ac1ce5c0c3f675

SHA256
78825be5931056eea6be4773f2ca30d808333d90ca609672bdec5d2f36c378bd

SHA512
9237a8cf8438a91f5201f8f9cf3688f36585e05de8a9f255318b36bf2d5b8ba08674e2f8f9a96c233a2ab72947a3d24e9b7d48beeb10b6124179b7204122b10c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
59e4ff78465b755ea9ab1a2d86b69537

SHA1
f807170cdd08c39610ea3f812990472c6067fa82

SHA256
0e83fd263e3f0320e0605b69551b6a907ee03604e223e8c6b91288c44ea5e321

SHA512
dadf33efd02047b72067275e5e8cf671f25fe4c29ebade03b05594a8b6e97ce1d5dd9b61322d66d43bb74cd68b47094f947db17f91f785074fd17a2d2b3916c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\14f66039-8b20-4a4e-ba15-e27db4071c73\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\14f66039-8b20-4a4e-ba15-e27db4071c73\index-dir\the-real-index

Filesize
576B

MD5
dfeb8213d6ba95bba4e93519fb687302

SHA1
ae332228a1f9b0235eb43142dacea24b7bc9cfbc

SHA256
b9c074244596b7efdf1d8643aa0d099df6363154c590487bdb2c0f9ca4f191d8

SHA512
8c41c92d285b37767675e1ad2ba40ef8eacb0c6aca7c5884e193d6a297f906980b283f40d0581e0aaae852b4b4006fd96f6523792652c5053c959501416e8fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\14f66039-8b20-4a4e-ba15-e27db4071c73\index-dir\the-real-index~RFe58ec8e.TMP

Filesize
48B

MD5
4ee843c728fb2b6707da55026f37ad97

SHA1
14c16bc91630dc29eb7b249b3568afa93691b268

SHA256
1b30ddce5c5f0f43ed8fb290be3c23abf419c7b915579721f65c5358f6d15484

SHA512
b641852b15d7044dccb5e38379325dc3730cebcd76bb95bd9b55abd0b1c1c08a5c27354c651b4c1fda126c9d42834ac4e2caa6fb8c973f5b1202b3a798a2ad69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\abf1261d-4b58-4e96-bc07-e74838e45beb\index-dir\the-real-index

Filesize
2KB

MD5
aff96a51ec8cb108d6fe7d9d1c80a913

SHA1
3e85bb7fffe9a12da77b80456040c235584b0bb5

SHA256
8930cd71c292875695e1b7c90c7912441530a4f95eb3c81b4fa404b934084a56

SHA512
f11004299ed603962f3a1ac7adba08ad1b92d1cf746f7ae1a58d465d196f9f071861fa76492289617c79ef5cc0db4e9df0ebcbf7b5434285f1a2b0a248e7fb51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\abf1261d-4b58-4e96-bc07-e74838e45beb\index-dir\the-real-index

Filesize
2KB

MD5
9323980e44b9e8575285acfcc43efdf7

SHA1
7303a87ee4e46bcc0c12a021edb82afe03e58ea1

SHA256
c4b9e8c7fbe20b637b0833493e64788457b58f9065406c5d5c23032f1cde3c85

SHA512
aa7478d8ced582041e4463c512920a9b6c5c3f9ee2eab1d8cf77b3a903e0c0bcce43773c1fdec792b76f4b0e71cf4b47b2ffbb206c85b84a45e86954785a4989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\abf1261d-4b58-4e96-bc07-e74838e45beb\index-dir\the-real-index~RFe5884ea.TMP

Filesize
48B

MD5
729a5c97aee7e419682d71f50f943b38

SHA1
071033d686c85b229187b86f605ddf9ed11e399a

SHA256
2c324efae331250e5612bb0c68c0380883376cd706f74e80e2481ce7f8582073

SHA512
3463cfc08cdeefd1d768dd6ddf1dd29ff234ffc14042c1b5e7e986bcf7da0c64e5b08b39ef85f6dc91d887857b7b484366642aa929acc0a6560e8be619bc79d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
382a065c0f5801e7dcb5776b37afab0c

SHA1
7fdd2bcf4c252199e9745e3f6c5b4d999b1db046

SHA256
c8fb90022cef02acc7ceced83d9fc1437d12269c95f69b4e691978f8fc939904

SHA512
fabc61f214596d90cea9eca0e9b023d6ce395eebff05af634bfa895d7f2ce3d4b87a93381335514518c8fe32c7438e9333dc6c8df6313099df2afdefa56ca745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
5dd324ad206a503ada4b29599de5cabd

SHA1
869cc7feeb6ae3d2a83f84a34ee98bff857830be

SHA256
205e0213122c2efcad3e25e156e90a8eb87bb86af6ad1d0b284b35c64178d1e9

SHA512
21d2d637c46f808fab384f81abf9aa437350197ece183d0f5a3b213616567940ff787d3c94d0bc5ffcbf38ef7974bb3c4eaab0625eb8ab6b5405213ec94558c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
fd7030ad64a8788c82e0aac209a04cce

SHA1
dec3aeb98709bae21fae29b24ed7bcbc6b25fd7b

SHA256
9d322bc53ba8d165a3b059d9a7dceb5014a69af9d3dc4bb81cc8bfe9dba4c160

SHA512
a11f8d620104e81bb2470d6f435321407ff4b66f303556bb476f18903069ad13e2a2ac4c998e83d22fcc69c14ca0741c89cf9bc91383e1f95f8ca96ac05636e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
de17b018ed80c0f3ce49e383c6f202f1

SHA1
2b426fcdd11bbdba79e48e0d987472cdeadb261b

SHA256
d587e3639eb118e0c0197ef48cd450cb3d34eee7e81f3d805abf603140a6e28c

SHA512
bd01c0c800c3d17654fd07f89ef79b752f1805aadfd2cc9354b2b63296c2f356d7ca85819b86798049515d1c543cef3575754a848eadb0914e6726054af4c08f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
e33890b056f9446a223d03ae9ba876a9

SHA1
003f3d676a7d21d229af93bda96bc98d5b02be6c

SHA256
b29d8d415c0fec814678d05704bdafb5f68171ebcc5cc021edc5863db61fa1ad

SHA512
830b324a0ee382373833baaeaa21520b730e5ede6518fc0bff4b577e8316bd61306f066864250f8c7ba8c449f962c24ee16e56aaa3a715f61428e2a556efb1bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
6a4810dc7a30fbe570a6696820e5cc7c

SHA1
2de0172f7b7c869c5b5ea45a00334ed1a0e6cdda

SHA256
b987c24b8d540d0ff1910315ff112ea6b7a2d9482965abea4ed00a0efaf76b1c

SHA512
c78ea1fb0b9b64ac285aa188d0c6c39bc86898895f52db689ae60837dcd594f568601c231c59286bc779956371875e2c9115b26f0b38630f7e81c76474dbb54c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe587153.TMP

Filesize
119B

MD5
777af01814359b813044ea7f960772e9

SHA1
3debe0811a3eb2bee5d9f2bfae0955c1f4578858

SHA256
e4c80c3ee3abdbe43bdc65780b699b9156dacd7749a500825933c11b7b1a46f7

SHA512
4bfa7a96802bf4125afd292001981f9bc488f2b6dc977af40d50991c3d41673ca86a5f93e48cfbb39992815a0d8a5db535835d514cd4ea2be722c4a738a45ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
aed3d5a2bfd489542ee258d24aad2da7

SHA1
349b6ead41d5e31c431bdec87168f5ef2698aa4a

SHA256
3f2d758da997096b3a8fc78ca0274b1efd67cee1c005c3008a327e7005bbacde

SHA512
d4751953ec35d1924466da8522248680364a025654c5fb29cfa529da9d6d392a6c8b04e983358964c714a7d5f5c0febf906d8c62c9c025de832f28ae2dbdbc40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4352_326839918\Shortcuts Menu Icons\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4352_326839918\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
10467efea364812633ae07ac2fafed8c

SHA1
4f0214e6bfecb4675d94aa91e0db2de0e4be93cd

SHA256
6e2e539d500302644d4e4f6a2d0088b4d755ee157ed141698da1da50addc3d71

SHA512
eb9133a53f74a1931e303ff43dbc1e1d9ee585dacf6a56c9a6918acaa99128e3ca8fe910c98000882f727840d32aaac503e7c3438200e5f9fa42f1a2ced98b48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
ce02ba6b0684caf3ec9f8393e2e031cf

SHA1
8bee1079ef053941608e35c11639f672959d53d0

SHA256
ce2eb3ec9ff80c62744ed48995b6545a6defa3a84bc074b49d9ef8a5721a5baa

SHA512
b70d290703f70ffd074716fae4e379f9cb2546795913b0cedf5b18c9c6701b62b000fb74f257144599f523d301c6edaff0e7d33db66dfc2331d11ff170ac3eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CU5YRHNE\qsml[1].xml

Filesize
228B

MD5
94c6cd907be27bb37c32e0ae2f069232

SHA1
645d12a6b4c298b8615d1b6f7e7b8d43316b4432

SHA256
0500f788a88f4824081e2bc036bdd80b16e50443567638dd38cc1f09dfc00963

SHA512
08b8df497b891480f3bf78e26509ff10952d56b003f5d8d62263cf12f34894c7743410db9ab14606260cca6e6694666c562077e58d69a50592ea57668000966b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OJIN4Q4O\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OJIN4Q4O\qsml[1].xml

Filesize
227B

MD5
b1a1154632ca7ca00d204ba72cbb273c

SHA1
be51c6bfc9a8aeef0ca46fdd99c0974b82f7369c

SHA256
68501ffb71a5e359b35a98a37c63eeb30186e5474323bf952bc2dd3b52c41831

SHA512
9751a11b2839f123e97e332007e1ac9b05d6d426962817fd21e5b253dcb77a02d922255b818383438786aea24bc192bac1ef6a518f2b1553aa367d0164f71248

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOoMwUYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\Downloads\AgAS.exe

Filesize
827KB

MD5
740054f204e04d89ac3d3492303af00f

SHA1
be51b020670afca498dcdd7d155db6f79d647b78

SHA256
8de32a2d6730c3bb48738fd5e80c4cd2c102c00184107f454073d36a2e5fe00e

SHA512
617955bace06eeb7dbc452672e25982a7331cff686ea2803b60008221c4058e0b1d0ef222666df3c6dcdbb6a0d8e10379536e240f7f8cf1a9dd86dbdd6a428f9

Download Submit
C:\Users\Admin\Downloads\Agcu.exe

Filesize
650KB

MD5
fcd4a527ad285652931120ce8de767fd

SHA1
1e7578dd04b0145d379ea2d14a4e7eb1d90a2abc

SHA256
8f2e7ba297cb108e8a34113cd0438632c7604d19a459614ed9e5e85459e3747d

SHA512
64d69df5f0a11740c78068bb4cd6edb05076c9ee31bdb5c84a52f19ba58dc7ee76dd32c873bb78a4f65556e858cbf79e8e53089a19eef2aaaa897a8215555dec

Download Submit
C:\Users\Admin\Downloads\AkgC.exe

Filesize
835KB

MD5
c1e269398b4c686870c0753f099d309c

SHA1
dc030ebd6a83c5de194a3c26f6c8308764d94494

SHA256
2ad0ed158b46943ce321aec5bfd8a4bc5ada9d2ed071036cee0352edec1160ab

SHA512
29233bcbd44247383ed1564e73d395d91ec8e585504b08fc50e2f860c166050305b0312b906b2cc55f8b122edc653216db5f7706386e6fb6e88ecd0ffe6be6b9

Download Submit
C:\Users\Admin\Downloads\Awwo.exe

Filesize
189KB

MD5
b17834447dad4ca9a60dbdc221c80876

SHA1
36e04dfb62161d0c0cd9e00855de0cb3cdd306e2

SHA256
c1a592f328b9c7f34d2dfd9ee2f71a0293eaa4d9188422e8da8cdc0a6cc44e11

SHA512
15222b6edf303f7332e144bac4047a4104944c9c5ebae3efd40a0feb854eff7f6cf76777da7f41ef41a9d61d2b9622b86d10d231a45f68dbb77f053ce0595238

Download Submit
C:\Users\Admin\Downloads\BMMk.exe

Filesize
203KB

MD5
4c60a01ec396b0fae2837bc5132c5cba

SHA1
c73a4d7777234000d1c6b2268559831949e3c1c5

SHA256
c93d1947efc132f4390d625d8d2132ff31c57d1e7277d5ba342e5e8b3359992e

SHA512
2cae962580a405444959f12cd227b1d1ada43d2ef209bca30c86a75bbac96dc11707609e7d5dcf30b0548e8d20591bbc8869cf9acfccbf20ee5f4eb622d67a38

Download Submit
C:\Users\Admin\Downloads\BcQS.exe

Filesize
186KB

MD5
909eaf42ea646bcb97fd7c74b0cfe659

SHA1
51c3d4fad08cc128a3bf5f2c61e654be82abce4a

SHA256
fedafd2a8d76c141babc4908589c920fbe8bde565b878296852a1533e94648b8

SHA512
d82d1aeccf1d2f193b5337b8c5b075df0062e472f5753a901e529d9751f440dd645f290ff8c066ee5c07959258361394072250203e7c72bcd731c866553ff9e8

Download Submit
C:\Users\Admin\Downloads\DQMW.exe

Filesize
181KB

MD5
45c6d400ea6609775e8cd5b40f7654dd

SHA1
6302ef1162ed9f311915a8fa94f68bdcecc68e53

SHA256
775cf9cc9d85bdc3e2c82d0a16cf9c10d61dfbb77cc73391e9b72556a6d1ea9a

SHA512
479dac8ba472f5dd1ffcdd822e4b40e48ed9e3a34bb71e087e6fa916b3ac6413edb875e9519e23989bdd03a95cde66331511d68a800f32f293d64741a7de1236

Download Submit
C:\Users\Admin\Downloads\DgQm.exe

Filesize
194KB

MD5
9e2164203232435909a25ddf295807b1

SHA1
634fb9f1d6532e5f1d5907f4ffe434293a3409b0

SHA256
9f2229c5db686c07f945163fc2c1e6c5fb2c9afe9c50e04909413c40bed610bb

SHA512
0ffe602f60f72c4378c71291c791023ff79e9cc0c3bae5e87388d17e3b719ef2e1e080fc2e62fd1d8656c3db90864227d877db17870c59f81c5ef714264ce16e

Download Submit
C:\Users\Admin\Downloads\DkUk.exe

Filesize
189KB

MD5
327643eecd39a82e7a695e93d99be060

SHA1
fa073385b2b02e292944b20a6d7b25d62f16883e

SHA256
b0f2eb0751fc56bb24cced5decbcca67a03730180d467361c7175403f5790d37

SHA512
79ddcf21ad349d3918f0b1b87ca8b6c3f94e82b107b4c2610f04f2c0144f3bacd2b593456372fa29c662559d42b8a6722d49c07c07cf564729bae6cd99268fa5

Download Submit
C:\Users\Admin\Downloads\EMMU.exe

Filesize
185KB

MD5
026878b0ddda99577ae0e5d202f282e3

SHA1
c6f2089bc05c7575e6c9a31f91a6e391e673958a

SHA256
fa7f1524f08097e658a3ee692d6e49817f733a7504b497487281533fcd6fcb97

SHA512
206644d6979a9bfd46826f28f6a933a51f8604da83cdd7dbaa9c9ceab5ee14ca5ceb856004233283f62b368c89a728a4c2521fdf06e0905b55d05779569a6fff

Download Submit
C:\Users\Admin\Downloads\EokK.exe

Filesize
198KB

MD5
631ac5227214f3d0dc80cf79f402a299

SHA1
59e127daba5e6d73fad51aa9a18db1c6b34b8095

SHA256
54ab853d08b23fd068c2f5b2c0d0468db73cccc42c2ae642b359fcfe10123a6c

SHA512
06ac98a0b97810c455367a4d4727f515f592048bf5c870a5d1d3f24274166355b987a63406be65df07a01202d930545c7fa90184dade8e5cc6d13a5c3bb30f16

Download Submit
C:\Users\Admin\Downloads\HEcI.exe

Filesize
187KB

MD5
c28f9ba10c2f8af9b0cdcf0ce9ac8346

SHA1
275b67bba1bc9a038667a653a3410d156697ec45

SHA256
e147150f90f272c7126ed8d95da78b933dd8f8a6c470e91b38ae8a207e58d3d2

SHA512
0e4dd9c9594554f0083f07dc3359d38a5f70cb78f474a2902f91cee7ee0c1eb195c9dcff5c0ae45e0d63364347c9f217727d45ee21c236177cec775e3e05cfb2

Download Submit
C:\Users\Admin\Downloads\HEkM.exe

Filesize
1.0MB

MD5
8fcffac2cab4df8b53d2c3c4a8dac2f8

SHA1
d8b71afcd5191ea4c1bfaa5b70b1d33a52cddb6e

SHA256
5e955fbca2764bd93034549cea2057e49182745cf7bd9b50e53ed1ba10f1bf7f

SHA512
288dab37be19edb0ba770a5b7229d9314fa16ae5ecee8d4dc40905f79ada8bee94ed0c9c6f4643e7aedcd8068cde6ac50fe225dce6c7c9aa0e04b652afa3a80a

Download Submit
C:\Users\Admin\Downloads\HYoC.exe

Filesize
813KB

MD5
e9ce5ff2b883b966e6231ea357259b19

SHA1
5e36c9ee4a72c3e805b218abc099d99dd493e238

SHA256
fa1a28c63e04efcb928b25609ec52203d9fa988ab7c6ce84e8919c8d56d7dfb9

SHA512
c3700eebc2786f168ab23d8f8fdb0cda712f912bf64b8bfb68008753188777d0510bfb65ef20ecb68cd08b935ac8cee543dd195faeedf86123c7c5ca97223c01

Download Submit
C:\Users\Admin\Downloads\IAIm.exe

Filesize
192KB

MD5
cf9abf9f976fd3593a348bf221438fbe

SHA1
bcae5e5f51d12920add145353bef9066ddb973fe

SHA256
d63959675711c9704ddbef230888d75e17b0e88a1dbaee57c63862d53641735d

SHA512
377ccf7b488039639c92b0760d4f5774f92763b8ef0e1891e9eaaefcdf789e82673808f22ff136ce11210661ac1e58c89fb6197addf6171252f21c33f47cc5c7

Download Submit
C:\Users\Admin\Downloads\IQkw.exe

Filesize
201KB

MD5
e56bf957bd8e8d640798ed4c7901cd8d

SHA1
9f8d18ffd8d96ad13fa3c5ceb31c88ddc4ae3efb

SHA256
7db4dd19ed25524be6dcab62f79825a4aec18591e06f315c2ae7671c17258130

SHA512
fbc74458fee8ea5df08de1480af9a7b40b45e630bc484239d1fa6b9b87919305fe7cbc0f4a2b4c5ef03686714032076f56d3566f9a573a17e2f9ee7abe72c3ca

Download Submit
C:\Users\Admin\Downloads\IkQG.exe

Filesize
208KB

MD5
21e47c49cf30f9183cbc262ff10c057a

SHA1
65de47653c4dd7f7363e21bd68f1e577c743df0c

SHA256
25b8c23b86a1eccddc8e3b0e984ee36e47ffdb10656c4206e6ecf3f015879db7

SHA512
720ce0f5c3a30292773800ecfddf8807fae6af940929346c4d29a1b1b74b1a7be2f66cf8205c9d1981a1c37e7bd420a8e052d1562fe06e2fcb45d48de86b9f06

Download Submit
C:\Users\Admin\Downloads\JoUu.exe

Filesize
317KB

MD5
3c4466804b794b860caa59051f4b39dd

SHA1
c04dbfda2515d6aa84f7840a3d587be2a3abc9ad

SHA256
d9ef59208b0bc34a915806784ebd17bb9dcc7175532f0bd06ae50f92ccbb0786

SHA512
bd66f292b7cc83c88338ec8661a573d8f58f886067f6a21b50130e77c62945cea04109accf08b0b3451039461dd073aa0505903dd41964725812b53b09eb2cca

Download Submit
C:\Users\Admin\Downloads\KEYo.exe

Filesize
778KB

MD5
171dc0de85d2dfaeeb724cf5dac00688

SHA1
7c25fea008a3eb2b669c698bdc73d07b86bdd8bf

SHA256
1ed531b440c66a25b3ac029a2ca01165034c6256a27375690b1d8d4153c848da

SHA512
7dd5137091312bd392fa79037144d8732ffa9e1fa65007c5f3a8bc9341f00cb1aaaa3e18ef613ee22dd0cdb441ea8811aca307991c5ae5ae9f78f401b8462c35

Download Submit
C:\Users\Admin\Downloads\KEYy.exe

Filesize
218KB

MD5
b3095b8a4feb0fab9bae7c79b2179b55

SHA1
3a67699f131989370ee8873aaa7ae130333afcd8

SHA256
5d9818c0b43c95001e69cf20c4231c6fe6a712a460ce2daa9742b61bcd866e43

SHA512
234bb8c20f8f1757f11314a8d8a880813fbc305068147218497090ddfe1eb37714782830c39eeeac3a6e3cecb9b196f5d182e51caa19af960839219f7cc7c18e

Download Submit
C:\Users\Admin\Downloads\KcAI.exe

Filesize
192KB

MD5
553743d96bd6fb878147b21c8d2ae3a9

SHA1
d12b65923ab94233dc3821a3b9db11bfa448d1b8

SHA256
008d5df5a066eaf11cd610e99da33bccf63091f0584a00a52b07af74abaf144b

SHA512
b413225f2bf73c0c0004fc1107accf9e1f8f0b160973b14f746f7f83a184afac1fb1c3b49beee0c69f4cbb16c8fc14568ac04be333e99bec6de6dff86b89795a

Download Submit
C:\Users\Admin\Downloads\KoMC.exe

Filesize
890KB

MD5
30cb75c68d7fdf6547f431a0726c6839

SHA1
5522b5d24eca71263f7ec637b6956ee6574665af

SHA256
9932461f328ed6a2b36c65fc7726d306f734a2e82401e278e08689263c5eb9ae

SHA512
9f45c8916207cd8d8fb4a99f78332a49ebe841879895eed1e688b6734eba1a7bc170abdfbec2e4af04d814d7ec05fb84b763c175c830466bdd7a150aeca1f675

Download Submit
C:\Users\Admin\Downloads\KosE.exe

Filesize
188KB

MD5
8f3328190307271bf0e4722d8f359238

SHA1
e8c1c3fdb5cedb15dcada110041126e55cb5bfa3

SHA256
61aa88e35f94e55ac597bd34460e051eb25f961d1d4adc2749e71b39c7712a5d

SHA512
cb29f5fd6ffd2692727605d2a4f8283343b8f414b58bb1e0e89f96d541e40c8c0536b3c002568b32edc6d46e0211ac1d88b74f7ae1b6439574305cf56a3cf1f1

Download Submit
C:\Users\Admin\Downloads\Lcwm.exe

Filesize
203KB

MD5
fa8c22a44dc54341932eb3bef35ff8b4

SHA1
a384d83ba3e76509339263ceced1fa6d0f02ef50

SHA256
04626cbe0cf8e9b4dcafbfa29a5c20c9af40e0c21219d21f372ac10ff64712df

SHA512
de8d2c4e7eee1b83acb9409ae6443f76bc6cb28d2ebb3784e076b7c52edac0c0a78812ab8d39afa03d07587795d1ce98da0813206ad1bbd5cbfff6869f712b6b

Download Submit
C:\Users\Admin\Downloads\Lsws.exe

Filesize
266KB

MD5
45d312b10f06f4232397e04a4d6c9499

SHA1
bcad4283fa3b547520ddc597d73b7794d9397949

SHA256
c353212f6fcbfc76534b7901a69c649705fe8943c56794729587b252a08394db

SHA512
e130833c26acfe35383d74413647b1f3fedaae666572389e8a81527cb7ad32def6b4cd23f81c748707714026565b61b519309714e1a83435a11b887b30a68c2a

Download Submit
C:\Users\Admin\Downloads\MYwA.exe

Filesize
192KB

MD5
2b120ec807eb883e870955e5bc18966c

SHA1
14f4d5eb9a30a134e07f2c0013a1ad7826e8b528

SHA256
74b945ffbb2b2ca3aa4a36d86329ac7abaf38375a147ddaeb99e179c70221f8d

SHA512
9426fa997fdb6afb14d1903e33b3c7520c88008f3f4277428aa9267bb05ec7f7f8bfd199d7b22dc7bc44aefe81c38520cd38f5a792718a3b6ead7e7924bcebfe

Download Submit
C:\Users\Admin\Downloads\PIow.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\QUMu.exe

Filesize
185KB

MD5
1bfa32867a1c3db02bbed9cabfc7eebc

SHA1
5d9750e6f9e75a29cb2913780539eddeab5b0303

SHA256
785894344929f79f2fc391d20324626ad7b57afe542b4e360b7b7d050c0304ea

SHA512
750d2d717dfe0da19c00bd48429119b9278fbc822cd4198530f44c5525530dc8f593105fd5389350f22174d6567e1746269bdd84c061da81673f6f0986620a85

Download Submit
C:\Users\Admin\Downloads\QUQi.exe

Filesize
197KB

MD5
e9268fe8633493db84ffb812879bbcbd

SHA1
22232a499b77880bd2200f0b426d635ddd526751

SHA256
dd6a7b5239ae11857197f9f5b2a0364ec75a73e9478c799a9359b335652c0f2a

SHA512
0611d8c0f834cd3841ba4aca7f4d2bb31051221e724a008975ddc1623fb33794d85987797ff6f30bfced8bcc440ca8233c3a4b76a39bfb4a5da24d5a52cef5bb

Download Submit
C:\Users\Admin\Downloads\Qooa.exe

Filesize
198KB

MD5
07e3bf26092da7146bf7d8787890797e

SHA1
1832e63f1823f90c0c1d327e8aa048b1ddde70d2

SHA256
f0a64f1e086acee3e903e5fbaea677a179bb9a34546c66a786e811615ccd912a

SHA512
a1c1aea33aeeb781286339210a8110dcd63cdaad2ce35d0464e0b09648b56a8d087de91141a81c3bcf5ee3436787b7f54c5d30e1d3c56397d909ddde0471cbea

Download Submit
C:\Users\Admin\Downloads\RQAG.ico

Filesize
4KB

MD5
b2a9e20f351b70b21469e4a4ba1d3506

SHA1
675c9c3d241e8d392b6aba6b98a61489692f1541

SHA256
0f015363e17b4320aa73bb7db01a87773bb171120ef59cb9ebdc13c857df1692

SHA512
6a6d7911e2038a2f5179ecc64fc03c3dc6f34a5e5d726b65efb94ff1ef420ed68347147037e78f82aa68ced95dc5d6b530bacd805387edcea51dd5b04a9f16ca

Download Submit
C:\Users\Admin\Downloads\RoUY.exe

Filesize
227KB

MD5
f09a62cfe1d8208c64b0684c4702060e

SHA1
8241545daa0e8cb1f6470eb660c5a587b7d0d8df

SHA256
451abe21a84cfdc4146ac61f9b2e6f1363a6f9bf7816b6df24fcb09e6fd5dc60

SHA512
3719cc7cbc0a8413367d542b56ccb7f0af77be294af12ef81c03fa9c0d8229d3aaff90b0ab4e26e72c9e3073a737808f0cfc9f0f67fb5ae64399588798827439

Download Submit
C:\Users\Admin\Downloads\ScgK.exe

Filesize
206KB

MD5
8363947d2a5b8d97b6f6caa06dcdb80a

SHA1
d8ac22e0947b4b9c94533f0213342a4df0fae6e9

SHA256
511199a6ea05f89605642465ddd1ae63db8f5e7ff697c195a0af92557a7e7dd0

SHA512
c087424179ae9a5877e7e1141d1316d4973c248e317aa626a3b63efd98b6e4167109be02938286f25bcbcc6bcaa6bbba337ba90c1217e2f1fe6c75496355dbc2

Download Submit
C:\Users\Admin\Downloads\TEsQ.exe

Filesize
192KB

MD5
a14ff33157b1eb01dd2b800f99062826

SHA1
ab0118b20ead2e875d86954b68ba6893c4d3b7f9

SHA256
2a62e7b7cd31f186f153ca3a9d413adebe7cff0191b0f7b7d5e7bf556fd5bd2f

SHA512
0b0ea611b11a9519683b6f62f2b668d7c415502d7eeb460ecf43e756a5eda020ba82531d96f7b620eb52d29b852e1ff69b24a44c233c568a403e0d5380894c24

Download Submit
C:\Users\Admin\Downloads\TgMy.exe

Filesize
195KB

MD5
7b8918c6524594434ec848ae619e34fc

SHA1
a6073a3632ce1974622e388adeb34cfacac65ad5

SHA256
fa1a587ace3ad641546b773c4c41712b747487662b90a48ab0440f13d67d93d3

SHA512
819643de4bd8c0f06cd4b253737ec7cf1f7e77212f41016c97205d1e9d9cb5a7d3e1552bd9f335a51a6c9bf33b64a31fd4373fd82b597062c7996742e5a786da

Download Submit
C:\Users\Admin\Downloads\ToYi.exe

Filesize
198KB

MD5
ce02471c921d909255bf854c91374340

SHA1
23679c14a77c9dbd9be730279a3151d85ac195e0

SHA256
384d75bb771f982397112c257bab976beec1b978cf45abf5e6f98b885b850a03

SHA512
6e091ca665692320901fc38deded868daba34fff50145add26ee10d4acd714291ca5e961a9f4376842273a36ed773b033e7e26b8d55294a3b8349252beafa378

Download Submit
C:\Users\Admin\Downloads\UgcY.exe

Filesize
226KB

MD5
fe45a976f8c2cf2d5f1cdb250f27d0f9

SHA1
5ea5b94bbcb68f79872ff5fa0af1c59851fa1805

SHA256
87cceafe171b113aa2c14b809dc7406d7759498885fb19274ee2d181940a7964

SHA512
60ea90a52ecc065f3fb901919117e681962fd31957d66c9c9e2bf0618d53278aa3fd1dc63c507b6bc01074669479e71930524c98395c431cbd9484a6801740e5

Download Submit
C:\Users\Admin\Downloads\UswK.exe

Filesize
577KB

MD5
a6d55a260ec03666d626930748e55920

SHA1
87e2d4263afc0fc68e7e2003fdcdc2482c39c1e7

SHA256
18f57b0ad3d3e41f40efc6a1f50151fda490556f33fe9d0f61fbbd487c2f9a51

SHA512
1b03ab618abaa894171f347c6d2b60c4206daaf4f2814afda05dabe9db71e8e5fc6259733c2059f9e531454998df63d73d2d5a43b401f05db872a7f78daf2493

Download Submit
C:\Users\Admin\Downloads\VcYE.exe

Filesize
193KB

MD5
393c2d6939aa5b9d7badb74d3b971409

SHA1
143c215e39c4d3f2873f447d91a1d23fea076307

SHA256
9a7647d23e97cc2649534fb9bdb9232f11e6f62592a5466442c635d0c7436cd0

SHA512
79b32b7273872f5b8b8f60f7b72718d8af0ea3a2ec0c3cb70e6b185fe53cbb4c8af9a6a5860c377597198ca94527af83a2edff88b9e57a12ca10a92d56c2bd99

Download Submit
C:\Users\Admin\Downloads\Vggs.exe

Filesize
230KB

MD5
d5194e9e1845855c28e489d5e178c363

SHA1
eac613936bd9c2d500817b88043e210bd956189b

SHA256
fbf77294a78d58eca316a9ab1d90b663d765e0a6c3f79aa38103f2e26341227e

SHA512
5b87411b477fea02755749e18236a319888ac1e225ab77e4aa2579822ea31ce1795cc662d332c64a16c4e3f69ad304a027bbd7315f09cbb4906c1f725a72fc41

Download Submit
C:\Users\Admin\Downloads\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\ViraLock.exe

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\VkIk.exe

Filesize
180KB

MD5
0540aa7d15429972df8bd22d287a097e

SHA1
7ac4b87cfc0e3b33bbb0c77da32dad085eb5d934

SHA256
7030bc457f6162796f55828a38f82187277da29d2650857b277206144f62a9f5

SHA512
b337c83ea11eb0d7c42d29973158ca5c59d321e47b8cd5f732644b0174392fe7953f822a2d13f1d28461bfe3a5a582477969906ba2644b8d23031606583df295

Download Submit
C:\Users\Admin\Downloads\WUoO.exe

Filesize
206KB

MD5
86f15ff6e7c3caf3f515bdbe901a48f9

SHA1
9255e5fdaeaf40a2bf16bffe9058c224a8e61119

SHA256
973ab8b17dfe4939406529e7be40b2724123d4f95f2b5928849961daaaa73e10

SHA512
3d2f8d8178ffe00e13353374a7b34dc06be8bfea05531fa9f53e3a6de4e69f6e745a927e1d99c32c574bcce8c14ece9d92c48758fd22c379ada6dfca58707d3f

Download Submit
C:\Users\Admin\Downloads\XQsI.exe

Filesize
205KB

MD5
a28df40f63c424bd69b8df228d106a04

SHA1
e62835ac9d85441de142cc03506532ba10978d06

SHA256
6843f82662ccdd920cb01f18a1cc195319ced7b4defd13ab7478609ddaa52f98

SHA512
d43efc67e41ebbcc7a66297756248bc45c6c82ecf19b5899ad90086f8d7d0d7c7e04a959abd51f2c84b0f3665cd8157220dddbbda93bed9d0e87ed4a6d93b821

Download Submit
C:\Users\Admin\Downloads\XoYy.exe

Filesize
210KB

MD5
e2e1c1c97f378dade1204e2676da6582

SHA1
c7930a49773b5c3cbf840d206f567802d31e6adf

SHA256
7a275f1a4c58a292e7103f866af003a66836959009812d9c81597640af79658a

SHA512
a1e20c7478c70036211aab6a916f2411aa7080d7f06fe966c3e95601c0548dca4d56fdeb21454a0a5a459b958bbcda3eac8718ce02f88d928a5a88d3a8fc8e23

Download Submit
C:\Users\Admin\Downloads\XwQY.exe

Filesize
191KB

MD5
315d846a76ee555c3e1647f8e998f74f

SHA1
89a7475d9a524e7819b2941dbc033b32c756e994

SHA256
9ac1fc4a9d0b527bba05b37b84de338d4e9666599cae0e0f7003232646d211ca

SHA512
cba8df1c03add8249287f1f81a78d1e211ed567c2533654f562b7824a08207252f99b504b1d6421e50ef1b1a679cc67ab6cb92195702a22e2de7b8f0a8020c1b

Download Submit
C:\Users\Admin\Downloads\YcQU.exe

Filesize
331KB

MD5
175455a9f77074cdd5f00d80399b08c8

SHA1
e0372c538dc518875d07b41fb0402db08ab35251

SHA256
051a1831faa564176e4c958b2eb4b1218b2be1ea59ab786d332bc3556833df9c

SHA512
2974745d4285649ef40e1749cb24a2baca780c611a0125be466b7113ded2e6d75dd980f8526d0d9eeba7e6f319ac0b5d97badeba129e4b4834c28cbd0636eb3b

Download Submit
C:\Users\Admin\Downloads\YgQO.exe

Filesize
206KB

MD5
bcd701e6a5292ef9efb86904496a4178

SHA1
0fc9d87b57b377cbccd21e8623c888844354f1a5

SHA256
3eaf5cde883dafe5ff8d9a6cf02ede3e9e745bb3ad54564a483ab8f344b54395

SHA512
39f221b5f8db5500e0214d43c38cb1b49f5d7f99637d94204b1879cf8ae2171f6d3cdaed2cfb63ff12b3e1b01dbe76376523e0d3815b64111deb600d07c0f7e7

Download Submit
C:\Users\Admin\Downloads\aIMk.exe

Filesize
204KB

MD5
79f0c1d092a3fd613e942ca5addca3c9

SHA1
61d80c02ed81f9f826a19f98feca566d28b0d6e3

SHA256
001f90a871bc88bf540a63d57f6cb5e90a5d5659724ab9cae086247ef74c1953

SHA512
0bd5c686e244a1325b9505a28578625480589eb618733d7dfa32fc7bd1f6d55c68dae8b2d53f47b56f4a6ea86ffcf4500a4e246f110127a80504c5af3b778fe1

Download Submit
C:\Users\Admin\Downloads\boMm.exe

Filesize
631KB

MD5
8641631e4bee8599f3f39192980acc70

SHA1
7ae2478c5fb13c9be1510bb54388d7249a34d9a1

SHA256
3138e614007df04ad6667e24910b4023b3b99b699eb4270df78ad2db8a26c1d9

SHA512
037991390405282640864a2bf568d4ebb545e7b5c89b6527a5dab6f230fdcda8853ea014269fd7b7af75395982e39143102838de3897d320c8a203830c0c3a2c

Download Submit
C:\Users\Admin\Downloads\bsIY.exe

Filesize
199KB

MD5
feae1922e243012995c90cbbc41b31a3

SHA1
12911b469499a6be242b87604b980ed3adf73e54

SHA256
31f561a47277bce0a6c62dc3ce04dfe0da910e3ec134dc610d524ed2fa283978

SHA512
2f51537b9f8a34132e3136b6e57585184bf3fa5dc4e845b3c078c7aee05a9099c26dcdf5c3a4953f28ca05ca87d3b0cc48f05ee2ea959f01cb7a9a6403b560d7

Download Submit
C:\Users\Admin\Downloads\cQws.exe

Filesize
189KB

MD5
2ebbeded840e72dc7ae4d952e6a7b294

SHA1
622eb4bcb5c956cd7d08ebd899ef95f4d920232f

SHA256
2efb785746bcdd51d23fdd736ceba01c1dd9b9c318e6599711a492123744dab5

SHA512
0db337278155054e417235c375e5186b57db06667edece7f07c7be89bfeaa18133e163b33baf6fd54a5d0d357e1e49660c82e31a74e02a97276411066f4cb296

Download Submit
C:\Users\Admin\Downloads\cUwi.exe

Filesize
787KB

MD5
b410d1e605f5782b5f6655e1be08b8d5

SHA1
5448153f4ffb2be48062e6398abfcdb8de98fc2f

SHA256
0c17b6c0be1991b07870bf62e62e2d76f590fa3671b658339794534f653dddcb

SHA512
ee3cff9982bbd24810e36d8032da5fffa84ce9b8ae76ed07f6496f66ba37e69b80f8c6dfe41db8325104b288c5017db81041b847da119351379813af955b78d2

Download Submit
C:\Users\Admin\Downloads\dMkK.exe

Filesize
187KB

MD5
8883a85dd37aa866afb372598c9547e7

SHA1
96084982a1d7bbc35951c1c40eda167eb6c882f1

SHA256
6f65d0200736b36f0d615d47079f330c03303f7e8a07edddaf89c240fcccb801

SHA512
40f5aa942df81a40f214d873ef7a801776a4b927918e11267112ebe5422f32aa92e3413467ad49e45e22c0b2be2d8f93058fb340dedfb0153904aa7c20f85e4f

Download Submit
C:\Users\Admin\Downloads\dcca.exe

Filesize
182KB

MD5
b0c945179bef42e9f61d7bda9e49e13f

SHA1
43bbca54499abc75c3af4875b3f72b42674ee8ba

SHA256
18ac07f6ffaa5bc6dc1f305b4c380a5fe43c0b984c746b89dfed72558e0be520

SHA512
a8c6235e577939f287902537acdec8fbaa1808f2220f6643529670a980d76a11bdf3fa872ed9c85cffbef4a5499e3d4c6852c75aeccd7c320bbc035a48826bc1

Download Submit
C:\Users\Admin\Downloads\dgcg.exe

Filesize
212KB

MD5
1ff57283a0d6982f49a7f09ededb7fe0

SHA1
4cd2a331d7769ae2f8770df142efd687113ee90a

SHA256
455ece4fbf56b0abddf16581a038cebe279f7ce66e9f58c9c2130d2099199c6f

SHA512
628fadfed3836d88b9eb840b4c31aca46bfcf2bee7bc56b1e85f278f712b89f44e5f8c0dbad4559bc99c357fa72b396671bda47e36a13fbd5e9d93a44e54b5ad

Download Submit
C:\Users\Admin\Downloads\dwwK.exe

Filesize
219KB

MD5
de078d145896d280b8ac309fa8c0720d

SHA1
e4c3317938c55f60264b6b82b297ba652f221534

SHA256
6713be53e3739d2d5bce35a1005a58f294746db212b81c4e6de7d35f557f2085

SHA512
4377d408e1ee28b814e9fab615284760d2842f15572204362de60e864300835a33fbf058ff255457af70e55f34d551901bc9a84a65dd690b96a36869b51dc80d

Download Submit
C:\Users\Admin\Downloads\eEkw.exe

Filesize
198KB

MD5
f715d0eb4a6cc2e017b1f3fa5a9c5ae7

SHA1
e494bbce6af20d393f392e8b23772f4444e13568

SHA256
9f569548641afb8ce002f8e6bbbccec1d45b2458af0b0c560d697f994e456e51

SHA512
97b921f7e9ffcb4cf9ab281c3709d5f2c86db4983483b06be00f2b6355960d0d08f95d6e0bf98560e33b520429ad23aca92de733efa914f47a9968e0834f10ed

Download Submit
C:\Users\Admin\Downloads\eEoO.exe

Filesize
594KB

MD5
ac6c0f14da393a9ba2da064a4704d039

SHA1
3c5d7074b4073e0e9d72b9659335655339a3ea97

SHA256
0a8e1ffa754df7d6a96e0c22bc860717744992238367920e2208504fc2698376

SHA512
2d49cb65fb70224449916d6fe510b126f14ca2d5cc17b24c05956489aad4645a7124d8b2519e6fa9debf9bd078e6fd23974090574f3adb1804ed36d8fe96f528

Download Submit
C:\Users\Admin\Downloads\eIMm.exe

Filesize
186KB

MD5
a51d3f6afc7833d70654230d72ac58ca

SHA1
fc764d8d3d006931970b74f531bc6babfafa99b6

SHA256
8eb5d3bfb25036d41d7c2aaf7d51b002cb67e9e34e8b125de05d651f7bff8f31

SHA512
dce3501453390299e0419412746da1e6e790b73257cb11e30dfc1df6fee4cc57c3e14cd53257de7b12ecbceaefc7fc3705ffebf927e3378994f22dfdde6cb149

Download Submit
C:\Users\Admin\Downloads\fMsI.exe

Filesize
627KB

MD5
af3eb2134e2153704538f3636152ff00

SHA1
faa0a06fec93dbdebd2bd6644e3ee44705544629

SHA256
1b89c1a168fd64c16b5d3b091def494ba729f3a4f1d7e35db23ee42e84289c09

SHA512
b1706fa323165377adc3aae85e59c6d537250cd7597f464cb0289c275e4c93a9d9202a664cb1de6113028064be2f0207eb0515232d5546e5605cef66c18a42dc

Download Submit
C:\Users\Admin\Downloads\fYYK.exe

Filesize
811KB

MD5
dc840dac4d231b17f83ec2e1ef21528c

SHA1
272237848cb33dd9d2ce0a8a6b0a6cee443a0aa6

SHA256
1ce99020e878b3c088fc0919247300bf9f001a3680f1b2a1feaf2e24a71532a3

SHA512
09e338c05384355c555d277f706eeb409864c71b45ad0a7351fdaf3425f32436d55b618d5a36dc6baefa40cf893f2897339dd6ef8c8e705b3efc9a6ddb26ff26

Download Submit
C:\Users\Admin\Downloads\fkMq.exe

Filesize
197KB

MD5
064a81396f4e8c9ec386970b6bd504a0

SHA1
0149b15bd3b1225e0229d273c84ed62c369ec744

SHA256
0194ba74f34f505d1b6d004ffea451984e0e33909b7ecff0d1aff9dbe4943ed7

SHA512
bbf1b880b67e3dfa0fbf3463bca2aef12ecd9745b9d716b4eedac2dc59344a692a3691b5d03f2aa2041d205c56666631e1d16ed44de531350cf57413dd99c37c

Download Submit
C:\Users\Admin\Downloads\gEUw.exe

Filesize
731KB

MD5
0abf7e697906f8ce00663a578576eeda

SHA1
fd896640f9f3037ab733da4bb4c10c13f061e25e

SHA256
b784c73023994cefcc6b9e2871532b3615203b91d89cb7fd7cfa87bce8cf7d98

SHA512
f5f6fb2165dd890792b9bb15873f8711e7e7eaa8b598cb3c7076ce111c15a938f97f6862b89a940a1125f43c504ec271ae57822777f52e8fe323374b3aeb3675

Download Submit
C:\Users\Admin\Downloads\gMAQ.exe

Filesize
783KB

MD5
c039c260ec14276e96257fb141de5b29

SHA1
db7f4385e7ac3b78f912a44fee78791c88ee083a

SHA256
aab8fc8ca74e3e0f96db38c1acbc13a56e5eede85328839925afab257a6967b2

SHA512
422af4180e08e5082e660aa1d32f060d96b3137cb41035c769d128d9a5fa6e146dc1a70a1d30af690eddff9df8742824b09c717bfd0780526c42d076fc3b73e8

Download Submit
C:\Users\Admin\Downloads\gYYm.exe

Filesize
808KB

MD5
16d19816a5577deb9f3b6bb2b75cdc51

SHA1
442e820f8ed2c9578395ca4bc2961697751c4109

SHA256
75c5b7d743b028a393f3772bb32e6b9139b124dd4d3d2a933075aadd2643e331

SHA512
958b256dd1627c48169a5e3269a4ee07973bbbe04491d1d7d87072c81f0aa26ee015ed97f0ae2755c5162446364b551dafeb0c473c0e0ff8be66ba48c2db9a1a

Download Submit
C:\Users\Admin\Downloads\hYcs.exe

Filesize
198KB

MD5
4a185fb08dee8a15918060ac96f51643

SHA1
c1185dd98a65ff4c82d706ee25cfbe54c928c444

SHA256
a0592b4e7dd969cc140a7d81fb51112c866a9df982a5813c94642c0f2129983b

SHA512
4347bbcbf09e4b3be039cae75af55febd6f6ad50f5cc4c2119f48c69d0ad8fb364a90e747a3ad635638ba9f5cf352509f8137b8a492a6a807d88721a9bd24a6a

Download Submit
C:\Users\Admin\Downloads\iIUS.exe

Filesize
6.1MB

MD5
7f78593e5deb7fc5c01665eeb4924814

SHA1
a442d45c72fe6eb273a801af8d5c9b5fd7ec76bb

SHA256
9205b778ad0a2e6e39b8d8e2b594a5f1fbc9c128dbf8d9bbd714402a41a1b354

SHA512
3a660d4fa360c4b04986756aa85035968c740a91733bb4185e5030778a3f9ca90ecd21bd3b93108828ebf232bd3750e64c87242c318bd8d09e8e25f2ac44d72c

Download Submit
C:\Users\Admin\Downloads\iIcI.exe

Filesize
463KB

MD5
f9b3a4101ca7ab0375784b294fc3d009

SHA1
c113f83b456c2959406fccec3063f46cc85506d1

SHA256
4ac0ab3d328e5b8a546fc267d32b6d22a4fa93a8405a280583e3f3b1970d40be

SHA512
36cf02cd6c3aa7182f39d839daaa26ab4ec10fd5c2eeb3e26211c89e6ba8c722c223374a6e1ad46f454d70b8c23c4ee7b51f6ad4755ff0abc8b54ae0fadf65ab

Download Submit
C:\Users\Admin\Downloads\iMQU.exe

Filesize
639KB

MD5
e060962e3ea9c9dcde0573c1a5c8d327

SHA1
7db0ddfffea5235564d39d8a82ee633c46986921

SHA256
5890489d0dfd533bf446fd7f2cca161cbdc1df4f0c9b32cd4b63747554511cc3

SHA512
5f647b8d858e9aa462126f5032a4d358db934d4c6a0de7f971d452ab7ae4f8ddc635ad7d7ddcfeb8f00ec00e45ff9fdeb6a9cc5e0765556b2a223de255328291

Download Submit
C:\Users\Admin\Downloads\iwcs.exe

Filesize
194KB

MD5
8d72e9774f4a5a68bf15c4d3c8d057c7

SHA1
4044cb28c06521655c6a0d1a61c1c1c08f440de8

SHA256
f069dcfb9d3d838d780d314215a1a1a3c229af04f4dd1f9e079996249aed7ae2

SHA512
6dec9c1e91d1eef2790d93f7c51863515ebd1539e0d5b37e703db5f0fb829e9039a7f9fb4172f2369931df216e0bebee941140f1e99bcd9115b66cdeed253d1f

Download Submit
C:\Users\Admin\Downloads\jAEw.exe

Filesize
6.1MB

MD5
8d36c1dd3fe18f921ebfaf7eab813c53

SHA1
3240945ecf42eee64c2fd5ef338f0eff6fce0d6a

SHA256
c0aa246c386548642fca2da1da469290b6a28f53541366c91bbcc063c07d5c1c

SHA512
20709155a56ab5824bd0e6669fa042d80bca0a4daec053e669cc79e6dcd86d7f7752efbf19287528e7532911ffb21aac325bfbc50490c26345296c7e17191ed7

Download Submit
C:\Users\Admin\Downloads\kIgG.exe

Filesize
196KB

MD5
ada0b17a055718889f1cb907d3b7c59f

SHA1
989c39ffc866b2cc85d79f29e8bf9172e64d8005

SHA256
d33d116f8cff770471cb8cc79924f10c370178f1520d6a47f3742346f32421ae

SHA512
db14d0ecb670ba6fe1daae1439bd0a18345017a123e7acebe4e57d67efe79b0b1b176dd0c2e1e26edfe16e1d0d4826e2341d8ee5a93ce82975a4f9698da7ca41

Download Submit
C:\Users\Admin\Downloads\lUEy.exe

Filesize
208KB

MD5
c19748c1b55c2a3db16e863b00c1562a

SHA1
05e42928fb88d5805309beca7e4e3e438e40457c

SHA256
352d44957ece01f207ad94b38706c7412bfffb510792f2781aca91eb68a3a305

SHA512
900858c586e0b875eefcf612ca4fa40e66de047439093b2f19b699cc19fc588ad5cbd0946580375f146f554f348f6dc6525be7dbbc225838d95169f3eb30a704

Download Submit
C:\Users\Admin\Downloads\lssW.exe

Filesize
432KB

MD5
cb8f76dcc43ab153f00ce967cb998802

SHA1
510d01e2556c635d7666a1120d7b7bcda6f7daff

SHA256
67dee0cf1af36f3fbe4bb76891f21d9e8c4c5adbfa177254384b57ce7e0e2c2c

SHA512
c0b672ffd93c40dd23ca8fff2f5621e22328c7afff37ce2295a220e0380590ea3b56624430d29af39a8b5db33b2dfb2194d89cd9e1a203c243b7f3c63ad9bdd2

Download Submit
C:\Users\Admin\Downloads\mAUq.exe

Filesize
639KB

MD5
b18043d91b4cee674da6ea5ec99fb924

SHA1
4549d5d377b8a9b794a33989deaf4352e3c7251c

SHA256
f9563b3d5db44eecdb033e1a0cc066104276aded4d0ec3f94794b669ea4374fa

SHA512
6a95693d8445d3d6fa45dab75d258f728a6d4418d5d4edd369d91362af5723bb272562604234f01492ad045133addb5462162de18caed34559d0468eddae1d62

Download Submit
C:\Users\Admin\Downloads\oAcg.exe

Filesize
198KB

MD5
02e769aac5ce4b9883066b93c3cf4337

SHA1
9522fbced95ada93d4230f172da0032827e6c429

SHA256
4672fcd793f871359df4b47f73efd750b6b4d92a98918e08c21402d143dc6d73

SHA512
77918607043ad5d5ccb82b875b0dc250f8b92414435e32e16f04a87b8eabad60682ae4f0db40b04747059dbef21f3cb8c8bb12299f3abd970235a10affd06c43

Download Submit
C:\Users\Admin\Downloads\oMgY.exe

Filesize
197KB

MD5
5196c041e30e13a3da50a59de73869b7

SHA1
72faa2f45735484fdac108e6c81fac0794b311ad

SHA256
1ab7761913de5eab1c3ab390b84b2f53295419f3caabc0b59a2ee4b51fd93f37

SHA512
b38bafe7101054006e378e589d1caf26a854884df621ee2a2bff8aa181ffceafa888aba6bd005094a441980bae85e2751ed848917590a0e0071eeaaf5e492a56

Download Submit
C:\Users\Admin\Downloads\ocEw.exe

Filesize
308KB

MD5
437b5a37867bd66a50a0ca079d6671f6

SHA1
2e266e25553996f0ec2f7e4a54518f5ac64f212f

SHA256
75623d87edfdbd2df748b991b1d2be070b9b4f4b38c3c104b65b25f51a1f3bc7

SHA512
49e70303e5b31c0603814afa4eb43cb70ef4e246b0753674298b67000c050bfad8e4e249030b950d493d34886ead2d0d17168158f30bde0d3a137c7906bac4f2

Download Submit
C:\Users\Admin\Downloads\ocMu.exe

Filesize
2.1MB

MD5
3b785cd4f2ca491d9ca28da3575970b9

SHA1
c688439f3bf73dc5e58742afd7a2f47b40530475

SHA256
1a869fe179331fa5d705679321ab6fb38c0d2309e83d0111cb1ded3a222baf76

SHA512
d8ca5dbb0e66c845280ce18cc99075efc5bd0078752d64e33ff2d943828f3f92522f7c76efb38a8d7c4f268201b098076003a7b18f16d6828cb4ac58e2792491

Download Submit
C:\Users\Admin\Downloads\ocgk.exe

Filesize
1.0MB

MD5
509467b427bb3594aa45a1d6dbaaf0e1

SHA1
a24a5473b7a52530563f9b459233cc5b209c52ac

SHA256
499f24a5537cef5f6542abffd0dcf1784dff0932e17d0136730d5b4842ea976e

SHA512
14f2c7977054ca9046fae991f5c96c12c891f53c16f743c419acd265ec9b4d571679f97fd9f6d2d77039a27e4d951c253959466c5d86094b8036684944600cce

Download Submit
C:\Users\Admin\Downloads\ogEM.exe

Filesize
197KB

MD5
4a05e8f09a8e814b88d3e2f6a2d39acb

SHA1
a03b1856745f5aa3a63e1622b99ff75c8c020f4d

SHA256
8e333f8399a8a732dc3c566b51a415ea58b14251c3719cdc5ea65c2ece5e5f9b

SHA512
e02ab756b79b0c1c4b3f694e790bfb74284242c84d2aa9c53d71bf19ece499af98c77c3425a2f83b1d5136d5ff72b77f19265990a0e5873523e40f640fff7e2b

Download Submit
C:\Users\Admin\Downloads\qkQm.exe

Filesize
209KB

MD5
2240608a315094dd89fafe431219826a

SHA1
2d7605ac98186c2821a2fede2026b2219a2e8680

SHA256
029408b20be9a6a184246cf3ca257c9052ba829d0c2038bbc84f5a1df2c8ecbf

SHA512
c3d06b365799f2803b0e0a4e2dc2da82c75afea9bb3ff09dcd1168fe22584843935b6594fc64f0d14432d7d08f0e27370836245dc9a05589b51afefd0a4c9e1b

Download Submit
C:\Users\Admin\Downloads\qoAU.exe

Filesize
184KB

MD5
8956578531f4a0588092ca4ec916f342

SHA1
e8b403031ec6bfeb6772a45191f294f512d956e2

SHA256
606f1b94538352d7a7d97295507da86e362a817b0c8755f82862bdbbfa43a1d5

SHA512
2b0ca0c06515bf736cf60c729b286262fb3868984a5135dab025133b11d7c7d117a3faf2e414da6f4c1e0fcbabddd36cc6b3a98573771adb3a82f0951bc4c104

Download Submit
C:\Users\Admin\Downloads\qoIE.exe

Filesize
220KB

MD5
9735c484ecab9dd6726631fd74d8ad95

SHA1
0aa9dc250f1616e56604dbbdda0b7a7548d38a61

SHA256
fb4829e729d23a83dfb363f1cecbf113c4a91b1b891d104f2af391ee7d9e85e5

SHA512
67e1c6138eb331e3f6852e650a15390af1d0527b807ee19bf8f7c943565d18cf08f9268b6dc2708e31e35dc15666c632d5754bf555e9f94cd859eddef11b0b1d

Download Submit
C:\Users\Admin\Downloads\rocW.exe

Filesize
816KB

MD5
6b7bb00c85211193d09080d5c828c2d8

SHA1
d1b42ea8ee51505b0c51869eae7070236f0f1df0

SHA256
619da2ceb4e18ebd1fd06b7b096c50da689b23b7a5a7d4fae5838b2b9d0dd0de

SHA512
d6f0e998b640a60ef035827dde354987d4b88a9eb6537d6b817f5e992b409bba82251eb91794374e91230777d6dc8459da515b3212e7011894f33867b48db54a

Download Submit
C:\Users\Admin\Downloads\roko.exe

Filesize
205KB

MD5
9a992775d02df61aac58e8a49010680f

SHA1
870efbcd084267067ccf8cc89fa1009b0c97fd0b

SHA256
13d7fe5e98c321dc2a272b8d96478885c8956d169f9d89479dc459b571dc4623

SHA512
597f02cb71ddeabc9df54ed3bb0751151509a46be48b3d389ee537a6890d1a14eb3c1c995a9415340099c7c2c6cb80fdfe62859745ffe3810dea4551763d9c43

Download Submit
C:\Users\Admin\Downloads\rsQw.exe

Filesize
803KB

MD5
3f15b7a68b55ff099d05171382992179

SHA1
ba6a3c204c6aacd5b03c30c63b153bbf790c91f8

SHA256
8294a9d36c6faaf75c1e0e7c7f6daeb84c10fa622427fb4b70607d0deae085e1

SHA512
1312235997ea3c224663892c1d095e0f4f4b37c33be66b62e4319d40eefb5bad646a035246c852c1c603d89673e229c18c6fa3f4b86a1495207f39dd7dc18f2a

Download Submit
C:\Users\Admin\Downloads\rwUG.exe

Filesize
1.5MB

MD5
ef094c6f705e42ed6c771a32da0cfba9

SHA1
f363aea75b14d30510b70f9268e42f524793877f

SHA256
146dc88c5a17320cb47a699569c4d12b869d3ecbf680d3c4d48dc11b17c07574

SHA512
2d6491abc39da84e2f4c7f81b6bf44d18e055c2afb8e2506c81b7443f8992e01d2220a9c5e0718641105a4f21d47794c254998fcba15c569d0011ed9723d343d

Download Submit
C:\Users\Admin\Downloads\tkAM.exe

Filesize
204KB

MD5
8a1e38753f94b230198c7ef9081b4367

SHA1
6bd22e008fba311911e40e7c267a1f38aed0877d

SHA256
917d636e95491d6aab61e371de3020ce85b6fae01839daae0ab534523eefa0cd

SHA512
4423d1c4d82b7b51242193ba82a39750ddb29861f3f553ead1c6452ddab079785da7162ab16ee1cd114de6d715ddd476720c80dbdbab549ecae4bf1d5b610b47

Download Submit
C:\Users\Admin\Downloads\tkIC.exe

Filesize
328KB

MD5
1c5ecf66a5d3beec84ad082e1c8f2d53

SHA1
e1baca19bba2e9dd2e8ba1553d75be874cc1001d

SHA256
fe3bb00d356e44c66ba3c562be939b184c2fe112db8954f82610891fde45ca32

SHA512
5059d65f927320177aca5a4ae82f880b678006cfe765317b3fc0e8beaf84e20da8311e4461d6caf13069d12681a8cd12d9f4266d3c29e973f946b9014b73206a

Download Submit
C:\Users\Admin\Downloads\vIgy.exe

Filesize
201KB

MD5
15f34307960e64eb57dc7db177f8ee4a

SHA1
ac3de45414dca3f20ef826a4cfb64fdffb6e22ea

SHA256
39645bd2d167253fedc13c4fd927d840e5e48ea51a3e330d6ed0cd46d0e46f18

SHA512
303e172662fd16a766d9db0df31c482e97a38a23ca25486f03b4184cd60ef3a43407e375279914b1c25d7340ebbb7fdd834428df07e4dc0b8cf2205ded290798

Download Submit
C:\Users\Admin\Downloads\vQEM.exe

Filesize
197KB

MD5
59b43266059bea19aab6664a98b3d21c

SHA1
446d4f0f24977a64a3a955c40cb3b481a0b477e8

SHA256
7f0ff05c95ed4b7993ece25c4b7c493b60af18b0df80ac18a78b1672d4b5aaf0

SHA512
1a30fd2e37fded1e75a8d93ea115b8b83c6820a11e6c3d89f27d9c7b477aac098f4ee2508a98485de4ad908f24ac8f4aa2100d54e0241e8dfaaead8389ffd7f3

Download Submit
C:\Users\Admin\Downloads\vQkq.exe

Filesize
207KB

MD5
8b9ab09a73c2724e128007a740d5bfbc

SHA1
e7730c027c29516a52b4241c9785768d7ace15d0

SHA256
5623188e4827081bb3d208657bc880e20ba23a3e4b98f10528c832643e56f80b

SHA512
fa2ae3b34efe05f165a0fcb46af925d7ca66615fa892d48e3855a4a79feb624d195825c27745a524ea7b3e5f377eba72475507f3c8af1c1b179a174c317fe10a

Download Submit
C:\Users\Admin\Downloads\vkww.exe

Filesize
191KB

MD5
b322e754c32051637bf1fb211383e05c

SHA1
6b6f088edfe098dd5aeb51f5fe6185c5cc76ec03

SHA256
10be25a6495b922ab8ceb2a9036d4bf21fc36caccd2ab2c1e44fd7f97a767b27

SHA512
e9f258a1aa19509e427f2c6af71413a105e8a98a5adac7604733d34a10e301fb4bcbef633a2e2dfeb3680f904ed3f69a207a3592a53ea79694fd16f190934956

Download Submit
C:\Users\Admin\Downloads\xEYO.exe

Filesize
204KB

MD5
2e658f50562ab965488ef3c4771caa24

SHA1
d31888eddd20c9d86ca54778628f3460d93beada

SHA256
343fb516970c7360696a38960f81160ff00c5de6baaafed7c6a4843683af601e

SHA512
6a5f61f381c955f777dc7336eb1bdb02968b698afe06ef0834666cd3a0392064f81e61f88e7642674d84869ffea238bd59335f7e37412223b6bab0a3f873e626

Download Submit
C:\Users\Admin\Downloads\yIsI.exe

Filesize
204KB

MD5
184fd834b8ff3cccd48d7a2575281b10

SHA1
0b5d732a276f70683099623e0709cc1585981921

SHA256
70b9bb37bebcce363fa5d9967c98ca2298c49b6642f7ff33ca5ef673010c3ac6

SHA512
e8aa5a9055318fb0fa12eb5b0cc4dac3ceb68afe37104e472b679701f4c9284af0c8d2ed18b44b871a510defce737210895b309d96537c14a2c85c7d80e4161d

Download Submit
C:\Users\Admin\Downloads\zkEQ.exe

Filesize
1.7MB

MD5
1160f2342ca0f415aeadea111c2926be

SHA1
92e2a276b3f933f0e2047139f8aa4a1962c9db59

SHA256
75761211d4c4e27f388a5bcd51e5f0a8dbb912958b02e04d09b6343cf3dc3bc3

SHA512
32e526c99fff765d9820ae24065e961c638cce4e8899ad03d37c6d9c9aef91fdbf8066466aeef607a4b496e3151b22442efcbb84deac9e8c911d3b780713b815

Download Submit
C:\Users\Admin\liscsQQY\sKIIoMYo.exe

Filesize
200KB

MD5
3c9e9eeac5a44fa7d05f416cdfe3cd5f

SHA1
ba5d523c5ab67094a28a799ee43c71e4f9a95ffb

SHA256
3817196ade63e9e638bca18ef4bd704ac9a5f772a48d7f5e0c3559084b09808c

SHA512
e7141cb0911fbf890b75b539cb7a22896ba4cecd2cf5ef59dc04c6f08cf353a14c33a2ab90af353873fecacb92255455ec1597e3c32743a437b9d23e7fa66a71

Download Submit
memory/804-326-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/904-227-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/904-263-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1388-461-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1536-739-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1560-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-2646-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-663-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1776-647-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1808-550-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1808-560-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2008-758-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2080-286-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2120-610-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2312-749-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2324-426-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-443-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2580-569-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2580-556-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-542-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-532-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2648-408-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2672-342-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-514-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2944-346-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2944-365-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2948-288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2948-303-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3244-487-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3264-469-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3344-435-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3384-274-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3528-527-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3540-583-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3540-571-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3552-314-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3552-302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-477-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3976-377-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3976-361-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3992-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3992-209-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4008-417-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4012-551-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4424-591-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-496-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-504-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-680-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-662-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4632-2649-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4632-225-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4660-772-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4660-762-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4824-390-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4956-495-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5032-453-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5664-844-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5664-830-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download