3b04220c50cfe4222c6195265144848afba0e3c154a223bfe66b071231373d90

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Size

182KB
MD5

984600cb124442b3a6cccfa3fd7dad4a
SHA1

99efe726c8595e6a14fdf18af61de1cd6962d6d0
SHA256

3b04220c50cfe4222c6195265144848afba0e3c154a223bfe66b071231373d90
SHA512

5a651d8f1f3db8d154a38b35a1f36cab0d691e55bd1077d3ad0b4c09a165f63a35457aef6fb76a3495c8a5c2a5aade73657c180f9e22d519ed21b6206640276e
SSDEEP

3072:T0vAD4D4LpDYrAlHbcmksN0HSNppTQFmQ48iOXVabAOU4:TI2u4x/lHIWN0GTQ+0VasOU

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 50 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	WwUYocgY.exe
4792	dGgokMcE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WwUYocgY.exe = "C:\\Users\\Admin\\cUIYckYs\\WwUYocgY.exe"	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dGgokMcE.exe = "C:\\ProgramData\\qoYEkEQE\\dGgokMcE.exe"	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WwUYocgY.exe = "C:\\Users\\Admin\\cUIYckYs\\WwUYocgY.exe"	WwUYocgY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dGgokMcE.exe = "C:\\ProgramData\\qoYEkEQE\\dGgokMcE.exe"	dGgokMcE.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	WwUYocgY.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	WwUYocgY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2728	reg.exe
3340	reg.exe
384	reg.exe
3644	reg.exe
4944	reg.exe
5012	reg.exe
5044	reg.exe
3748	reg.exe
2492	reg.exe
5096	reg.exe
3380	reg.exe
3588	reg.exe
4944	reg.exe
3884	reg.exe
1976	reg.exe
4868	reg.exe
796	reg.exe
1728	reg.exe
5004	reg.exe
4476	reg.exe
1668	reg.exe
1204	reg.exe
312	reg.exe
3044	reg.exe
3576	reg.exe
2888	reg.exe
3720	reg.exe
3440	reg.exe
3464	reg.exe
3628	reg.exe
4964	reg.exe
2756	reg.exe
4264	reg.exe
4820	reg.exe
2496	reg.exe
4312	reg.exe
1148	reg.exe
552	reg.exe
4264	reg.exe
4652	reg.exe
2296	reg.exe
4736	reg.exe
1992	reg.exe
4100	reg.exe
2808	reg.exe
400	reg.exe
2440	reg.exe
3024	reg.exe
1392	reg.exe
372	reg.exe
1516	reg.exe
4148	reg.exe
2416	reg.exe
2840	reg.exe
1960	reg.exe
3624	reg.exe
4220	reg.exe
4896	reg.exe
2916	reg.exe
1800	reg.exe
2008	reg.exe
3864	reg.exe
1116	reg.exe
3880	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4848	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4848	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4848	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4848	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1360	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1360	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1360	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1360	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2392	Conhost.exe
2392	Conhost.exe
2392	Conhost.exe
2392	Conhost.exe
2652	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2652	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2652	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2652	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2108	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2108	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2108	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2108	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2036	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2036	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2036	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2036	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1436	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1436	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1436	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1436	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
1672	reg.exe
1672	reg.exe
1672	reg.exe
1672	reg.exe
4328	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4328	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4328	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4328	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4460	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4624	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4624	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4624	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
4624	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2672	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2672	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2672	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
2672	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	WwUYocgY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe
1724	WwUYocgY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 1724	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	83
PID 3588 wrote to memory of 1724	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	83
PID 3588 wrote to memory of 1724	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	83
PID 3588 wrote to memory of 4792	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	86
PID 3588 wrote to memory of 4792	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	86
PID 3588 wrote to memory of 4792	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	86
PID 3588 wrote to memory of 4952	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	85
PID 3588 wrote to memory of 4952	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	85
PID 3588 wrote to memory of 4952	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	85
PID 4952 wrote to memory of 4760	4952	cmd.exe	87
PID 4952 wrote to memory of 4760	4952	cmd.exe	87
PID 4952 wrote to memory of 4760	4952	cmd.exe	87
PID 3588 wrote to memory of 4364	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	88
PID 3588 wrote to memory of 4364	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	88
PID 3588 wrote to memory of 4364	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	88
PID 3588 wrote to memory of 4652	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	92
PID 3588 wrote to memory of 4652	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	92
PID 3588 wrote to memory of 4652	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	92
PID 3588 wrote to memory of 4188	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	91
PID 3588 wrote to memory of 4188	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	91
PID 3588 wrote to memory of 4188	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	91
PID 3588 wrote to memory of 4788	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	89
PID 3588 wrote to memory of 4788	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	89
PID 3588 wrote to memory of 4788	3588	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	89
PID 4788 wrote to memory of 1520	4788	cmd.exe	96
PID 4788 wrote to memory of 1520	4788	cmd.exe	96
PID 4788 wrote to memory of 1520	4788	cmd.exe	96
PID 4760 wrote to memory of 4476	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	97
PID 4760 wrote to memory of 4476	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	97
PID 4760 wrote to memory of 4476	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	97
PID 4760 wrote to memory of 4944	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	99
PID 4760 wrote to memory of 4944	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	99
PID 4760 wrote to memory of 4944	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	99
PID 4760 wrote to memory of 1960	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	100
PID 4760 wrote to memory of 1960	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	100
PID 4760 wrote to memory of 1960	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	100
PID 4760 wrote to memory of 2492	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	101
PID 4760 wrote to memory of 2492	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	101
PID 4760 wrote to memory of 2492	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	101
PID 4760 wrote to memory of 3452	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	102
PID 4760 wrote to memory of 3452	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	102
PID 4760 wrote to memory of 3452	4760	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	102
PID 4476 wrote to memory of 4800	4476	cmd.exe	107
PID 4476 wrote to memory of 4800	4476	cmd.exe	107
PID 4476 wrote to memory of 4800	4476	cmd.exe	107
PID 3452 wrote to memory of 2480	3452	cmd.exe	108
PID 3452 wrote to memory of 2480	3452	cmd.exe	108
PID 3452 wrote to memory of 2480	3452	cmd.exe	108
PID 4800 wrote to memory of 4372	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	109
PID 4800 wrote to memory of 4372	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	109
PID 4800 wrote to memory of 4372	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	109
PID 4800 wrote to memory of 1248	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	111
PID 4800 wrote to memory of 1248	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	111
PID 4800 wrote to memory of 1248	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	111
PID 4800 wrote to memory of 3024	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	112
PID 4800 wrote to memory of 3024	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	112
PID 4800 wrote to memory of 3024	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	112
PID 4800 wrote to memory of 2172	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	113
PID 4800 wrote to memory of 2172	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	113
PID 4800 wrote to memory of 2172	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	113
PID 4800 wrote to memory of 4220	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	114
PID 4800 wrote to memory of 4220	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	114
PID 4800 wrote to memory of 4220	4800	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe	114
PID 4372 wrote to memory of 4848	4372	cmd.exe	119

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\cUIYckYs\WwUYocgY.exe
  "C:\Users\Admin\cUIYckYs\WwUYocgY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        8⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        10⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        11⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        12⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        14⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        16⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        18⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        20⤵
        UAC bypass
        System policy modification
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        22⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        23⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        24⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        26⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        28⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        30⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        33⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        34⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        35⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        36⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        37⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        38⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        39⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        40⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        41⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        42⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        43⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        44⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        45⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        46⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        47⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        48⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        49⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        50⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        51⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        52⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        53⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        54⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        55⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        57⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        58⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        UAC bypass
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        59⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        60⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        61⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        62⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        63⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        64⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        65⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        66⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        67⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        68⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        69⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        70⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        71⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        72⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        73⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        74⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        75⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        76⤵
        UAC bypass
        System policy modification
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        77⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        78⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        79⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        80⤵
        
        PID:2832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        81⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        82⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        83⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        84⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        85⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        86⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        87⤵
        UAC bypass
        System policy modification
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        89⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        90⤵
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        91⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        92⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        93⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        94⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        95⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        96⤵
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        97⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        98⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        99⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        100⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC"
        102⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiYEEIgM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        102⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCQUgMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        100⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEkoYYIY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        98⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiEMMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        96⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYwQooAM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        94⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoUMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        92⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uocgksEM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        90⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dugwAUkE.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        88⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcAcwEAY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        86⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TioQoAIY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        84⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcMIIYM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        82⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUcwUAkY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        80⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmMQskss.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        78⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgEYwMgI.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        76⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uasEUYQk.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        74⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEwsMUoM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        72⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMEooQEE.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        70⤵
        UAC bypass
        System policy modification
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUkMIgUM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        68⤵
        UAC bypass
        System policy modification
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYwYIooU.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        66⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOggkgQE.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        64⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOEYAwEo.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        62⤵
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCIAAQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        60⤵
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuAswsUM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        58⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyMEgYEI.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        56⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUIkssgg.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        54⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amwsMQsU.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        52⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqUEUEMU.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        50⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMEcIQck.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        48⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGQgUQUY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        46⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKcQYook.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        44⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWgAUsIU.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        42⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euoYYUIo.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        40⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        UAC bypass
        System policy modification
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAgsgcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        38⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UacooQcw.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        36⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGEoIkUk.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        34⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwckkMgY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        32⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOoYsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        30⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyQAUQQE.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        28⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwgckIoc.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        26⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCEAkwUg.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        24⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGIocgMc.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        22⤵
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwgUYgoM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        20⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jycskUsk.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        18⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCMYQAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        16⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AScIUcEI.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        14⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOAgAMgk.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        12⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUkgsQYI.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        10⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyEwYkIM.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwEQkAIE.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
        6⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKMQsQEY.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2480
- C:\ProgramData\qoYEkEQE\dGgokMcE.exe
  "C:\ProgramData\qoYEkEQE\dGgokMcE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQAIYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1520
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

Filesize
396KB

MD5
3cb4a27b478779ce1b234619ae8b3982

SHA1
0f35f3e31026f7c5edeeeac74dea80a0388bc977

SHA256
d2e821e8915fabefccbe41cb39afe95a119a931157ad691c8a0fae458eef2624

SHA512
66bef335ea00b1e7b996ade044226f7427916a10a4407964530a630ebc72798c61791ea67971ded19bb06807c7078a0ace482f37f7f1a751715aec8145d3cfd7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
226KB

MD5
c76250d0c63ad26eafa71f99d3d32cfd

SHA1
4ad6da5f27f74ba0f7201e8fe2828dbf0587d583

SHA256
caec4e2250d83ae0962053f33cfa5114d601ed87e0c9b9b788f8d13affe5f3ca

SHA512
e57647c4e2037344fb9f5bf3cb7092ed771570a937b135bead1c3a7427b4ca2c526b9d208e8665b9513ae435fed0b465325648a7bc0e8fe2bb4a9cd4d3d7d98a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
212KB

MD5
f3e6e20114375812d72dcdc6b7a719c8

SHA1
0b0a0cceda86e1138777faf6792738a7dff47756

SHA256
6e99c25ede796e0fbf0daf40423e171cc538caa2744588c39a075e8df3562b78

SHA512
c112e3abed79a23873ce541baa4f1d3db9ebb01242436eb495faa44f9efe6fa428e502e907e4d1756509d59ede09376f8b251f14d65a50b5265d3a0af74e07d7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
229KB

MD5
419d42859d08cf135d7d1d6253a6cee7

SHA1
c06a26abca5cff8f39dee4a81b6eaac5f32b15e9

SHA256
f5dd31f53bac44d732636e31a40ce9e3cbbc8ee166d8ba6c0fba3a8893801537

SHA512
749b93340fcdeaf4e6a583bad6268da56094edef697d134d2c593b05e931c894381c9ea9de7dafb2f296cb2671fafcc24628c7f59c420f811e615db0c6eb5661

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
217KB

MD5
d0497c24e76fe525db691b807e2cf07d

SHA1
44e9f177b6fd2476e628007c64f4f0f1e12ca68b

SHA256
2061ecb8957911c341c9828d2af74201019e6f964829f62d93d88dc51a1dfb07

SHA512
2971250cc87e59138718fd53dcf7d670f8ac3ad03098559ef7d836883a498b56fb494001eaf4e3d347268681cc112fd2e016fdc4ee1e08fd254a17c97ee16faf

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
317KB

MD5
832eee7c513c4c92152ec6e866cd43c3

SHA1
122ca632b1ddcc0dd02d591283878154bfb21951

SHA256
2c6d55e31254da81f22be0ee6802e0b67ee10ada19328d979bddc5a62fc84839

SHA512
f9bd5ef0ef11b859cb59e401a63703c25a8ffac6eeb82af56a90e939b4a6d499e35a2435a0834de202be48d1e5adc303493b610d8a80a664b6f23d6ed2bb4df2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
214KB

MD5
0687d17e8184d4f83e4eb5dcc66b1409

SHA1
04f87f059b5c4c31eb3bd34583a4c40741d303a7

SHA256
d6e7ec64a364e42c8a6da4db23b03ba4ceebba28b02361741b5b9bc1853d2854

SHA512
d06a5ccc6fccceee4b15b768d03e9e74e355ca98d74ba18794c764fd9214d19e309483a6fdbb5fad37aa53355c77999073645955dd2d89d69d9cf50fe2ac5f7c

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
823KB

MD5
f21ca9483c33a37aec96235d51d6d79c

SHA1
6635d5062c0b86c9a8a5e5a9edfd0dcf04a1b862

SHA256
e597363e6a4df87f5c0793ff86899249229fd41859a342521f6f96bb752bba1b

SHA512
63dd62277bcb420241ad0b1fe9495d5927d6ae36db936e51f316347b381110662aa5a9ef79824a0d110db97f3bb0f7befd5de6f2550de998fd617355e05b2b3a

Download Submit
C:\ProgramData\qoYEkEQE\dGgokMcE.exe

Filesize
180KB

MD5
319aa110df7436e58c513674d3451489

SHA1
a858069c5d97d7d20eaf3310733dfea01a88a291

SHA256
bb12c19125940da340d3240bf0422cb6b4cfaf6cf3eb0ba0a62ebe01561c9003

SHA512
0e2cd0fbdac306e9346b6b8d76af3ee7c4d0a688046e95f4fb3eb0da52dc7f7cb39fc0aa667dab35e08177e20b55e7b244178d1871a9e58bbbf984a58e6fbed7

Download Submit
C:\ProgramData\qoYEkEQE\dGgokMcE.exe

Filesize
180KB

MD5
319aa110df7436e58c513674d3451489

SHA1
a858069c5d97d7d20eaf3310733dfea01a88a291

SHA256
bb12c19125940da340d3240bf0422cb6b4cfaf6cf3eb0ba0a62ebe01561c9003

SHA512
0e2cd0fbdac306e9346b6b8d76af3ee7c4d0a688046e95f4fb3eb0da52dc7f7cb39fc0aa667dab35e08177e20b55e7b244178d1871a9e58bbbf984a58e6fbed7

Download Submit
C:\ProgramData\qoYEkEQE\dGgokMcE.inf

Filesize
4B

MD5
e3cf52728580e7c0cd3cf789bf352f72

SHA1
d521a64735bd1cb926e9a22782b2fa79c5fa3709

SHA256
35df2e2fc390fbe4c3461271b3a96c1488f397edf1f5e65d62b399d7325d5fbb

SHA512
d15bc1af27ddd358e68c09fc20797e4235f2907104b7d32359c8efd96a437be9d5932153ca2325d51e111e647e77af7fb0d208eea189d0400de7f82f8cee2179

Download Submit
C:\ProgramData\qoYEkEQE\dGgokMcE.inf

Filesize
4B

MD5
87d581ec956d515ca3baf4a6bd6ae333

SHA1
c2aa39b73e415e0f8092ed6a2d05e409e78324ff

SHA256
c2ee2383ee653b2cba1c9b11f25c9e2007c4cfe3f06fd360eb3ba84176edfdea

SHA512
4d88eebc1b9d8bbaa56e33d6d29886ae9c25d0493ab9cd9959c6ca0dd7a1c1fbaa62d9c667b1e693df210f95ddfc9166a7c18c86eefa37f3580fd578dcf6e408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

Filesize
202KB

MD5
58d3b97761e4e28d0edabf46d59e0281

SHA1
727433dbb2fad393ec29b539de639d18a8067a55

SHA256
7186d701fa7d5cc8eccfb6f6ff01a000f977da1b6aa494b5b87105cb31d9b2ed

SHA512
845a60c910d7ba406006fbde56ea5cacb479481d42a74bf33939f23774340496257983b9497188e96ebbfe5908018aea52edc2ffd23165fbfef51ec39a8e8b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
200KB

MD5
7869adb7736b8736f31b0ce52a3780e1

SHA1
d19456f309ff9b9c479bd043ccd5b0efe18a0c4d

SHA256
8608f6d5c7f7592d162c0068a7d13a6ac1a586a30975c6b88f8dfbb4f050fe63

SHA512
cdeead1fde15ec9baadff9814ba8f84dd3e42a2c717bce88295ca06b6ea10518097247401df7aa4e5b543d9f0e33f1f82ae1ad55c365e780bb97298909e6a896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
193KB

MD5
00b893650f41fbe7fd2c1fb14988f5cd

SHA1
f502f2cf83e001e83ef84b5d3e6b9212d000badc

SHA256
b7ef5da896f65e86028a4a7789fcb9eca259cde1789b14565de11ff96086f951

SHA512
430190fb40ab9dc652e013b37315da3fefa76c25eb79c0a6253c1912ee70e8839fe21b1088677a74bf0aa81d6316e91a899f624e96ca443bdd82d822b5494a5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
186KB

MD5
caf9f8bdafbfb68b975ac7d7a912e6d8

SHA1
7754c7a47ede3c887f088bd5f4eecc58afb46508

SHA256
bfa23fe4cdeb3d07258b2bd50743e16b7dda0033e40050aeaf7b6ac354a91bfe

SHA512
65ef6ae97265b4e985f04b4f6de5008ee894fa1085b04a74b1f87ee6883966ae5619a7774c00e53cdc3100f6a99bc23add6606a59af2a5e0a56f8d330fbcc32d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
186KB

MD5
61ac747845cef264d9d42be77b6cab7d

SHA1
a65daf1dd02325afb90bd216a0a8e09ebdb0899d

SHA256
3f82dce55be027717ea4597abd6ef29267f7a22674fb4cb645322c4353720aa0

SHA512
fcc9e6056721051c70ede152d5ba65df1952978ee752ba68f64fd34ea75a96078d90757eab1e935d846185e2187b0c1171434e693bbb928eeb27c0cec563b183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
199KB

MD5
47989fb6cdfa1ac9c9f4e3168a229265

SHA1
16dcfbbc7ba2f1b606322a9af6743f23d8f1ff06

SHA256
26f34683eb7760eb692c3203271419385709682f65015f65e966ac1f604e5481

SHA512
df28605e8a39c0235d4cab214a88ad3dfa693b2627fe87fdd7862665f447e5ef9078a276f91374edd0a72fa455d574561539ce68ef275bf3cb258e718f341f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
204KB

MD5
c50af181fdcc32d21174afe3790e5207

SHA1
811039b622ba121c7f2f9e3761a8efd30998da1e

SHA256
4d2cf023856a37acb1ad2bb4708e5aa68600b33c53a6b687787dba7ce917a03a

SHA512
ff7fd19ede55b5f76637b5b0e08a474f78cf2c5897ff20b92b72bdcf1659d102429ce7e22fba709b931240df8ab640480ded891332e8d96446bf1af897e50e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
193KB

MD5
5d401040f27267020f41afdcd9a37484

SHA1
c98658c428994a618f2be552f4fd928d1354cd0c

SHA256
6d9d88aac4d8edebc71e86b0f783e653ad2c55e664ed4c878d0467c84ace86d7

SHA512
e05dc001e94c27ed523cdd0e257a0a337d3de0301322045cd1535b07080ca08080a5aaa2e78f70a1357dda852aab90627fe872c9e4d9834a6d31a9e1107bc511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
205KB

MD5
f9eadb481bd0d7afba50d6c3318ac632

SHA1
3215fa41ec907717241bd3e028ec652909547400

SHA256
4d79ee089e8aaf93af7e4cdec87c2b5b0c7da64b11c7ab418324a1d425f9befe

SHA512
40a93efee70ec30f8b27f03c4540ff1470c648188bcff0ed8a105df9ef8f19c3d5ae5360318bf75c8819b7f44a67a3c8f9d1fbb5e95af4af4f079491472461ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
193KB

MD5
5b9d129b0812b797ebcfd0bf4df36078

SHA1
6d0ca06894d4d316052ce002e03b51059f726b2c

SHA256
afaa6ded3660b2ea6b2602b8f0806fef3a910f98733dcf20a505f2feaf621cc9

SHA512
d487ddc0177910b26e7902e5589cdbea8168e00efdfd14aeb9d813d3d5145275389baed9ede2deb499815c00f56a367f2ce4aa975fedbf1c7473691b0e2eb165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
417KB

MD5
a68acd22db9624b88ef9f51cc41f48d3

SHA1
7de96f8141d53b0f6c37018e00e9592048fda8ee

SHA256
5cae2455a362d7ac97c9d28eba1aa66006ddf00bdbeeee494df7175d94620f6e

SHA512
74d25393020ad8fc0c240c280d1ff6dd6f9ded9d362d46d899a0c7132e3255d31df338ecf7128d94f3523ba3a6ec7c9cd6dabd8ca9bf9d85673f46678b232bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
195KB

MD5
b9f0ce9f4ca2e17c69e61e81cc0153a6

SHA1
1f7178911893c02a3d8c101615ba61974d54903a

SHA256
4243e7f6ba0c5a8ab56d2e11e3c8c533d01de80d27fccee80e3e4b13924f14ec

SHA512
e4e479e766f73f809d47810efd61d1e81311b17eec97e63d8678f8bf393359e50e23accc8da297fa0b0690fabd4724fc0919c169b99d64d4e7adebe881769fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
188KB

MD5
9cb6de206410d56951e07f8ea7d2788f

SHA1
3d5d69d183ff286fb025ca3d4234eb0cb571dd7b

SHA256
8bfde09eea7cb65bc23623e48ea63a28f35b8bbafa79437a8a7db717235f4abd

SHA512
232f57a38a266112de5b270759337eeb553b6bba5b7f04c95f4405f7c9269859eb1f3279aa6854800a5fb35e46eb0fd83df1c60ae1dae1f8f0fab1b1f0018900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
191KB

MD5
4d625d17cbc37de55de25f0a9fd08731

SHA1
92998b0a7cff8ae38e09a279efa1d32f135e2d29

SHA256
804db80bcd5d3965313da862effd2651ed78fd8ff67cf939aff20e3f25b6c300

SHA512
a7ca94cb82932d5e36eb2e5fe9d1c1270485d1c47048137dfc3c728619d896268c91b4fe841a698716237748abac9d1e87c716ee2774d83f654e75401d65523c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
201KB

MD5
d36c8df57cba5944277f3df9c2a73d68

SHA1
922e12d4309932136bc51c0368487be29f608fcd

SHA256
0f255a98505b91d5677190b615e9d1599ef9df9969c15aba5c6242f9479d0a1d

SHA512
35c17be4cb92070800d0a478aea64e6ab535766b4a26e67a54202a12fea32dabf1a37632802e11ed6721be21d7ca0be37a357fd8e6dcaf4277dad9a9171e828d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
c327a4c3531f4a24a6f7ca7d52b4036e

SHA1
d7d8eaca4b1cddd55dc6aeafa438818bc663ce68

SHA256
0999bae150161d27bd7de17299ec9cde81a50606b63cba20a000c8b9c5d61b00

SHA512
060a993f287fc1a12f90a57efaaa04743fcfaa1bf9b9d9588b3752fa987489b32e46c46bb3b886007f23df7e6b422e0a8b0317791dc28b31d1e779945e047583

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
191KB

MD5
309743e1ee5f9878f599a5e1b93e8cca

SHA1
0d2aad3554aba66085b913f59ef1d20299069b55

SHA256
e2270e63f51284116119a44e557db88ee4a286e2e55216a107df5e771e75f9c1

SHA512
a2983cec34c2f902fc8f32a4c6608e5e5f60dce2c0b6f9742639fd60da20649181a734370176585944fd06e640641eacced099678b10e667be330bd192b8d878

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\984600cb124442b3a6cccfa3fd7dad4a_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\AScIUcEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwsY.exe

Filesize
389KB

MD5
6b2c6aca55c94be1a2c39aa49568f66f

SHA1
9542b0466dc6605f93de90d46c2e70cad73c44a5

SHA256
3d3408d852b9a11f42606bda6b632da91afa11cc8302dd432b11980732a16223

SHA512
f6ee8297e5a7c858af6a98f096b6e457719fbfb4d649fbddbeccd900fa4e3f23dbe35c791c7456fd9f5453f280caa9ef21f64dcb196bd9af5642d1e4fcc1acf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcwK.exe

Filesize
191KB

MD5
edc1106d79f2df5dd11563e9f3a13e61

SHA1
98f7da0110a3680fa2a36b83a7076a6472f0334c

SHA256
fb8292e7b907fed85736e73659e27546783d6f309ad9f8e4eceb8acc33a429d7

SHA512
c09dfbedb31fcebd0d6bfeea321b3eb9ddcaed815eba45b00613e25768ae1f4deaf8352372be808e40d023f2e174d57c7150a8b423a8e3f08ffdf4500bb4e066

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgQO.exe

Filesize
185KB

MD5
072402ddd5152692d011b5f68cb9c09c

SHA1
be4caa526f5057cbd086a45366420c4d06fec0fd

SHA256
0b888b0d4024e7e0e42dd6da7bb1cd7007cab1ad00c41dedb00d5f3a57b15113

SHA512
8a67c9a600ff1334f7497d6d0f9daec5c3cd41bf29179f813adb7835cf5146921d9ab6b34c35a5fe935206d3472d71d5a4f544f9d4235deb3bf14f32447d70cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIK.exe

Filesize
789KB

MD5
daf35098474dbdea92e92ab7fe860b71

SHA1
017deca0b7324f52945299c57af6c8c654639641

SHA256
8ba4755d340712bacda69bb645e17cbc8f1f8bbaedbfbb6218d6b3f877ceba33

SHA512
c03c7fae8a9dcc16faea677645360dd66af4ed292abd586e915e6634bb8b5e329c5fa2dc7e499943eddc2f4319eab207e8b20d0dcbb7c5eb449e280ee355dabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUQs.exe

Filesize
453KB

MD5
d9965867c2edbdf8de94081b51872a9a

SHA1
91878df9b523fef461ab5142b345e559761c9f95

SHA256
bc5c52b1ac70b5b8e021022054f2334932f3f303fd0192e542e2cf4e24bd377e

SHA512
6080dbd05eec67fc923844be4aecf274558bdb218a4d6cb8a772c8f427b024562e9f7e4b45b37d8a05c63dc68c8b0a702527e72c9e5f26f5e44601c3fd71d183

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYcc.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docm.exe

Filesize
639KB

MD5
1c326e46bab8c7f247839ebcb461d746

SHA1
add709ee95ce8a7a64ac93a27c68e33ce6e3746a

SHA256
2ec64eff4a85581e49ad2d0279bee908b640c127acbebecdc83398e6c217a363

SHA512
878221b215073267c6b2bef4100fad89f02e951b8e50579ddf7a92a8adc188d10cc73c0a161351ed51e0792e6b650bc7df4c9f1c3692bc400bf2126445a0162b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsIw.exe

Filesize
183KB

MD5
91224ff6f4d7a5a34fa6a4b2c69b6924

SHA1
9c813d3daa1447d54c474419acab22873d642800

SHA256
c3efef9f498e76b8c90d5c6645c95047ccb4925421966f3cf67c125949bccaf5

SHA512
89c767f6df160ff7d00a86b5d43da0f05dbae88329b1a205464789d34646ad0fbf3773f3329c2760f0558e6e976cb3b987337e0c2c258e7ecb361fca5bb8d314

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQUU.exe

Filesize
204KB

MD5
e834d71db25f0cc83468915f04926120

SHA1
e744c9b2bbf422dd8da7e8c2a96d761c29d4e17e

SHA256
7889d039148ed84ead6b8198f652dbdf13e83b46979b8274cacb2c766c05f019

SHA512
8a535671e0283d5760e29d05c27153546595c71a059a2fa1f217773f585cce2ac84a862e234135757b257ebe7f886568c4b982c73d31c4a60a1f6b9c397684d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eosy.exe

Filesize
193KB

MD5
785d167ea0b2564ab0d7727133d6683c

SHA1
c87b6214c88fb7fcb4b5450be1aaf0cf9ef8dd39

SHA256
47928e9f792f650f0bab92fdcf76e3246b539acc35d406e71241ec9d74be13c1

SHA512
d1ff47e9f39446114ce1cd1d79a5166367dcebad55784a0e1b8079861136b911415148ceea8a4eac286c7f7a77bca5111a10919842c1c7528f72858ced3c73fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwEQkAIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwEQkAIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyEwYkIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkAI.exe

Filesize
824KB

MD5
98d7bcc67b4f6eb214b4b5091be8e599

SHA1
071e91f86a27ac2ebe6c5d306abd7e44344bb699

SHA256
bee81047cffce3e82d3238b054f58b8d59a7c08342db4319c9918f28411c4999

SHA512
b745e89b5d36b9da7a159129f311e02fdb9187778f2c4924c0cbb334d3a71c93e0d86e182dfd811996963ac30815a7c495976223a9860728210ddd9c243e03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEIg.exe

Filesize
409KB

MD5
1dc514c98ac4da8cefbf310f46a4b827

SHA1
001716cf6dbbeca4d37f2dfa23de851cb2df8416

SHA256
2d9421fa63c69820225a45da50d8e11a1b158a2dc59c4ab7a57f6c0be4ff6299

SHA512
d3d4460da905c1ebd99e270f613e42b8ddd52bce8a9577c628ede9d115dcb8c7703a3124e9ba0bd469b37dbc3febd7890b69ec02ee13ca42f677ca45d3308b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQwq.exe

Filesize
1.5MB

MD5
dbc0fba8fc1be88c8588c0bc6b3dad6e

SHA1
b19bc211506271604a9e5ba99e9adb5b00e4e58c

SHA256
0e106bd3c1a0f6efba3e75db0ef7341da1f6011c4d67cfcda356e5be08cd8e46

SHA512
a31086eb635b651de7eb3ee01bb90253d71986d26b213fc65dce01172516f519e7fdcad23744f8f86d7503b93ff9b55e579a0766b5831aecd55d2d2ec52ef96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYE.exe

Filesize
636KB

MD5
bd4abb9b55a00d4816db86b2b79fa9f2

SHA1
7948fb0ac68c29871d97e1a58fabea170c2f02d0

SHA256
e247659e554e32e79f0fbec8ed5a73dd525539c778f00446f995e513a1c59013

SHA512
e2f9d27328acc89ae53a18f08da897de4d7b4fc7c82046a5e65520fec7019aff9a7310b22a88fd4af8281027a36106344be610616fd07dab9c7a8493da7a1461

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyQAUQQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgAI.exe

Filesize
187KB

MD5
b5f60c8b48f1738088f54b7d328caf89

SHA1
630c91953a1f53d7665143ed71b7d4520cabd76f

SHA256
a9d8188ac1635400560abfdf74bfe9353995d3bf93056d6eabf32d79da1eb3f7

SHA512
14b8a42c30673946054d5e71c462f5c2c5b2c89e5401f898a8af9c8e7706062c02bc2294c9c6dbcbe54dc7f55ad65ec72dbe558c35768f26bb2226758daf954e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMMe.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcMs.exe

Filesize
195KB

MD5
e9e7963848563dedf9732afb4d41e152

SHA1
837b6cf871c3b9a9512a01e2ae655a955a15d2d3

SHA256
8df8a927ff97ade2b6fa0fb0bed5bd36a27ce5eae08582bfd217eac7f5f14cea

SHA512
df0ef2a689b02f14cfead64a826e7bc294379826708d248f5024bf6b37a20c60081ee9d66e28537adf0ab2b7c4803afafbd0ec8bd787a9b55a45aecfce573226

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMsS.exe

Filesize
195KB

MD5
8e18ba84e1d3cdf8b0f2d8097ee7baba

SHA1
c6b59bd58ebebc259823d08a139aeb889b6d7217

SHA256
244fb4a1715a45c39f366ef488f5ea1ff2e9802adfe8ee521e9edd23cbed74a1

SHA512
6a97dd00c6ed3dea91bfacef259c95bb9c234eed9a5f42bbd5004361582858bfeb4a26ba4e7e98e01f535f61e69185960e92430f180f9d841e06e4f3d26f331a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQAIYQQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYa.exe

Filesize
402KB

MD5
f85caf39f519edd9178f6b476de02d7d

SHA1
b0be08cad89829d80c015679d207d38f70539289

SHA256
a5f3cd5db6205d6c4e8a7ed84c429cff8ec1af12a0cb4cd741ad069facc129c9

SHA512
fd5a8985de1497d91c0c974472cf4634349ba5b380a5d238f9fbed1c83dcb6eccc712c9de37f002db62f29369cc17795d2597fea846262bac7097c2acf473b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCEAkwUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIMw.exe

Filesize
656KB

MD5
ab61ec3593ecf6c5f522a9fb39144f40

SHA1
06715740bfa6e44b3f846b316b76596ebba54e6b

SHA256
149667a8b4213e5d4cea0667f819be84d2e5745d999f4007fd09164710e4a239

SHA512
314517fadeb1214aa4d52f1f031bb2b6a87118835be13fbdb7a23507e3c5d463bccd1a4515d84667813287fcc66486c5f6fc61730aa3ddf4fc8458103beaeed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMYw.exe

Filesize
200KB

MD5
3af68c73d15908927d75373770d115d4

SHA1
914d914dab3b0fd2f2c8a0ca142d70695fe52adf

SHA256
c187b9648c33661c24cff5f52f848d733efb76435fa7cc0619629b477a747c6b

SHA512
ee0273bf8911b91ddc907321fcf3f77b0e70605733c8c46a1dfc34e3ba0ebd92cbdbce16fd431949745021f558cdc0d9ec5533e5a9b89da663a8856eaa3feacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoUY.exe

Filesize
604KB

MD5
be34b83caa0f26efc993aa2a51bf9de6

SHA1
5f028dd443823c8c350f3f55cc27687f770a1384

SHA256
e98758dcdef0aecd1d595de3c25100588749c977dad02035bf62471e89c29142

SHA512
76fe67a85c937c526dd2d4e5ba4413d1aaa0244256627746b8bc503f05e96bb07d586c4ab148ba1ca814fc78c6a1fb60d895196d34eb8b95ab54d1192baa95fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoUc.exe

Filesize
1.4MB

MD5
243a6cbcc80bea06cd0a2f8c42dcbb46

SHA1
9f5c1ea8b9b12ca36846d986067e17133d17005c

SHA256
28ff3638c0d2c2fc241571d5799eb05e6d59dff406ce10446e92ff52b7f35efd

SHA512
7423211cd53d24210ab1140215235f9efb5eb75af245dda58c388ba5ee15fe8cd47e693fdbbb76f755659971cd9d7b27ddebab820fc32a549d6a97736aafda6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIIO.exe

Filesize
217KB

MD5
caead38facc84c35c36e0b5324e24d29

SHA1
46b71e224c1c8bdcb2d07e3fc240588f01342198

SHA256
faa666984ff62d04e2bce993dcb30a4ad6d69a4492f35c993915f1f4d045969c

SHA512
2ff7a1bc0ee4c3ce0668156f3c004f1474f1653e266c318e005205c8343a1de784e191634be4015c00607357e62798cf09f4a37bd0f667576f66241355d8a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIgK.exe

Filesize
199KB

MD5
f6c6c422674f96f4717ef5fc2a5d648e

SHA1
c3e8aa6fd07ada7568883e8b9c63716fb4704c13

SHA256
3dfaab6701a24a17561977ae2d67282ab5aefbf0ae75b4f5e4c5eb458cbe9022

SHA512
5c52cb1208a141d45bca5e7501e5cbededec7b6ee810eaa4b01cecfbcc2b81d36c02388ac3b04de4ce1c0b645b6182d1be6d77917a15945c214f3efb3c946da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcEq.exe

Filesize
582KB

MD5
b0f52f2eddbdc8fb157e9df4e32b3ed6

SHA1
5641e5a56f007492f53b55f25f5974c5e019ed2c

SHA256
28cd90ce0dfc77ccdd4836c05dec54d0a173253c9d5796d679eac5220eb5e3f9

SHA512
b1868a43f445ab46feef35759aa6a4a59078f7a9dbcebac0924c717322d31ae196b04c509afc01df7685aa53729b6f2b3bb2d0a96f78c9897dbbfcc22248f909

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgAk.exe

Filesize
269KB

MD5
074af5b36e1474822008c1b855392214

SHA1
d73026fa9419562f800df547edbbc683cc505f09

SHA256
4cfbdb9e161c55eab76c275f8d2bc1f034e5415236c6728c2bb414776d1d8d45

SHA512
facf32c61ef27a8bc9471063b27ed19833adb2b455fadc73283f55fda7ee09969ed366ab31125bd0cf82699195b8e777f6919e18299a832f592773bfd117e4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkMg.exe

Filesize
206KB

MD5
406b70c52ac8ef84d7e8685c5d0629be

SHA1
b3f453be3d80aa4e9707f0d51e161910c51510ac

SHA256
b5a4e79a4ea4d7828916712cb317faf6bacadacae0373bbf9df1d939f2c01e28

SHA512
efea9c90bb0cef7670a212e20730bc007e31de6dbfbffe1f9d5c7eb6e9bb035287a32a894530691095b5d1b6be14513e9e098b2135a8c54571dc1b1f5449821e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYge.exe

Filesize
203KB

MD5
5187c3aa4cfc33bb8987dd834f2bb8ed

SHA1
df656793f4b20209e0bb746f801e622db72e8f2e

SHA256
75f7a228b2a6702c6807f47ec39a3ea6be9edac313f3c4549d59cd395077cc7a

SHA512
c94e0856074925cc47a922561b5bf6eedadde2f6c2679d73b9a32efbdd24e4d119b827f8c049d4507b5b1f46ca41f076763da27bb4131d430fe78c26ef41ea38

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQMg.exe

Filesize
205KB

MD5
172f9b90ee9dd1b2cb0924400a1b343c

SHA1
4ee762e5924f1c4e28c3d55711064b24f9228423

SHA256
4327cd9d0f43ad65dd549c38c0ce3c472ecac2b09c33e7ee9cc30e0587ed03c3

SHA512
c2d79b7bd8a8b8de71c4a004e33942cbd7058adcee2fe09000f625d76c174de6891e142fa3b5ab180da340044e952a182645e80f59374e7a0463a76534e7e24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYsq.exe

Filesize
206KB

MD5
291b3d2da9a18a5e6e81fa5be9caeafe

SHA1
7646f4dc8ec372a506511a4de9ca250530a15d7e

SHA256
36226579c6fbc77117b35d08f1d7447b12aacc08e999881d64bd9e3e869b1349

SHA512
6d17803b108010da35755bc44d7decb631b354773870dd67a57ee58c20f0ab774641056af4981f37c811109cfd5975a2e1236f8cfeec6bef694ecd5e1a0ef06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsG.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcMg.exe

Filesize
208KB

MD5
72d463f8ed83374589d7e68f7a050e38

SHA1
27cdb1d227b31eee8502ae55f64df78cc893f957

SHA256
2ddf73c519ed0b763828ffa6aa96fe4f5fc1ffe6420d35cd929c3c1aced094be

SHA512
1e556046a47545e362ec7923cc095c70e7ccb771108b4da0b233b3ee850e5aa19b284754d169396100e586e0892c64e38df873a4de5428240799b508c40d3292

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGEoIkUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoYc.exe

Filesize
203KB

MD5
d4ce27dba8edf4a08869ede1740fe252

SHA1
29543ed973e8f77ce4990d105d66177d8600def8

SHA256
786b5fd3aeb9b0c82c3dfc2fe8fe0f58720ba4907d4a51f819fca5f49eeeceee

SHA512
15dacd077faafc98105235e41d78286815519f52156272095d8f0daafa67ad19dd6ba821a23a4702c099991f9d5037500982afde50f7f30b02673b8b2284f005

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEk.exe

Filesize
191KB

MD5
766a3b4a0f7572c78482e9fd5b25e1e0

SHA1
0482aecaa4ee8cbdc896f5700218b0ced814bd40

SHA256
1485ee00548e47abe93cec9d1208cd71f87d9efa4a2b96bc370f587d987e0545

SHA512
1926e5df0128c701d1bb8e0e8dc041d210c4d2f054300803bad4901fa9f9b6751efb736bbff0247669e96795529ee2196cf6fba67bb1e7dbdc07ab53711af9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUsk.exe

Filesize
193KB

MD5
62874d20d50c20ba30bd0b3f4e695a21

SHA1
4186ff74f326f9a6e58d136e412fed0311bd799b

SHA256
55d8ed752fa83c635d85d8de7b2a3b3f16b6ddf5d9bd1f43e5de122ee12975d7

SHA512
c017c1dbb1c65c8264a9701ca89efb43ae6564cee8f1cfdd25d22eab85dfe8f9a3ee3f4ba854fb10c58e88d6a8c07ad24d03ced6b1f73dabcf6118804b6fcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwq.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYYM.exe

Filesize
197KB

MD5
39ad17de460bee5e7c4f5a91d3fde4a9

SHA1
77a3bc75695af5065c3f30e9cb76dde134d4f3bd

SHA256
b7260216068fc3462c53914b05dd36c315ea03fcab7f5823772e7b2d4455e66e

SHA512
2a55a0ee4de98321900dd6e8af95f6ce2e8ef785298b408c36271b497cbd55c1c879ed16b1f2f5eec1f13c211e68eb734e369f01c8c4090f63e88787a58e653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soca.exe

Filesize
189KB

MD5
b9b8ad2eb46a972b5fa3e75e62d8d3f8

SHA1
f89f23e5236b045eb19c0900ed2aab99327227de

SHA256
b7ee9c89923356ff5a01d621b1fe23c61eca8e994c1b2136c86c61bd64a3d357

SHA512
669b39d7fcc9e31203c2e4262bc35b14ee51df74c3a03f22110ed25c563c86896ff6908f624fdd08d79d69c4c240fa8132cfc259797560b130239a52818044f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMcc.exe

Filesize
185KB

MD5
a5355560b008392749167bba0ed54d05

SHA1
177ba3e10401c1a2bfb33cfec0ed46c8abc94e0a

SHA256
ad151d063eddcfe7f6c21f3156db43b075be172bee082d7533e5981f14e54025

SHA512
ecf5cf06fe406ba2933b1fc5ac4ee5cc6830fec93cd32d7818f97625fb73a229231b9c8d7febebe36e26ed97c8d86513ff33e0e4e115b8f513fc708159ebed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQgQ.exe

Filesize
243KB

MD5
2376bd3e0eef3b4f72a8cb291ca6fdfc

SHA1
b9a3e346ad77c9626d74db07646fdf81e4f5b856

SHA256
34f3bbabfc2f51d0adda16c68a9cc05e4d7b9236a380e854918a8f8f14519ddc

SHA512
0fd114c8d390ed36b89df38091d230ac485986af4fa64f2f20094341b91eb23727225fe0d53c6af5366abe15f08e115e3f49f610ff41080810c42830362da3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkkU.exe

Filesize
195KB

MD5
70793a83552639d20ab97ae6fbfe0f16

SHA1
b3836da95afdfc78fe4f2c24c7a391149db01a46

SHA256
641642253d6f9b1ac45f8697bd8069103baaad188f32c3ba7b42b31cc39d17d1

SHA512
80e41558d2a1abdf38dcb2c4d3a6a085098e3684dabff758ad7bda7dd4845ce6eddf6d996136c6df1a913577be3b6860b3e2121b131a1c23aef14c3af166f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsIC.exe

Filesize
204KB

MD5
e520d5d9d6500c3d555353e212ecbf8c

SHA1
9e907b2304fd8f46c8f23536f536b8daeb10e416

SHA256
87df77a1d2a40f225d19e26de496342d38bf9c6b0954faf03f219e55a7c606b2

SHA512
9574a87deccfeb3d733d803bb1233c7eb159ed74fc83eb9b15ab22438c839ea7edf7924569a8e0ef70ccab412737fff003c142b15487913da8817f6d20f8e6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwckkMgY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwgUYgoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOoYsIcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacooQcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uogq.exe

Filesize
194KB

MD5
bab5e8a7f1eaf641e9acd98ed24c918a

SHA1
aa0982d4dc58aadff4082680dfd585fcd94f2808

SHA256
5109db42a4eca4e869bd647ec292500ea0c7c0dba7b67606a18e65e678ac1d5e

SHA512
b39f3b0209fc12b67d2593cefc8d34c2fda4744f746162624300d7c3060192169919c80e0846c468986909428cd03769b76204218b53e7f9f9003004efae2538

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwQA.exe

Filesize
204KB

MD5
80afec613c36164cf580523eb9e3db9c

SHA1
6cdd0dac3be59bf179a3658259700f3e7ac00c56

SHA256
b968c7a1bf28c9b930a08eb5984a83bb8f3ce552c57a2417100a6d59c1ae1940

SHA512
616547ea6717f8ba440b0dc4d5a7d3fa984f0707c3fa5014f5bc655a44b33ca96c5ff8b2b9bd0a07b087d84936bab31618b0ab7db169d1496bb26b0b8b05d3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAEW.exe

Filesize
1.1MB

MD5
5f8d3be97b14f07653547acab952abdd

SHA1
9549a8a84ebde04644ceb30e1ee5d986b3fc1a42

SHA256
4a06ea78d6e31d7161c8f5af36523d6d1df055110f6d6b7d5e092661d7490102

SHA512
c1c27fde0c8aa20c9e26a30df2dfb0eedc8ccdcfb90ec23d360577266edb1773fc93b9627d657a925c5af0ea4f6ca8b14fd0e1f363c23ce8b373917fef87f167

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCMYQAoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoIs.exe

Filesize
1.1MB

MD5
7cff2ab737c90580da442221c0427425

SHA1
bfe8f59a45bf4670fcdf1f453bd9f92d03e89b65

SHA256
416b3cf5155d53cb994858d8f0a9692a4e5a84f7fd8acb31368d97130dd98122

SHA512
4daf57e43bb318c9a658752fbd84ff5f7b98eae72b9ddab89fbb8d2822589e833f64475417e9b9e46e550404ca59abcf1c053b4f06879d9d1978fb7f45072021

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkgQ.exe

Filesize
819KB

MD5
2e1fcce29e52a075718362a4a53fbab6

SHA1
9a80e14c89dc97da2d3459948afc4e0621e6dd18

SHA256
a9126e0aacf760890b3edec951bdf6895d5a077250030dc67c36bdcf74daf954

SHA512
8c4b6e6fbfe1da08d4896ea42fc7a5980dcacd81f2b963f1acf91c6ec29e2a27f69aa7b5d24abe960f02d76a843d301f906058e1e61ad03ed867df790ba45c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAMA.exe

Filesize
207KB

MD5
a6113b151df0a9dacf6be375c72d2ffc

SHA1
019744bc518a9f6683030dea2c9c8fdc2ba73fc2

SHA256
3592f178f8a57a74e41cf8a68ea8739163a11b98f0cd3772167c521439b3a912

SHA512
c4f7dee64d0925a519a481ab438b04ec2683e569b63d8ad9c820e4bacb38388d3d2092a44206b9e84a8b4e8aed767651b1ccb5be683331acccabdad681f5a2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIgk.exe

Filesize
200KB

MD5
7895b74c20209f98ece2462ecd218284

SHA1
661f010ead1d7eb6c7f4aa943627ec252f6576cd

SHA256
e26b98100d86b6d506a0c6021867b71da0cc00697e69bcf4e02f35980d86dc78

SHA512
fe1cf8d37857fc3105619a39fa011b80a33bc11c4e3cf50be5e362d58c4ce31eff235937417fec685b50038e9a1c9d28e6861fc53d1bca18e15d83b141d4a3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYEC.exe

Filesize
637KB

MD5
c78270921b318798068e3cd72ec208e5

SHA1
de979eb123a8b2b9dbd20229331453a579a1434c

SHA256
104e0fdefcf769f4d265f2279245a6abb38be658772398ae1b686e781d98d1c5

SHA512
363361856e6b0f8e288298de3472e2941957df62a6ae98f8b46f9037b172c3b99098b5b3912bbdd32786cc89fe445d228072f28dd23ee3a1c36945a90d0bf2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkAm.exe

Filesize
209KB

MD5
f5aef1b54a0b0eb56e74ee648e944e6d

SHA1
473fe754667910325428c6df31d41598acae3057

SHA256
7ce533358b6ba3ccd5e82b513a25a865d09067f2d2240a1d746efeda87b338b9

SHA512
2fd62b46ad979566ddf8e497df36c5b8136cd81a07680aab9e9f8d8cd41ae09e80f23f385d84138fb992279e106a247325e97c692a0ea6aa20cd49ccee19f1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEIW.exe

Filesize
193KB

MD5
0236f41e617c841336a1493011e0dd5e

SHA1
bdc54f52c283812fd8c4c10bb5b44f356e0179b1

SHA256
832010db0811976aeb59d122d9d977ef561a27f80331f9851a1a12cbe81986c7

SHA512
51aee431f11efef158c696d61c0ba1cc0f313bf9f5f940205616fd7a9d6df0a080ebda2b72824f30b1ea5a5a7965b3b9c17208dd59cfd090ca843b2171c92043

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEsW.exe

Filesize
220KB

MD5
1b453d12a0fdf57f0a36c89168b059e6

SHA1
45573075f84f4c34a1dfecf2ff66df309489d4b9

SHA256
e64a3a1748058e64381aafd1a62ce5fe1c8575ec1620fadf8b7917e3b59488f8

SHA512
2886c048f0ff5da1f97891a9dcfd47dc4facdb1bfba038023a4eff9dcd7e93aa48be193d4679314d95df8c5e0c77cf3d0999e4a693067f831a7e1543a6526b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUMo.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGIocgMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccgo.exe

Filesize
200KB

MD5
f6edced05b3775787ab7efc6270ec747

SHA1
49ab019f7a8905d28fb779af44a5e44f201a78b0

SHA256
0ee747b8a54873400cb5c6b5e0540df82d2dc5ec29d0b1965af3c063d37ce24f

SHA512
7c5496dd90093e33611263f8306ad7d4e97bcc4b2d8b4e59fb968efd7a07db46887853f70fdf37410e71de12431076b415b30bc14ba015b3f6b96b2cd449a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgQA.exe

Filesize
208KB

MD5
5086a792c5ea3ac2e329302b8f43f150

SHA1
eeab90d592c5e2e46a8c6a02c83587733d36e730

SHA256
60e82b10b8746871ef01d34005e42428f04b05544f95e63450037cf2475a0394

SHA512
be8eeb4a920761934309beb57a85fdaf8bbe855692d3ec39c0e09cb16f82a67a30fd8873ed167fd644cf1b581fb25107f2559d0c79aad3478623da4acf123804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckIa.exe

Filesize
523KB

MD5
273f0c4620af08551fc3446356c2137f

SHA1
9fe6655e555f4aab6dceed26f382ecc0914a4ba9

SHA256
f8ac7732db368c15aef6f50580bc3b2a2fde77019ae8218ac775aefbd32acab9

SHA512
20e72dea8dd6f8724e2f5d832d6b2223fa2517f45ad2a1774b6498048a0d91e1abc5f0f14254a1a64bd38afdd1aa6227eb6380eb8d3c202511b18188ec3cc046

Download Submit
C:\Users\Admin\AppData\Local\Temp\dswk.exe

Filesize
188KB

MD5
0693991f24a372c65ebec49016f01c1b

SHA1
8adfb28ecccb0b4ff549dbdfd1ed7c41acf14095

SHA256
74bdddabec300c2a53d090ce61aaf1f086615385337a09c265df48b5d107400c

SHA512
91545967b501444ceadde55b6a9fae4e44a10c0b451f1fc3479a41ed2485df63cc5f207cb6517adc204c11bfe3a2a779263c96f1abea6dc6c5f7ac4331436c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQQc.ico

Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkgsQYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMQa.exe

Filesize
211KB

MD5
6a8d068c4f90a7d9ae3b9fadc1a6f08a

SHA1
0772b9d5e89e126afe24387b14bba9df4b401b47

SHA256
7f1488d3aab88482fc85b8421db2dd25aa423718d47e9a30adb3078b5134600e

SHA512
cc70e8cb8bcc1631821d0797325f1b6a045ca99e84f24ab74df313fde98f22e9284cf19f54cc18518b11d9f8a149a3323ac32685faf48661cd618fbc4883a3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwgE.exe

Filesize
367KB

MD5
3e750141e4339789bd2dadbafca82f71

SHA1
df379e7c402f31c70999257b60c3791e17068ca1

SHA256
2645668b09633f2c57f40b46195934837f5448feb19c3792550fb2d4f26f9aba

SHA512
68292ef21e9c26d3572e189edd05ed11ebf0b80baf31dde69947994a405f232587d622f14e0afe79c3e4801a0a8cc7ef3c739dc355b57231e9a150c79ddc1be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIEa.exe

Filesize
199KB

MD5
b570d3f4822095e36f5298bbd2763718

SHA1
c66d9bbcd9632369be1c27818a6e3ebf3d05aa20

SHA256
4b0b1a87b650b0a8d1f79c860d286dd8b2cfc29d190e7cdbe6d3c623f3e1189e

SHA512
acedf8755efd4ddcda3f632f39e2694e3cfbf391daf7ecc7d83a6be30157302a40d66f0944e264cb48e295aa4be49361f849718414f2b06947d2f0788e778aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsK.exe

Filesize
789KB

MD5
f1119e1c77ccffbb1f23a13e9efb2179

SHA1
242b700f0d284728cbe0123f9feee76933e83ee5

SHA256
1d961d3030034027734e4de56386876e3c9c8b563130cfdea6cb8ac098ce564d

SHA512
057e8284158ce3109eb67271790d4749fd7bb326f0966a12c33274a429cab51ee8d54f7b9f7013a2979ce17659752ce7e09293f4fca882d2fe4f970d0da50f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAgsgcoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMcC.exe

Filesize
206KB

MD5
10f481afaa3f15e44b80bee37d31c59b

SHA1
8e1713559a91bb0c50003b7b8aa27fec9083e973

SHA256
67347fe985d7d52420ffd6d5e1f802b1d016bc442af1e115ae0beccb79b87b4f

SHA512
53cc57e5abd08f2be775b0f3efa3e9d3329db1c39640dc4e776a72583dc45888302d40b1833ea37101c3d2bdc375e8c614db1eb608cc9c95b97d29a68ad8c3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMgA.exe

Filesize
309KB

MD5
468e8ea2310f5a4e15d92051c240d5fc

SHA1
961ff6226c773f7cb9e6d799ef4a0d07237c8b61

SHA256
72bb551b8247ebc1a2fe589bdd1721d9c71f704a7d51b8cc2d3333659c2a63ef

SHA512
b6e02ee460c49b68b4d897e41552cc5d3bbcd408ff52dd5ac6918ea88d14caf1f30416cedb6ec71a9dc8d0aa7b963e0e02dcc3a094ad4ece84e447160328e454

Download Submit
C:\Users\Admin\AppData\Local\Temp\jycskUsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAAo.exe

Filesize
190KB

MD5
e2045e8e1df207961c39f536f6220062

SHA1
a776caff316714f81ad756595ee26442d29d63cc

SHA256
4b93d5e4bbae3f9d6fd752cd5bd5d56b9134080537382be70799d322413b246b

SHA512
8f938ae93eed2226ce6f92ea666f7d08262def3284289f925b205c4868581de60eb4df4363648965cb69c40d6c8f4f52b346590166ee5ae9d3d453aa5c9d0d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIIs.exe

Filesize
5.2MB

MD5
1c5c4a54cd2d500107c17e7b85d06843

SHA1
ab71f5cc18c332bb7f6dbb7649731ea48fddf95e

SHA256
3a9a73990d312e286d3d883ef84b18a271cc67e65d38d38728d789a861af7895

SHA512
a032d8aab407a2d6ec2b010bb0b506f81e343cc14847699feb0e78140d6888ccfb43a6aaff4e9f793669edf06a6e7a41ea7defaff294543a5a98fa7fd8d2a74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKMQsQEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUgK.exe

Filesize
319KB

MD5
d659834ebc18e8b8a69ebc78ded66d6b

SHA1
5dfdab198c752ca14e0f30cddc74aa41fc6b8fcb

SHA256
4f4b5b952b2f5b2e6c07e7a839382c85842d6a5e7296eaa3c949b907e101a209

SHA512
eec9c88b8fe7805b5d4ed17cdbce269a4572fa15fb2196a89840d2d25f3646114ca9867b76d1d64575c80c80fcd4b61bb69df42e36102a947ac4c5a953046a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAEi.exe

Filesize
184KB

MD5
eb1d8c6540d5246f6e48741fdc7e26c4

SHA1
87451c7f8ac4159b5cacac7993949d75ccd94f03

SHA256
685da320d8d70e860df65ba565f64b4f68f5281e003d2c5c814dccfea428b358

SHA512
e1fd8dc53a145d94fd9940beb70c5f6b60d99067c6be0fb2f725b059e9941681e8ac83d060c5151cba219fb932f366cfdac6b6e3970d6425169b6bf170335113

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUMq.exe

Filesize
771KB

MD5
ee03314846332059d25b82cf4fd63789

SHA1
3cd3539fd1d28c563471d2c53b213d70d5878b85

SHA256
e2fdadc10eff236ea3c3747eeb93633054fc9b83044d734816b4975ab877328f

SHA512
09ad577e38454501d3f0c2452b9de338d9630c581f7e6c96e12fdd672111b2fe69de5421e2c7044efb31bf2403c747f131eb0cb591b3296b21ada5e41aa8dc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwMI.exe

Filesize
194KB

MD5
2d9bceb1171616b9a7c566a2eaeda052

SHA1
8e544a9c4707e09116c48e80fa1fbc53e2fd0c78

SHA256
ee59ce12925c8a92a599ecfb35eee6c10efdb760e17300c7715a2fb31e9dd7df

SHA512
961cdfb1b5eeb05cf8b02f25b64c394e337e956749803ef75d16be40f33310589a8e47dba39cee012897fd1293253682ff21c5e9c81dbfaa17e3b76339f7dda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMk.exe

Filesize
207KB

MD5
b248f73f456a47793e35782fcb271841

SHA1
80f562bda35d3c460ad583928e2c22d4a78de045

SHA256
772127a6017c14d1d77d3e35ad474233a2932d36ce494bc4dfb844f20c68ad90

SHA512
439a065a9c45ce448ab383d6df3eddbe78a952bf9f612763c89882145fe3c53a1352b368575e843d938ed3980dd5fa154f9c6a1bb634523c7449d6627bb51ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\okki.exe

Filesize
201KB

MD5
5d24fcb11ce6bcb52dbb72972db1c4ad

SHA1
a986d399881a217eb8a8a451021856ce390145e0

SHA256
eea8843e826b100f8ff64c698155579d318ab043b6916c600da240924aafba89

SHA512
cbedd218c4a6d53f1c1891ceeab0460d93464f149b43700437c459e97145e85032a04820eb13731186b9baf8b2326adf0361da99b1ba53e4a7b51e53be363aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYU.exe

Filesize
641KB

MD5
e47f60afdabea90056274531af7b26d6

SHA1
69697dbde028a9c284f8492ae5e2dced528ba3e9

SHA256
b8e12460c53e5009675001eab7732d69d67e7f0e2c2f7a85f904ab2e2c9d9d3f

SHA512
c35f72d24122308805fe879c1a3d62cf7f77558245638b29278f5f3d1dce3f6bbb9223dd9eb9509680d178d9862913deeb9bbcd875e36fbc4ee74f531e75be3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoE.exe

Filesize
231KB

MD5
63779856af2098ef1614a35029f49efc

SHA1
12ad9364d1270c594a8e5e50e4e4a622b5e8afb9

SHA256
e920429d91e419bbc0818fa75ca5768b6827fdb891aef11301c6c4f8849c195e

SHA512
1aaea0d84d2d018d23b77c070683d92b7bbe83ce34b350b425fb8a979a5aac13b463533aab2c1cf20a0e16b08194e5b1cf5525f3f65a3cafaf19ec967bf6faad

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOAgAMgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgQ.exe

Filesize
5.9MB

MD5
18e6381eb1d6b7af6fe39b68cc4ebf58

SHA1
7092783138b048f76e58c6c1304cc951cd9a4fb4

SHA256
730c57cd2e51e67b27a7254bf26a445e9d9bb12f01ae8aa26d148bf0592c988c

SHA512
c3b6ecdcdd6ad36bc3d60e563915176d93026223ebcf72a23304eab385e29b22271a61619d4bbec12ee7ab44a88ce63e5b44342c79f2fc2ff8dd9ba909f608d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQYs.exe

Filesize
185KB

MD5
060c105ba2a0ee3fcccf3a37205546a6

SHA1
c826b3eaab7831400e94bd73c82616ca18022828

SHA256
6a7a052de1830d98a90b07c0d0b50e9c541978d93d8e8405307ae0bfffb5f77d

SHA512
7c97ecd28bd1b22894178597b30681c3710d78c50a0cee38956704e45cb2632792c6fcca036bf273ae9c2da17c27ee786ba55f07f8e1b5f65c8c8041239abf3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkgW.exe

Filesize
321KB

MD5
ea763c90bb9c3d35d7d259ae54216cf5

SHA1
a5f2be2a9c225156fc6af61e199d6dfb741a7812

SHA256
e43a3823bb74c87156c7c6a35d57839efc1bfd33fbdaafb95913452559c49244

SHA512
c5d6fe3d282f0137b066518896cfe244df06e5ef71bd529e99a2736e901d47f70cdd1d221214abfe67736280aab72e97a82470ca02522a3caa0e1c672a2eccac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUMa.exe

Filesize
187KB

MD5
80aafc91a0dca392003c7c24930acb3e

SHA1
1079d7b213d4b9688e59af2a23e5f8d4486684c1

SHA256
b7764be6ff50118c4c5b348b43f7b0e4c1c03ee85cd3071bb09e9ccd49156971

SHA512
f6abc7ad7d18b50131e649a150667308c3f3f4b9fb81f8576cbd6ac243be33bcebc7dae45eb81c1069c533532165b2ef2367b53eb363d12b3a25501610eb851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEIQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMww.exe

Filesize
194KB

MD5
c459316d9eb8bf633c84a37b6bafecd6

SHA1
34e50903c0a138b88371a7cefc7792f657dbf684

SHA256
93135addbc9a2ebba44f8ff448fc62a159a931294c2dc5d63b2648f74f832ec8

SHA512
2b90f602472b6b96f9dd0374183495be6495e50b35387833429cb93fde19e7d4f6b6a0ff6b91f3c848a0ff01d573de61f4a78b840ecde4d103174606e6f10074

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIAi.exe

Filesize
314KB

MD5
6272d57383b8c7565e1827a4231ea35e

SHA1
d66f49b1841cf32c329f92b772687ea1945c547c

SHA256
aa65dff7ff2bff8d2ab0fbbea38cb8a6245440aadf32a7fef6cc494785a494f0

SHA512
87d1aa2f82446fb0c30cd03422f68b39d0efb63b4208dacfc3876bb716d95f1b8be8ec21d33956e7b76075d02c330bba0531c4cf1ee6f2a23188c493c9124950

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUsU.exe

Filesize
194KB

MD5
19987970f66f7625b5a58081667f4e40

SHA1
5b8ae7ee34607755ec72c6765018610623c58ba3

SHA256
2b20bc24c65035a75555ca2688868c0aa869f690c7221d962c1ca3979129043c

SHA512
c365ba12abc71a52350d912fe1369b10c866ff4d30c018a8a8d637b198d7e03d3de8497de9f0e7bb154657d0fc073d50dae9a8f74607f1d4c418a0e7af977c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQm.exe

Filesize
563KB

MD5
f81c8f34775dcb9871cfdc419d8260da

SHA1
87d18daebceb3c14cb3026839499200295b3df08

SHA256
65a7aa31c4546a54159e8de7e3f7bde688190629e383d816f5c030224845c017

SHA512
cfca3a71f1c9b4e34cf3f3cfbdf36eb901533e94249a53e27a268a356e532a87be0efde91bd65d54517a3c9d35a5d928f2aa5e2b2b495a44b44f163ec23a06d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yssO.exe

Filesize
538KB

MD5
d72421a22b4443271b6575fe278dc696

SHA1
64b3bb599491dc4e8f5b89fe0dd3d4522af0e4f7

SHA256
e319510976fb9c2cd398edad2edeca710f05d832564cb9b6ba70270514e48cc0

SHA512
4126e6a4bd810c135172e95ee582636f3f14d6bd6265757c30bbe811e1ece7fe14cadd5ede854b905479799efa9256e90e4999aa5c837bf92059921ded9ee2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwgckIoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Roaming\DisconnectExport.mp3.exe

Filesize
475KB

MD5
e58b5d4c5fbc77867ae851002efd8879

SHA1
bb4e0d352050bd73de60613c6c2611b246196b1d

SHA256
08a93304d03a2c6d86e91164ace877f86470169043570294e691d32ac8701aa0

SHA512
ab1a58604e1e8ab9a19fb81f292edbe702387664d1e248ca549b4be4878d0b7613cf525db73eaed70790ac62fbb856e6f54c3507373448c8dce4a52cbd6822e7

Download Submit
C:\Users\Admin\AppData\Roaming\PublishNew.zip.exe

Filesize
767KB

MD5
526bffb8eeb3516a6b6a6e7aee0980fc

SHA1
43975791cebf599ac069dca9e56fa7218be77f83

SHA256
3fe9a41b9946d4db1b7c8b4bb398a595055caf5671657b65a85dbd23b0c9ef6a

SHA512
e99fcc8897275a927109f09021a3dc34128182f4d5b10d5e1171bf6424dc271420a55a85d42808843f5781ff799d3a2de3934c04bde779d706242baa15e1146a

Download Submit
C:\Users\Admin\Music\ExportInitialize.pdf.exe

Filesize
523KB

MD5
015567654393dadad876d0e42d9d3548

SHA1
b0d27ad2857e73b89893503d582f4d50fb989d5d

SHA256
c9971742028b3e7ad2de1e90eef338586568973a779a3b3f1067a316ef961b7e

SHA512
cc2fd99aa665db911b38f235e8af909a9c0dead46e2fa0401873ae97766a38166741398aa591b61b1637e363684016fc11297ffab4f8041188835015e0d9800c

Download Submit
C:\Users\Admin\Music\UndoUnregister.gif.exe

Filesize
434KB

MD5
76ac17a093daa47f152aa31af77b3bf6

SHA1
eda182b40b3a350c4d1fd2f8f889d39a687bcc20

SHA256
e9ef618f1a01c321c63e298d792b672e1bf557c00594a63feca5a01adc4d7444

SHA512
3159be2c580cc5e5c6753464318b45c2f42c57af7bbbd9c46ad1c1bfc16439900b4407895a9b1df0a6294d54bda43cf4606ee6b769d05d656bfc1be5e22ea7d8

Download Submit
C:\Users\Admin\Pictures\ReadStart.bmp.exe

Filesize
469KB

MD5
961b724c4a8d65a0de56cd7cf86e49d1

SHA1
38e2c216187caec89daf3c0e5906a511e8239631

SHA256
b1703fa3039bb99d50d0eeccb97049ae17924f1a7fdcb3c941215df45a96409e

SHA512
c50c8218941376b4c0df392834d80770badbabcc75ea2a43e28da5fdb1f43494a727553417366f64564c1b914d98c6f8bc2fc2aaf0ab6024b84290809619da41

Download Submit
C:\Users\Admin\Pictures\RevokeSplit.png.exe

Filesize
378KB

MD5
4cb96a192e4855a05347a78ee4b42ec4

SHA1
424b0bce14d97271f338534d0f699f77e2055c81

SHA256
80e953821f5b07e34051cfff12d57d44fa7f6064a22e90cd7a6bd633cc5bfb6d

SHA512
5a86ecd768931fbe46ef4f507cdd193799d1fbb415cb3a57936b720c1cecde71ed45fa62c7cd5fe2c80d0447082f6787bec4f38ceed744de4b8c8adeea89fc53

Download Submit
C:\Users\Admin\cUIYckYs\WwUYocgY.exe

Filesize
198KB

MD5
0ce7d78ef3ee4e10e562ed6384380ee4

SHA1
c3c5eabe91ebaa0b9ea6ef4420cb43c9f1d5a29a

SHA256
5b7f41d32e961091ebdbc40774c419c887cd9dd280f875b19735c945aba71b2d

SHA512
06a5f22bbcb0f7318ea3ce0c3c589212ea44f3f49c682034b98f71aaecfa9e727b28759a2278e283d13a7ef414b8bbd2519c0d0cc1134aec9ea76d7dffb4e57a

Download Submit
C:\Users\Admin\cUIYckYs\WwUYocgY.exe

Filesize
198KB

MD5
0ce7d78ef3ee4e10e562ed6384380ee4

SHA1
c3c5eabe91ebaa0b9ea6ef4420cb43c9f1d5a29a

SHA256
5b7f41d32e961091ebdbc40774c419c887cd9dd280f875b19735c945aba71b2d

SHA512
06a5f22bbcb0f7318ea3ce0c3c589212ea44f3f49c682034b98f71aaecfa9e727b28759a2278e283d13a7ef414b8bbd2519c0d0cc1134aec9ea76d7dffb4e57a

Download Submit
C:\Users\Admin\cUIYckYs\WwUYocgY.inf

Filesize
4B

MD5
87d581ec956d515ca3baf4a6bd6ae333

SHA1
c2aa39b73e415e0f8092ed6a2d05e409e78324ff

SHA256
c2ee2383ee653b2cba1c9b11f25c9e2007c4cfe3f06fd360eb3ba84176edfdea

SHA512
4d88eebc1b9d8bbaa56e33d6d29886ae9c25d0493ab9cd9959c6ca0dd7a1c1fbaa62d9c667b1e693df210f95ddfc9166a7c18c86eefa37f3580fd578dcf6e408

Download Submit
C:\Users\Admin\cUIYckYs\WwUYocgY.inf

Filesize
4B

MD5
e112840401bf58e21855eb0997690aae

SHA1
3b623145f6cbaf6c4303d91cc15a8f555aa45e74

SHA256
7b592266781c964a2db51431bd3e731b4173fd1c03dccbda0abad9f51a45620b

SHA512
3088bc8cc5d06b2b06885e80e9855687193d7c378aafc12e417ecf5c179b6ac0b694a82e2e6bc864980eaf0fede74102803043fe2939261fc894d1631f54fc77

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
6921d7033c2588e60bbd147b6714e938

SHA1
1941cf4779b47613d2b7bd7357f35d163b4a8e35

SHA256
bf302d7713227b9d728ec1b0b7d654b25c009a594be2ba13c22837d3e94d60fa

SHA512
fb233cb5fcb6780637caa7739858d7655057ddf360d4c6e703a8cef184e6ad217d7bb8394be566c2e7267fa8bdf35c5688af2a743de0260853a979ac83afca41

Download Submit
memory/336-432-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/460-267-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/460-275-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/640-376-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/640-386-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1240-549-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1300-424-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-202-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1436-247-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1436-261-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1672-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1676-452-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1676-460-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1724-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-568-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1792-480-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1792-488-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1972-595-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-250-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2108-238-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2132-550-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2132-560-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2176-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2252-522-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2392-214-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2652-227-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2652-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2672-322-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2672-338-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2744-587-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2744-578-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2756-506-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2812-414-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2812-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-579-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3196-349-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3320-361-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3588-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3588-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3708-440-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3708-433-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3748-533-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3748-541-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3996-375-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4328-289-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4328-300-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4328-498-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4460-311-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4484-532-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4560-451-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4560-443-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4624-327-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4760-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4760-150-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-147-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4800-178-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4800-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4816-469-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4816-461-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4848-191-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4928-394-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-395-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-405-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5064-514-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download