c5d2be86cdcbf3e15a34ac88787f7f063b3bc5fc98543ad6480f43772a709f58

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Size

162KB
MD5

cc9b986fcb501461346edd3131020554
SHA1

0dbbc3671e51ca8bd57470243952d7b3868236a8
SHA256

c5d2be86cdcbf3e15a34ac88787f7f063b3bc5fc98543ad6480f43772a709f58
SHA512

0703c33ea2e9e1c211559329981882a9a474f3726cc8276e6c016419dd243c61cebd03838eaf42af1c918e1e9c350d25947f4df344ff22e2e67579495ee9f12f
SSDEEP

3072:KmTSmWIDZc7v9MPV8Z5qQerImx5Ybc2xknD0E1xnFQQWKmaWDh467AlJs:KmuY8v28ZqSTaGhz7ae

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 61 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 63 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\Geo\Nation	KiIQYYQE.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	KiIQYYQE.exe
3028	BEIwsksk.exe

Loads dropped DLL 20 IoCs

pid	Process
2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\KiIQYYQE.exe = "C:\\Users\\Admin\\EsgAwwgI\\KiIQYYQE.exe"	KiIQYYQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BEIwsksk.exe = "C:\\ProgramData\\vaEgQsQM\\BEIwsksk.exe"	BEIwsksk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\KiIQYYQE.exe = "C:\\Users\\Admin\\EsgAwwgI\\KiIQYYQE.exe"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BEIwsksk.exe = "C:\\ProgramData\\vaEgQsQM\\BEIwsksk.exe"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	KiIQYYQE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2496	reg.exe
1572	reg.exe
2768	reg.exe
920	reg.exe
1176	reg.exe
1192	reg.exe
1784	reg.exe
3008	reg.exe
1952	reg.exe
2460	reg.exe
2608	reg.exe
3000	reg.exe
276	reg.exe
2812	reg.exe
968	reg.exe
2996	reg.exe
776	reg.exe
2312	reg.exe
1840	reg.exe
1836	reg.exe
2216	reg.exe
1800	reg.exe
1664	reg.exe
1828	reg.exe
2748	reg.exe
2088	reg.exe
2700	reg.exe
2012	reg.exe
2776	reg.exe
2716	reg.exe
884	reg.exe
2764	reg.exe
1960	reg.exe
684	reg.exe
2836	reg.exe
2956	reg.exe
2016	reg.exe
1892	reg.exe
1260	reg.exe
2716	reg.exe
2740	reg.exe
1316	reg.exe
796	reg.exe
2144	reg.exe
1912	reg.exe
2092	reg.exe
680	reg.exe
2780	reg.exe
1972	reg.exe
916	reg.exe
3008	reg.exe
2144	reg.exe
1132	reg.exe
1836	reg.exe
2328	reg.exe
1604	reg.exe
2004	reg.exe
648	reg.exe
2808	reg.exe
2308	reg.exe
1692	reg.exe
2732	reg.exe
1960	reg.exe
2872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2888	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2888	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
1764	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
1764	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
536	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
536	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2368	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2368	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2372	conhost.exe
2372	conhost.exe
2764	reg.exe
2764	reg.exe
2816	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2816	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2888	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2888	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
1068	reg.exe
1068	reg.exe
604	reg.exe
604	reg.exe
1520	cmd.exe
1520	cmd.exe
2204	cscript.exe
2204	cscript.exe
2088	conhost.exe
2088	conhost.exe
2976	conhost.exe
2976	conhost.exe
2624	reg.exe
2624	reg.exe
468	reg.exe
468	reg.exe
1124	cscript.exe
1124	cscript.exe
2368	conhost.exe
2368	conhost.exe
2524	reg.exe
2524	reg.exe
852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2544	reg.exe
2544	reg.exe
1668	conhost.exe
1668	conhost.exe
684	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
684	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2156	conhost.exe
2156	conhost.exe
1988	reg.exe
1988	reg.exe
2428	conhost.exe
2428	conhost.exe
2664	conhost.exe
2664	conhost.exe
1476	cmd.exe
1476	cmd.exe
2924	cmd.exe
2924	cmd.exe
2384	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
2384	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	KiIQYYQE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe
2904	KiIQYYQE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2904	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	28
PID 2852 wrote to memory of 2904	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	28
PID 2852 wrote to memory of 2904	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	28
PID 2852 wrote to memory of 2904	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	28
PID 2852 wrote to memory of 3028	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	29
PID 2852 wrote to memory of 3028	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	29
PID 2852 wrote to memory of 3028	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	29
PID 2852 wrote to memory of 3028	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	29
PID 2852 wrote to memory of 2588	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	245
PID 2852 wrote to memory of 2588	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	245
PID 2852 wrote to memory of 2588	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	245
PID 2852 wrote to memory of 2588	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	245
PID 2588 wrote to memory of 2708	2588	cmd.exe	31
PID 2588 wrote to memory of 2708	2588	cmd.exe	31
PID 2588 wrote to memory of 2708	2588	cmd.exe	31
PID 2588 wrote to memory of 2708	2588	cmd.exe	31
PID 2852 wrote to memory of 2808	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	188
PID 2852 wrote to memory of 2808	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	188
PID 2852 wrote to memory of 2808	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	188
PID 2852 wrote to memory of 2808	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	188
PID 2852 wrote to memory of 2608	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	32
PID 2852 wrote to memory of 2608	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	32
PID 2852 wrote to memory of 2608	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	32
PID 2852 wrote to memory of 2608	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	32
PID 2852 wrote to memory of 2696	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	35
PID 2852 wrote to memory of 2696	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	35
PID 2852 wrote to memory of 2696	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	35
PID 2852 wrote to memory of 2696	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	35
PID 2852 wrote to memory of 2488	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	243
PID 2852 wrote to memory of 2488	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	243
PID 2852 wrote to memory of 2488	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	243
PID 2852 wrote to memory of 2488	2852	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	243
PID 2488 wrote to memory of 2640	2488	cmd.exe	36
PID 2488 wrote to memory of 2640	2488	cmd.exe	36
PID 2488 wrote to memory of 2640	2488	cmd.exe	36
PID 2488 wrote to memory of 2640	2488	cmd.exe	36
PID 2708 wrote to memory of 2996	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	240
PID 2708 wrote to memory of 2996	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	240
PID 2708 wrote to memory of 2996	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	240
PID 2708 wrote to memory of 2996	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	240
PID 2996 wrote to memory of 2888	2996	cmd.exe	238
PID 2996 wrote to memory of 2888	2996	cmd.exe	238
PID 2996 wrote to memory of 2888	2996	cmd.exe	238
PID 2996 wrote to memory of 2888	2996	cmd.exe	238
PID 2708 wrote to memory of 1836	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	237
PID 2708 wrote to memory of 1836	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	237
PID 2708 wrote to memory of 1836	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	237
PID 2708 wrote to memory of 1836	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	237
PID 2708 wrote to memory of 2772	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	236
PID 2708 wrote to memory of 2772	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	236
PID 2708 wrote to memory of 2772	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	236
PID 2708 wrote to memory of 2772	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	236
PID 2708 wrote to memory of 776	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	234
PID 2708 wrote to memory of 776	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	234
PID 2708 wrote to memory of 776	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	234
PID 2708 wrote to memory of 776	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	234
PID 2708 wrote to memory of 1856	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	233
PID 2708 wrote to memory of 1856	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	233
PID 2708 wrote to memory of 1856	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	233
PID 2708 wrote to memory of 1856	2708	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe	233
PID 1856 wrote to memory of 1516	1856	cmd.exe	230
PID 1856 wrote to memory of 1516	1856	cmd.exe	230
PID 1856 wrote to memory of 1516	1856	cmd.exe	230
PID 1856 wrote to memory of 1516	1856	cmd.exe	230

System policy modification 1 TTPs 20 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\EsgAwwgI\KiIQYYQE.exe
  "C:\Users\Admin\EsgAwwgI\KiIQYYQE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2904
- C:\ProgramData\vaEgQsQM\BEIwsksk.exe
  "C:\ProgramData\vaEgQsQM\BEIwsksk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKIsMcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWwYscUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:308
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        5⤵
        
        PID:1160
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        6⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        7⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOsgcYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgogMwIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious use of WriteProcessMemory
  PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1192
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:880

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUYIMwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2612
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1260
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYsgsUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\huQccQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2232
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCYowcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2468
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:2664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3020
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TccwUsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:1572
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSIwIwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:1152
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSwcYwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2644
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIIEwcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        5⤵
        
        PID:2524
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        6⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        8⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        9⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BaMkYcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        10⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        10⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSsMQYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2672
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwYsocMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        6⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        7⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgMAkUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        8⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        8⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2488
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMIMwwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQEkUMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\juosUcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "348612475-151544580208672725412587525632110596457-1304823091257877871-1435283117"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIoIUQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcAIQwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2352
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        5⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        7⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        8⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        10⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiAkIwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUYcAows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuIcAscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        UAC bypass
        
        PID:1932
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUEMkggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:2336
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-786387435434608982-859952062-185145251163993059-17454103715159877141184837460"
1⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiQEYkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "453967626-187616787-17916233041604677106-1916320251759907785-686232142-168300416"
1⤵
- UAC bypass
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1692
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
    3⤵
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        5⤵
        
        PID:1188
      - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        7⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        8⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        9⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        11⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        13⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSEwwgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        13⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwYYAUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        11⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NCooogII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        9⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOIUMwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        7⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:916
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAQQUMAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        5⤵
        
        PID:1860
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqMUgcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGQIMEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2996
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yesokswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "118179849567956187-1486020986-1853250617-17932015811627199235-8155710711644184007"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIIIggIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
    3⤵
    PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKscwQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1212

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQYosckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSAQoYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
    3⤵
    PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYwAIEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12438385461904591559-11117052601003305936202159955-14440736601735513642-1417712698"
1⤵
- UAC bypass
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSssAsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      UAC bypass
      Modifies registry key
      PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1650023016-1046000983111023120814492629271248692677-975089063-543206494-1623219144"
1⤵
PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2276
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:960

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWwIsIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1192
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1960
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1366764681303645906419911799-1654340955-1532158292-2061935646-1441936078-1825349263"
1⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGksgEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2144
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCccQIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:1192
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4983074798491893519707276071926281365207752401688530287144825509159294057"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-625915762-1005053598-1353174109688361163621232474-167560533988048296-550795048"
1⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        5⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        6⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOMUEQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        6⤵
        
        PID:1692
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1704
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkscgIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
        8⤵
        
        PID:1924
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiwoMwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwokYgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
    3⤵
    PID:1636
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    PID:2432
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "54530501015081970511091707273-16418495032035911759-1918226767-2124305304960002799"
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikogcEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2052
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEYskYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2796
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqwEkQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:596
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUIwsscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1678124679-1966183791-1638344007-8091222161188078027189833554420689817311842121804"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwAEUgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2100
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2820
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgskkMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2956
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "641405327-790780658-282249589-1144553758665628485894133802-1773696194-1470204327"
1⤵
- UAC bypass
PID:1952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "816501156-9535619481420639893840939971524635074236065191-27331912927519685"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143273701-1207891552-1575228798-11560839341289324281-386456833-2015510437-731299529"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIgYEkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "510345769-144556219-1512802007794742469913063161001465298-600041913-306489265"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1819939683-2136955305-1768154447-174515176-9434259532895984891647619423-1775595965"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12449578291822497102928219853558891934-13996146441144152395-8504938931813113079"
1⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqQscEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1159833364-437721973-623331110617505466999674522-1236168013-15714441481795501675"
1⤵
- UAC bypass
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aOkEIsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1580183073-136505068245418522-188938025-1475647722-938716389-1496451832-1818986625"
1⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
  2⤵
  PID:108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3998803261651662686165664685620471175941652239781-7003175661431653715937518004"
1⤵
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21462456376923233921492861038-907922117623251476-43231254220756536-1028747596"
1⤵
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1699001762-6153767212112688715-680057281-1509388676-1480828364-305563525455100498"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16047406741797771973-17190027672135097607-913211575-85008671518628559-1404384228"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8697394251909303783-1716654768-128534699-1293202005564113762-2120466593-11199003"
1⤵
PID:648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1531135771944022473201642150516222788731005515805-13643514-345017301345508242"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1875151986-1380903702-702020531097835086194195378364142826-761696599-1025994593"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-587976204-8353631191915723223581010245250616613895565249-10955245701469118711"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-805495114-11434591851463287001-736043351228197044-585389906-1382507120-1109536388"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1279669230-1122498001-933116809-377260163144596749479028518314138225791711267552"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1334931461-1564438562-3716504516628228112017225561-1968211486-17887442041912371774"
1⤵
- UAC bypass
PID:920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-56756853911074611321402406679-11578529144639904472063981720-180079647-2008186817"
1⤵
- UAC bypass
PID:588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1061725692-13555298531290979579-1483471919-21433877841597893921-995338988-1092196705"
1⤵
- UAC bypass
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1505960548-132033474116016692517713639022092824632-9574130685250073942025827507"
1⤵
- Modifies visibility of file extensions in Explorer
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQQQMUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1974189311-1342583024-167353861819854733051627461484828559482832492641043350086"
1⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14271002161195370736-739187325-1318592474356767948-1002931425-1639570477-1458633681"
1⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMwggUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:992
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1892
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2107229284-13947321181856401060-654099263-23767781413552133261125319278-171076260"
1⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKsMcQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:960
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13668963251983675733326402439-179440768135206421-132777411-1674081602428995015"
1⤵
- UAC bypass
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-416540574592237316771173682-1417448433-966109487-16081127901364095452-523413432"
1⤵
- UAC bypass
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1148773807650363712-688500628-888943046-807708095-1629734377-5677085141680522193"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
1⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCksQEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4070284551221275484-1813895651-835752325253646038578466237-368683796-1605668951"
1⤵
- UAC bypass
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10085829331265738026-1440342089-1923824700-8400250411962644543-1347364969-276617570"
1⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1800
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:276
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwQMYAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2940
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAMEwEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-184779174421164500371721508701460656184112916593957349222811140620641739951184"
1⤵
- UAC bypass
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "166931261117977356382052444957-1783589521647917909-49043319511676246711567666586"
1⤵
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImcoQIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:2908
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1511519893482487-86597673020424862561435040374-6793201111484250573-1067658727"
1⤵
PID:2776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1486453087211724536-15353226601149074064-248189830-675509646-1364842631-2043583249"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18595904071197102325440245957-5973073891665206066-1612128712-1460809522-1578347273"
1⤵
- UAC bypass
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-818661489-504568265634578749-8946456361867785848-17550009392051909473-194800714"
1⤵
PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEcsMkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe""
  2⤵
  PID:1788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock"
  2⤵
  PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13029810081980453902-430177371-300864025100013359074566276-1990792762-574191506"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9943631752101874556364979499-433070136-1547663624-82705175-1831163775-825260422"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1486395551-155036276113365441920941825531220460954251322870-853643942411562756"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "70046207-1456501102-180170269-1083506538466992392-38590907615224006301197414362"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "482451249-182065730-113577751-1622933707-243333149-417510963254555683-1966103730"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1736451832-250678599-1419832553-1848040855-3071311251557287837-1878010258-1560645665"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1600839306-185964773514889190242086385482-16978818291623145103-180005009-453878107"
1⤵
- UAC bypass
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1439432389306795958-16890690841419618966-9766518741098244182-222191278-1870622177"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1605796460-1152303941-1913673230-4828169891175974669-787198450-1725564851-604610311"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2009536807-1383477130-91473836-1467518226-904849955-784504493-1841719411814363627"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "163222163084302746876978556010099211281466691622-5950919491057635061583698357"
1⤵
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-834921780-1403448193-1279940580-1236510872-630754170-1120199131-8579911651988052092"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-82965460292267044-12394572941683595456-1729253223420125965414162872-1894441853"
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1305154568-20715560-1904625455640403660-345543047-467263901638440968-236624130"
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1139043428-29607907210501856751303833309495262642463888977940013492975169773"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "931655262-452988006-40963905-180191290516859981051808651918-471848356-1964069256"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "28212424743491261-86925679900408463-1669669585-212850101177022590994004616"
1⤵
- UAC bypass
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7824989181499951654-12100394641618042771-1830600933-293111252778609173-1552242513"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8415040611782866803-1052610426-15293294451630425059121804540310471714-1647415999"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11949871381342230066-1282660539375663827-948048958622101132069738118-1794787649"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7565167521094138044-123747235812510951031352257059679668079546777318-1734177979"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "434858826-1973087379-1167482089475141182-1497990857774731847-1221624040-934653019"
1⤵
- UAC bypass
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1361979102-2682907605680839181884225461-17649011582135072289-2124136083210396377"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "94715741911526715181844530196387292277-11295152041757826713-324286208-2068307648"
1⤵
- UAC bypass
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
138KB

MD5
f55f1668fc6aa68048bd11ce59552f5b

SHA1
4473952caf177c7db647c7ec1798791700ec19c2

SHA256
9d03f5fbebd1a12705c3e696048eff273eca0f67c6a9ea385f2f8097075b4eb0

SHA512
6b560dca4922cc0fda71c4ba00f2d631e9504e836deb342fc996622d4ff7546a7eb24c1f17a2a8e11ba47863e7aa708d03b9ed6a6551da31908b5b8687fee01f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
147KB

MD5
f6ce257923ccb5ef9cfc72eeb858c76a

SHA1
a10f8ea0de76f15a0314c1d3bd3656cb60b82bbf

SHA256
f9ef59ae2f6f49454c1503d688885a921cae5b21b91d93f4750c4f86ba61463f

SHA512
a4407e259d282777f32335b7d4450d7413641288c6397c0bcffa2641da2c74988a1cb4a644f1e006bff630175f379dadfe6c91e2eca267a4966d6373ba08fa40

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
237KB

MD5
208fd09abbeb98dcca1cd4e8b81aa532

SHA1
378d2f3f80ce2575a90703207f4acbc249f6deb0

SHA256
876ef91188410fb6be14719610a2fd56af497a8deef04c6dac101b72f6bf9ec2

SHA512
86ab5f36b965b4adf95e3832d6266ea3ad64f1fc70167089b4d15a0ce589d9394a0c6ed925138c02ac4a02afcb16333de868182ac5da72a4175cf07353352015

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
139KB

MD5
c68aa563e692d9102ddc986fbeff97de

SHA1
c542e80809d1863e8412ba2b5b5b808557cdd649

SHA256
ee2b5e61fee369de7128d3fa045b81b469cceca2662350d5fd2cd13f858baf28

SHA512
3205a86ec5c143a68ef46c2d0191a98711120aee75e627b6dc99532a3b17e8808e8e28a877bad4c09be9130868f88f8237f5787f872af6f0e4a93631ba82bb87

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
159KB

MD5
868a74b1226f6775f3bcd6e572e5708d

SHA1
1ee5a1dbd0b25107eca80157f822099e6b34f116

SHA256
0bca4b29179adecd53ab2360327d0bb8ae3296f8c5e91463ee5cfe40b1b9056b

SHA512
2622f09a9a6cee75811c2717e49bc4f4edddce643cd3c7c27729a5396bccafff95957c27500969842fb5cffa5567dc87fd0a05155afefa060e76a58888c6eb72

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
158KB

MD5
caaa610e5f51387e9636a586f0eba349

SHA1
ab068570a43d04c6f8ac6d6b22b861eb62028978

SHA256
8ec0aa8dd98e3b78a5940d6cc53e230130d957ef389fa00cdc536e9ac8ed00bf

SHA512
ca085d0b027be76ddb75f972560653027fd7346086a777384788230b5a2d7e1990b460ed3f7a1f623129f77d919853ea0a8ce3e834e82eaeaecdaf3f1d4f6541

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
162KB

MD5
0d76dd57f4e025c8846d2e00bb56078f

SHA1
6abb3b045a9eaec304f416e37a17e9e5c6bd0c85

SHA256
58ac5d722dd36f48f2dfa1a6fc5d1defe0b363cd5a2ab57c0c4d085d9b732a52

SHA512
2447197dd1ed34d350040702c88fe7aca8c112d406f89bdfb857e28746ce33d84a03356a43392423819b4c2f8d44d710771b3aa8351760a5b8334f8eb7ad33ec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
158KB

MD5
2d836688db8be7bd85dd16ff1af1d608

SHA1
f35ae9d324e1dd88aec234696b027f64d93469bc

SHA256
95f6470240ac7eee7f255ff930ff6b25f9c8edbf484dd4bf229e825c67ff02dd

SHA512
222558506a20377522c43d915ebb9d9ca69f3c050e5fa94829d1c730d237caa27f7f6f8e3e66189c93dbe89a1562d2975cc48f1e16c53981e77860114298a112

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
159KB

MD5
f3659610ebf932b8d93331aee2167abd

SHA1
3a434c6d6599b3a4531469f5ef03e4d328164ba1

SHA256
d155afe6e14caa0b2daf5648f15488b828041fcd091ea5cbbd5d820855d248bb

SHA512
cb7553e89660c0b6a28dfa852f7f6d06a9d62ef9922d5da07496d7a8d3d1f77074ae18a14b14461120b08966a7a8f929801a7029db0b24730b1b361fc654d730

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
163KB

MD5
37c0786d1ca20acfd1d3a5f4bd74a32f

SHA1
4cbe079ecb8f50646cbd398358819a99c6f457f7

SHA256
bcabdf420c710dec061d847e837f317563d6aaf977317bf8d3e2941565053c9f

SHA512
8e6ae4fdcb699e1283fb0290188aeb3ebca580c74400de36bf580f71ee78a429cd499bdc55bdac622ac3af152a762deb7c071a8112f9602bd630cbf953ddd505

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
158KB

MD5
1b78ac2898350d0558e27cccf4b4f567

SHA1
5eafd6a33df3bbb67aa41c16d877bedbbdc497c2

SHA256
ddbca8e84f6c2b27fc509f05cbde180e463fba849a5b0cc9e20f9b4b2f56a189

SHA512
2cd8f61b0e8fa105bf6f237ef3f2ae73f7d4697474856ef65be99057b641e4ade20c906c5db0fde72f961505411a08d8f6fe0372ccd46a80f72f274a24eb367c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
157KB

MD5
78a175c68b4c90ad4cfbd130baa1985e

SHA1
8c64e8b0cdc2081a8359de41514b52ec570beecd

SHA256
0c5f4e1eb41f3f225e88c4af9dbaf83fe71ca279984b515899cef932a3b897ec

SHA512
aa74b7c891943a8720dc1a42d914deeac4d9d2d610b24aa149e05a88aca3fb552526ff8f9a5f2f4a8711118e87c16ba78b559d2401a292077cc6f52ea4cac564

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
158KB

MD5
6429fa225334fc45a42f67f8004d4894

SHA1
e3d5b378c697974b7b70b91c211440cc3da3f7b2

SHA256
5d08b6cb75a554f8b7fd641d658476c7368218bca425f2ea8fcfab7652d773fc

SHA512
fb22a1943e7447f6942a89d46a3937c5f6a0a39fa5e838a5c2a5ed282b1c0f07586d943384e552789765378a912f1610cf8b99b411c768e6989a79fbebe7fa59

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
159KB

MD5
ea39b1b911565fd349dadb4c9f37c70e

SHA1
21dbb1456657236790a663d82fe5648416e77869

SHA256
ca463503717da6fd181612990dad2c7fa6bd6ea0a4b2a101dbd310158cc3c0b1

SHA512
766c6e44dd362ac52871469c8e45dc233773c142d6e3dd1d546dbca551a2d17e74fb1ac0f494efc7e6fdd6ecd0e7a6f93c8a4beb3eff3a0b98be53c8dc6e66dd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
158KB

MD5
399b8227a98273cd564709989a861172

SHA1
fde9843b7dd6b3a02678e1d8e1b7f4e0d1730139

SHA256
7b7434d3d80326dff4a3a5f4231f91415f4c2b76ba7c265a8504029ea8b57d36

SHA512
3422c2cec1d7d74316d788d9d51813926167309b8421cf8b7cd7bec95a818c2935c3487af08255cb6b216ad54a32601b5b9dbb2af53855d48e6fe97e3bb0301c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
160KB

MD5
c11cda66c8cf92c24a3403e793e5cb67

SHA1
c80513343abadbb24d94610de6e72d81ff4c5388

SHA256
0fa6e346b1e6f05fae5992e5d8aa1a2c5b2a0a5630071e2a5f31960060164776

SHA512
a85b9fc8944a97472f3ffb14a9a03474dfef7dd02c234a67734ef7d0b8219103af34fc6adb31c75a8049f0f6eaa6acb3ac305a6d334b0556c39bae261b68232b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
157KB

MD5
f7a6cab0ed3717ad8db7f2c4c4042faa

SHA1
b371133157599cf0b9a63f22cf64f17e31669b8e

SHA256
62bdc4124a73bbc5aec260d17b80c3d3e574853b0f333796f6fb1bc794f016e3

SHA512
b0cc5a60267b1537ae9a86db342f1cc0e72bd6bc17542a20133bc20465b25461ea7c6b14c19973829ad6f594d4bf9a50ce64392d42335f5ee3fd150b43400c83

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
159KB

MD5
b3bf5f41eafdbf6ce759f53a4d8d5537

SHA1
1bffa49d3bc64671054999288edbe40ccb30df6d

SHA256
4cc6743cf61fee85eb61f36956dcf382b12c1764128010fff201becee23babb0

SHA512
fc9a4cb330df107d2928b2b6436b8e7aea167d0217c9145c7ed3f8c9071dd4709d6175b47614c2150b55d0253f7ec2665bd8c9c1d0b75f57bd80fbf09e0875a4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
159KB

MD5
a91e52ea9803baaa9ce736d756d6ab67

SHA1
b2df64bd6d1c4552451d39a9e246964ceca8df36

SHA256
997c30df27fd0cd3318151071c82ae29bd3b7b5713c0a2d2642adce9611c9c45

SHA512
2632218ef4b65243bee903bdfb88962a7750898f37e4223b584c2fe4edd611ebff7ceb76737fb88e6b5f1bddea622d9785188413beb4194e9f022c388edc8fb1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
160KB

MD5
30f6826efb27b27826d8f5b1a05fcb77

SHA1
9795113af0fda207fe56ff46f679b6037e31b0fa

SHA256
d0ab740f03c12f62bd87291c3ec83c7aa6dd6d806ca355f7dc3f1ce458643c36

SHA512
fec438b31d74a64cbfd946bac0ffacf135040b6b7f548758e353eb8a760484a639041074b5542879b1807e2205e5b5ae948b7bb73a6cd93ad721411b6dddbd94

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
157KB

MD5
7f8790d00aa2aa1c6dab45d7fda4f32b

SHA1
f933798b1833cc74a32c11111f1c0e1bfc1bd35b

SHA256
27d37f483cb3c22bfed14e091d91557c2fd9082218a1f2221d99a83438ef86e2

SHA512
e76a38b005bf1f41f62e8439906cbb1bdb8dcd7f527c86df7373f1e201fdfa010d8cfd686f55c924b9c35f2eba1f3b68ffb50dd9313e719ea5f26e0fc45d835f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
158KB

MD5
5d960bbd44dd218e121607cb1d1a9366

SHA1
6e4816e30246b604285c6940fd179731e4465b68

SHA256
dc44a986dfc57be73d86357324d6b1926b866c781aa85011cab8f33091b3f65b

SHA512
f3a5dca600cfad576b78325f0174ceaadbb42de3cdf39216e48443c8b106029ec780e1f8f27bd849d6e0d60e0dc712babc1ec2a6955e76e835a2ff984723f2bd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
157KB

MD5
d899360a98d46d8168492bc4e1e1c8d4

SHA1
9739de4f6c671ac75c97fa7657f91b0f31dcfc86

SHA256
0b6180e8f10686f0b551815748547f23efb1e2cfa50c02f0a0ae2249f240f206

SHA512
e844164c5860c4116c06af833f123591e9d7a0229075d59e2a0c35a387557e300d55cb3542a737d87a13ce80126e5033b48fdbb8a68e79dcd7fe1187db84e913

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
159KB

MD5
c28b1f5a2b9fe5ad8800a50ee361c8d0

SHA1
56079cdd5e3377c12237cde9ef0763dc41c7684a

SHA256
6bc453b9c9c621205cfcebbb4cad6128ef8ec74b9f1d215070e090090e9375f3

SHA512
a9a88215d55d1fe7e565b0f2728d92405f8210b8e4cff71c6e75f9e6e58b2bebb19ace092018038a50b24ea3522e55a4c00879b95c7cc04629d7fe86970b94b4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
159KB

MD5
67982ba75617109d51ca9acf5be44eb0

SHA1
8a653d17a421a7b477c1d5560f2339e903617c1c

SHA256
4dd26822cff39fcf68a00de8c2f970ae8f9314f0fe669f9e5db2e5c810cc385a

SHA512
152dd0681d94c6c51af2c8fe5e213b8a13a8221cc0f0d8588d2f49a64d370e7f998abeee9e0c6e4fcd33845979f73e71af17809cbbbf85b6847c2e398a75aae9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
156KB

MD5
f2a3bf07871c42cf9eda0d0f1e77d101

SHA1
10362bfda6c9e2127607d658c82e0aadb0193f71

SHA256
995c182c091eac256bc451a6ea850577e4861c067bac09c3d74ea02c9ecd32ed

SHA512
b5ff9998f99048003fcb1ad006558626f6d3d34b013ce0048450dc958cfa4b75f2deb3ff1db96398833af1edc759d431ab72f56260725946cf0813980bdd5e1e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
158KB

MD5
20ce163f269abd33a10a6f03c7465bb8

SHA1
5564aeffe6f82fc6e982e9ff967555e114b3139b

SHA256
54cfba49f3d2e8086c28a3d804bb547298b4e02d77cbd63d6916edef601374ee

SHA512
850491c11283786f128ad465c4ecba37e1e4ca6cbe992f8e971fb1aa4d20fb2bb323a48e5a4e75acf9b52df371059056b88a72ccfdfa795b40cb7b961436c037

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
559KB

MD5
a146454946f1ffd3e4d83b996ce8cca1

SHA1
25b09906919ef88425e9ca6a7fb4b3a3396c3db4

SHA256
ccaa24ffd571745e21affe7c91e9a634ebd20262828e00b822014e9a7aad842a

SHA512
aaadf0c1a1d0899aad85f352f0bb6319056f89a3357de74a03a609443d0ea736900134d66ecec80b754c3e93e5345e32eb6551a79c39495d87af3e5d7d35af43

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
569KB

MD5
c1fab96c7dae8ba2b5deb51231d96247

SHA1
ccd5d9a0344a8ea00ddcb319013dcf6d72ee4a8c

SHA256
3d1eeeb921545e09c353d681a89f81bbf7fccd025520b087333fdd132fa9115f

SHA512
66a2899d50ff7e22b4ef4515dbafeacb3bce502048fa535497b5c209ba1d74296f149fb31a3bf404c6c0423fff8dea7da10aabc7b6ac6b7542efd0db223d7be7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
313KB

MD5
aceb731f4a8b62a94b57901cf6a8a56c

SHA1
4a3335a04dcbf8737d063e55bbadf5c3205e65c1

SHA256
1aa0b3c533945d664bf7a33c76009d3147b8d9e126cfdac9d53add8f82194d78

SHA512
99824c5def91bef1bc2b1424e3310a72ecd5bd9a1b1d34a22c84a5784a22091ca494b6af1faad35c2df3c64c673058b001dfff0c60b3018a85b525d0ccc7782e

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
301KB

MD5
39e9e7c912d163d710e6b0fcaa129c8a

SHA1
f0b22016ee6c45c4b601e695f1b2ac050cb0a759

SHA256
5ce49beb4ea8b06542fa7679efbaeef6033c13f7f51b48686c902e5efcafeb80

SHA512
7141bffcbaad25e6f24d8c3dc1755de5714f0239e43b7bf61bca0046d2ce3af000724357a5d0627838e061e9e13ea1b566bfcf85053e7938c69e3ae9e5acfa40

Download Submit
C:\ProgramData\vaEgQsQM\BEIwsksk.exe

Filesize
110KB

MD5
a259a8fce44f9643f96ac5afe43f8264

SHA1
878e6bcac8834011226ce72427cb514621a48fc2

SHA256
630f78ab8f4728a7cd869d1fdca1cf41910ae1e8cf6248f719d8c3c0a1bb9a64

SHA512
19b3824437111a24ee93a3f568511202298287b7d5f27868afd8999c3df4a75c82b677fb57d74f14ef02fdb7c1bfc15b150e18a6f48f3381d3eb14c8a58c3ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-24_cc9b986fcb501461346edd3131020554_virlock

Filesize
48KB

MD5
4e5c3e1452d39fb8742ce676a5033456

SHA1
fe6df7a297d5697cbce86a110d53f604da85db94

SHA256
bad04b1a9e50673c4f79fef48d129e474be08b367291ad738f0988ac58631a7a

SHA512
3263f77fa90239f2a7f17afb1a9b88fe6df1e33ee247e95b5f6ba4a962eaf780b148dc0d911f1c7a8eb71dcf540405c494636a084ec8be794b86bb70c4bdcec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGsIEssg.bat

Filesize
4B

MD5
a8e256ea9546d1e873dbd464468e5b09

SHA1
cfcad685b20e7577819472d5d7b8ac3694772de9

SHA256
8815f25b1eb07b230866098ad1c869f9a9e8815675ae4cc523d0c713b4af2ffb

SHA512
454f4e9833df61e518da9c5b922432802b9384b1c5e90a43a73ca613a32c39035eca9d26858274c184cfc636bb3f27774761404fd3cc48f77deaeec0c788324a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASAYwEEA.bat

Filesize
4B

MD5
39989a6a1106e7e077e050d5d2e6b837

SHA1
01c0f160f3d93945b31d855da6ff3f4243ef81de

SHA256
1aeefcd90e873e73c77fa15ead2a2b3a731bdea81d05acf773e4b1cb4dcad751

SHA512
cf0bfeafd5b9b4ae64ac06385cea9bb8777c240213ea1c45011af49e04efa924dafbdcd6c9b751e455063c9bb3a96c536fb063669a5699751d933b3efe6a1611

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUIy.exe

Filesize
233KB

MD5
289227de1e11eee6faa05b73f29b455b

SHA1
60b68d3652255b38e6b221e781b846fe1108b3c1

SHA256
83bc8f2513615168d51f551eac0fa9477922d9ccca920ccf9473fe5ea86ca2c7

SHA512
872ec9084029caff2d21bbe12d8bd0359e11e40ca1d0c492dd4c3ae3db9282e61bb6439e4313b3f58af1528ec8a99b56377926ad7925dbb56d4df478eb4a56d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUga.exe

Filesize
158KB

MD5
d4874707dc62c580dd2a4b040c5ddb60

SHA1
236e9990a627632d37adac2f352db269b85e206e

SHA256
130a1dfd01ca9fa8992b64e1e396437db3c260270659d08e65db67b58d15d8c5

SHA512
33dae04a056fe5d860da38f240c039c3b8896bbd2b06cb357ac58930278f485eaa6741be95243104f13d4e9e719bcbc84ee7d47d4e992a1c73ff4a97eb051c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYUg.exe

Filesize
871KB

MD5
8f9445e8727e504a79cd1890a09af3fe

SHA1
ec5f15ceaa6d3db3032bb0e0aa69f2cf43937ecb

SHA256
8dcda86738dab4c2c9aea5a90487630e62987fc26c513d86419dbe8bb4c20bb0

SHA512
31fe3e5c1444da99233a2110e2037e552d7155ccc63edcccae019e77c645aaec0724cff99b2ffef48caf7059bdb7be78c2a51bd0b23ca0bcca126de02e748b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYsm.exe

Filesize
134KB

MD5
448e78c51daaef4a6d3285e929847652

SHA1
0eb2a4a2e510596f936244622001e5c6820566ce

SHA256
8ed0adb81d1e2f88387c7413a24e01856448fc5071291d29a3fe7e1b4f6927bb

SHA512
5de3ed2017383e812ad60d753713a5a96123af44f20fc1bde694ddd6fdf3546d1a5e3cdba52c5b97563e226da147a3970d7d243aeb3a718f71a73bc776f441b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AccM.exe

Filesize
149KB

MD5
0876ff046ad7996bcd1d991f068d86be

SHA1
30f96cdcfe8e04e4d6d38715e934fb4351f2bcdf

SHA256
77a1a287f78de68f53fb90dfc3862b42263a18ee338267ff9fd76cfe8d53f3bb

SHA512
dfe0a476b08a1ca3f140ca3b524a15b1d38501a5f1f5cec9bba37608e14338bea0268545b49842d7344402993c34a3ca1d837327d4ee11a7030a2144ea2c4b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAQ.exe

Filesize
158KB

MD5
2d31b7c1917f149b4b19ab8e6478e227

SHA1
3f7d75f2aecb533708ed8d48610a13f05caab28c

SHA256
fdd31d87496d5e30afa87e59ccb24c44bf37c3bc22ce0038189e016ed05575d3

SHA512
95c37837393a126c71c24191eb64e1bcba9f4f6fec0a355c64fa80b53f6867b07ba35098e619ae6c368e721b7fbb88a248a73f58995ca0134a4308398044c101

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQEggEcE.bat

Filesize
4B

MD5
00888314483ebd2ac7c95b51017c5eb0

SHA1
d58123622c5bbec7681701b8759318ed4fe104e9

SHA256
23f23ddc602a6eb50091e249ba7b565838361012ab6b0b19e66489d4b56b0f90

SHA512
d58c78ff35fcfa47add0d8fcb5b1c977f1ff0f6f4169c183f1bd063283675d39c16913f8222ac67501f89fef902f1d83b982bd92b76b34c3e04d329e265c5dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIS.exe

Filesize
157KB

MD5
6ba6d2f4df5748ebb19aca3a234fb376

SHA1
b7de5c872cbbe13c1eb692972a71de0aba760d51

SHA256
702e5e367af6140ca338677eb06a8a5bc939271ac7323b423316632caf1fc693

SHA512
14e914463b647d1dc130da6a7d507eede73b89c8ebe87d382fc53d1e059c5965b2170d23056bdf25999654734ef49aea9c5cfd844a3a3cf482e57f345feb0c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkG.exe

Filesize
331KB

MD5
9df2535c0e21b3c3617144836c631df0

SHA1
b7a9371d76c0bf8f7f813cd1828ae447964bbe0e

SHA256
1b009999d1373c3476c6dbc9c472201e81f605d3f997ed6fa3a6ae371aecb306

SHA512
ca73607cf6799305161b311188a1caa75e46a9dc818174643ca3eda61fed34b8bbe2133bc8440a9ba3d22ebaed6e98e4a1d260de648663f99bd12440b10da6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkQwMEI.bat

Filesize
4B

MD5
6ebd04665d0e863de05780d03d8d6c1b

SHA1
a2db64f3c8f800c0979607d23e99b98ba59fcd47

SHA256
df2a54376ff0e3bc1f76ca8692921353bde5b887aefde33d5e5b40acde87147c

SHA512
2ccf865c20646bdd6202af56f14fad6c21dec528859b70c4cf4973adfe5d5ebb456e8652a3476eee398ea9df7c7f5e84c80c1ba73aebc7d845fa2d929738f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwQgsAEc.bat

Filesize
4B

MD5
5bf2861e258584b4f257ef73b84733a4

SHA1
6829c6a9ee120c7ba5554d521d36c8c24c095083

SHA256
edd2ab599e178fcbfb83ab5c030d24f371ac61a72b53b7f2f68a0fe63030b9a9

SHA512
63d411a6ca91d66c5355a81c88061c6785051a68491fce1c8b940cff18138a3405c9e78747d318085ff8370a2543e700de53bd08492d477a6e6ca139aefacd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwoM.exe

Filesize
157KB

MD5
ffc1676a020d09e1238b7bdbfcf1cd68

SHA1
b5fa26087122b45a3221fc73cc89a5443d67745c

SHA256
9f5a842ec8d3e6f0b8728b41e464d6865e20eeaebb8c0624fb130fcbc1da92a3

SHA512
62c16ab00440afcf877dc122e20ac872a7f33d32ea62284304b8f62b06e5068c467fef280a6f884c6acc537fb5316242e8b21331277a3c676044ff5a3638e7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQYosckw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcUcsoEc.bat

Filesize
4B

MD5
36a10e28256a8b53f88b082bbfb8261c

SHA1
519412e46951693e9b47cc68bf946ce74fdbe4ec

SHA256
dc97004b0e906ec118c7a28287ae88ca0eee999ad065c6f6d56f064e3240d31c

SHA512
5d3cecd434b167f7e6694c37e96b984a6229734262640b658d8099c5cd966b994ef0d18ac091976feeaaaa9290c5cf088c03d7a6508d37e793b82017f6ab2c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIswcAQA.bat

Filesize
4B

MD5
bbaa8758c8b9eb2118883a8aef914678

SHA1
c524b60e7909bf4396bec4a72e37354177665956

SHA256
fe0ef47959dca85c94fa13bba30da51a7a3fdbb6edf84dfc77ae37fa1adc3762

SHA512
61123145f982a8f6a81f6e8e0d4e60108bfa211a6e1474918072731c570c31fed62d85f1a27a38f93e1a902ba9c18ecd6605806af88a03dde438eeedc1064f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMcM.exe

Filesize
870KB

MD5
d4a9fe756e76a7128e9d432dde0ca05b

SHA1
63d0750de020425d1b3d357300aa06ae55973119

SHA256
b6292e94dd7e481794b79bfd54130ba0b8112768f70be0deb0e919d62b013e26

SHA512
52755363a14dee9c4f17e9a6792d85763d8f00dbb3e15591efdfca4a40cac84bae508fc79a9ad24ba4cc54bfc105591897d468475f62e8587c76432d6d08cfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESMAQsUU.bat

Filesize
4B

MD5
4302a5f4ed53b6dfeb679c20a52d3790

SHA1
cc015795884ad86a2b5809b5a8b24aed8dd060fc

SHA256
caaf4164fc35315500b570ff0938120e0f274bb958d2ebc6743d41c4654d59c9

SHA512
5bec4d366d9487364afb1cd06fcc040cdbc4494f0d8b927f846e9f2a8e9f726ddb051f56a1bd599e5d3626b7fa6901bb2622b23072353eb234163b05da6fef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcQAYIsM.bat

Filesize
4B

MD5
6829566287e173436ab4119566a1eed5

SHA1
e391f55ec6e515e7b5f68d9d083639a351b825b4

SHA256
e3d076e58d6a4ddab1752041670d1368ff3f3db3aa3cd6018a07a1342d26f6e1

SHA512
5c06d6d1570da0ff75e7b351511d38fe76f11361d639d032f4e752eeb7292818d2336fb7878d45cce2a8bac22b70ea440ba593ee7a9240c1b2296bdab900dda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOEYoMIk.bat

Filesize
4B

MD5
9d92b82549bc8253b8f627adba1a766b

SHA1
bd0976501274885dd5f1f0f797f6ce4862291cda

SHA256
38712bda554af44b708e1f03bc82cf11bbe78c60196a04259179280ade32cef7

SHA512
64bda2174c743b65137ec8cb3b7f1048f5fc782b7221dbdfe06e655d6104a5f89b1a86c7cd0304a4029f32f5c21483807f0423770b52e49c2a55924e197e5fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gccu.exe

Filesize
160KB

MD5
5eb67f4db6503a5c90401430db8f7c0f

SHA1
a6ebcc3b57d0bf380d4276ff8a1cd6745d97c431

SHA256
f04a8400978a8154bb3cbc274248a7422994e5d28ab8c5b26a179202a46de411

SHA512
3638e80aeb3def3da9c418fe85a3c57e2d63643f39fa3b00a050fb41c106c718275e68dc2c07910e0209bcb0dbec6eaba152fd52596181904ad23be502800105

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQa.exe

Filesize
158KB

MD5
b79590e82afc9307685577745e06b7b9

SHA1
925cb3a300842107183fce8ab41d2a9a0353180f

SHA256
3fd6f6737880948937b819b5e93250814e8f0df37dfaba7686cc9720728bd818

SHA512
610767fec88d8d9d9064b3e93673f6ef57f54cd6efa554a6c54d57feb99c61fff32828a61d8053164427f35f3621c59d48230e386ff1c3764e8347817cdc06a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HukwcEQc.bat

Filesize
4B

MD5
f691619694ecb8dfa327c0e8ade6f457

SHA1
acd57639a112b8eab0ad28d65c9766e36f3efdc5

SHA256
72960eab909bb1707b19efb7f8ce712dbc3694088b414330b8eedb441ccdbdd6

SHA512
067fe18b8f262ebfdf7f5ad5ba9fa302cf4b8431f677fbe07b3abc5972aeb489beafa6a3d1fe24523a1363ec84dc6dcda63f332c842f17ebe6c39ad1af867848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIQIcwA.bat

Filesize
4B

MD5
13412e84fd6e9fe98113717dcbd0cf35

SHA1
32dcca4f57c58a205d333f3f25bbce767ff8fb3b

SHA256
e6ba4e2966f47a13b729237bb701c256bc266e5f69e4b37a2f2aa9e7148a8049

SHA512
0b4c19d93da91d449a31f5c17a83f9d4624750506bfe0fd340fd466ee6c6ddfcb47340d6f629cb4135de3a05d90fc5015f27b8eef81f461b8dffcf139696b68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAwIwEEc.bat

Filesize
4B

MD5
c1f31502d6d3f4381c2b4e5b4cd3d0fd

SHA1
d5dc36220e73d71b83566b31f5af5c8df2e5d203

SHA256
fd1c93a093dba77d01f9d167f5d37e1297b764c235fa3df3819fd6ecda772155

SHA512
dcf6d63df0e0ab60346d3356c1c175b809c70690e69c4de5104fbebc1b0b6d237c175e5077705b3ea86341ce9d486511ec2e102b157d83e547c6646bf003ed8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgq.exe

Filesize
159KB

MD5
4a96a1e08b1ee7b46525e8d160bc4809

SHA1
854d24a6aa7e4b9cdc99840c24c0ef669bd99420

SHA256
e222a75e726f5eaff4ffe447bbd4cec6256cef3b0e5f55ccfc8cdabdb4d1d9fa

SHA512
a5d161e3496eab2ee6bea4018dae1973e25eaa03b650cf6b942d8103c7f9ebb20ce7884efa6c18afce85fc722076507fd0d5a1e5400dc143f388fe7ec596f3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQkm.exe

Filesize
979KB

MD5
f3005a4dd2bf4dff02d1fff94deb865e

SHA1
dadb42cc086c8d73d4cbf3fd5fd57531180fea73

SHA256
fbcb36cb3a0e1a4308a0a9fcf9bf72c7a2926a42964a31e701c7a586e132a87b

SHA512
c7979c5edbc179222979992e2d0be922993fe85f0c584c451d44e299edc6f032509c1e3028d2995b7b5f616d22588861daa0fc8f7419eaf597fba4be7841143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoQ.exe

Filesize
485KB

MD5
c43c53c8d1e9bb0cbf8815116b76b7a7

SHA1
551d6daf8c5e6a6dd24384005d613242b7888957

SHA256
4acc8535e2cc37bc94954b57a47d5870526be1f5a143faae72504accf620a389

SHA512
43a2708b399cba0dc34a0ca098daf991fb919f45765a4e2b67afb4c5b7df274d303397e7ef5783704b06822231536661b80bc51326a67b8501bcc4240d1e908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgkY.exe

Filesize
158KB

MD5
64ee1613ba37e75a7f649c3bdcb98624

SHA1
f1bab778eb02065b8c14b8ac58a4f5455f79a838

SHA256
5cacbe8054c28aa29442904bd081a48547b9974f41da5450e7bab5796d178c8f

SHA512
ae3a8a8de368410a1e31d99114e3ab53ca7b3f9c0d68722dbb7cde904d8b2d70fa61accbcea52b5ae0613beb84c1065c9628f26dd152b660b6fb0a20d666900f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IiYgUEsc.bat

Filesize
4B

MD5
0a16da3b16244043d5be96def1da4c92

SHA1
931659b58cfb43bc0cbfbc302565c21f749c7f8e

SHA256
723752d679f69f2fbac021ffd08954726d2e264fa289493b9658910ab7986d8b

SHA512
41606c9b66d83e5b33089bf373efde7dd7ab7a046e3de08cdf1ac790ea7465595206bb502bd215cd8c75a548f0307ce44cd45ca9da603154eaeb471250577288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iock.exe

Filesize
137KB

MD5
a3bd5199e7f1382d547c899ccf2e3009

SHA1
2984ca3eb65d2862948e799fd093cc65453ac4c0

SHA256
d356403532ae32fa0a1d755837d6a117ea91a7c84b86094fa7666a37d05311b3

SHA512
b0e05f57ee63649895fec9f1aeacd16d1755f2de5496d4696764fd37ba28827509a7edd570b71f986bc198059c7387ea5fff9828d7675b59ace97f517d079ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEq.exe

Filesize
238KB

MD5
27a8676ec4fe2ee2d54d59128db9b6bb

SHA1
fb7036388a6559e16a2fcfa9ffcd97b12d5ed696

SHA256
2af448835c967f27cf984616282d751ed7fcefbf0214b07ae58b3f889b5c912a

SHA512
4aee3d9ea126bd066ae8abd3e01a765d85756d05f5e9dcb5311b2cf43a04533510d9adb8bfc9d21421a37fd3d47cafedc74f20fdbea9e44110212fa550ed5d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKggAAws.bat

Filesize
4B

MD5
75e855557745ad439395e27618fb1729

SHA1
bd423966738f8d7cf1de6e530ebf433225cb47a5

SHA256
38df69485579be0b07ab63f80c6111de43663e51ebc816517b627a50421f643e

SHA512
57a373893b6f1d7d7abd684940f9ae8f3a3dcaed84e4ca38b5f853cb78532ec05fedfa861ecddb2639c2cfeac9d51e657d0500bd3530b50f82e328d2834b4bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqQMMAQo.bat

Filesize
4B

MD5
b902c46f2d19b225c6163218fbe1026a

SHA1
7032909c5bd158f04216fb938164db20ddd233b5

SHA256
630f2c12230ed9713c5736775f6ec01d9a514d8d5d44f9d7c6aa978c8d7c5114

SHA512
07c0d2291206450ac4a0bc9909efe7e98b60083e86aefd1967ec131ab8407e6b4386886f3c80d981b236ab7423a35c3b9e53e9f805a5db6d9b3be4172be94f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAME.exe

Filesize
158KB

MD5
5b2871c3e2ad95673e10e87e968d0c61

SHA1
ba810a55561797dd377d2a58689c4c8596ba72fb

SHA256
0b37cee2b4f1e6dd314d87b74570a0874836a93500557d1c03f58a2e4ef187b0

SHA512
337bb72cf3a782b4d6542a177e18cae6c4ee7bc77634c3b672c6e7a2e228740f6263f24036bc095d8beb1103c11993a93ced50b8746c90ab0ea1f66bb12357c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwi.exe

Filesize
157KB

MD5
ea948415426e34d63fccd977c2f03cad

SHA1
91ab00af7ac111e2aa5eee79ad10496bcc45943b

SHA256
390d291cdc70c77873aa3f6dd6bbe76c57d0c79f399b182fa6de8b7430b7f2f0

SHA512
53b6228dffa6893f2a4a88615a4b72eafc1dcdbce3dde46ee8fd77a33d8e01f5c485058df2d06c82e010316ed66e3db41d4d88fa109154ac50c9841c15115554

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCoooIUg.bat

Filesize
4B

MD5
bd7425fdc99d2d6ca575b27b6c4115f8

SHA1
68e0a9b837fc382b472ba03d0c03d5f530565f2a

SHA256
6b1279ed00c61a10316a139d741a87879fd216734525f981593ed6ea537e818a

SHA512
680a836e66572ee0c97578e14f6bd60003889af90f4756d901f2515a9cb59da678a10c194f67d4bbec288499c4cec8a76595c0a7860464833230398c867debaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkoQIMM.bat

Filesize
4B

MD5
76add4bf251895fb55218fc819353c23

SHA1
35ce51111dd00dc1749f8b444e9e03232089a754

SHA256
4d6ed0074b7683a51096b93a25bec47332aa88f8aa4b0a79580a648ba6078864

SHA512
1dc504936f3d767d2d2b2b6e17770370ba7ec43f57cb5035d5e1c0f82138ed10c74319f6a79ee3a33c59f8287fde26dd74d2b7ce13f44bd551f476919d7de766

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGYcQIgk.bat

Filesize
4B

MD5
f9f554d9d6b5d9c43d4a4931e4e3c0f9

SHA1
8794d13cca6371d20193f2ad46f72f68f767281b

SHA256
b449931cf9a1e57ab537e8e356ee34d4c3c88d0907ebb111f3119efe42573c44

SHA512
67de4f4dcfd430c97d93953ac48b1b8b3614f3496730fa6ee03dad4a107c4a048a563ad92158fa1a386f736e599b494c060dc71240a5396bff4a85def54b738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIwi.exe

Filesize
158KB

MD5
edac5fe4228e3b3d5b243892c4d0cbf6

SHA1
0e46c54849780073d34db9f5e0aa1f6ad0d16496

SHA256
e09f0df6a4adb36d4d71a361db448b97830a566133548805a23768d66a2d25e6

SHA512
6c93e271e061259a2a9fcdb95f7c6d3c7c390b32e22b941159188349735a10441b04f7253b6967ae336b60d14a8ec43aa4cc9714a0e9d8165d834db7da101c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgy.exe

Filesize
157KB

MD5
fddefeda383043b279c838641c89506b

SHA1
1f639af72d5ba16b66d0f21477d67ce09dbab807

SHA256
89d7b169176730a827e2da9d15b06b4236dc6df9f92d019cf2cb9a99d7cb9312

SHA512
2f1ff4c7c8df237db886c8bb184262c2fe970471307df69da66ad10b7872a39296967ad6ac64f6c5cd19f7416bebbf3d0fa9ee0b1b22b5338999cefc80b2515f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYIEgoAY.bat

Filesize
4B

MD5
579dfa3278019c80746999ce28810a1b

SHA1
4d001b9f49262929e71fbc68b92e29ffcc89f381

SHA256
d97ea983b29082fb56c29ab251c03c90b479d4a50b31d10304238cc8b09027d9

SHA512
1491b4fd5e593cfd23d2015794f6864f87e7a104ff4de7a7ef99db8ff7f982642202bcbc62bc92016c39e3077ecde94843cbb9657f8d94782c066640b47d6247

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeokUIsE.bat

Filesize
4B

MD5
231a8b7692b8a338048fee4246257b0c

SHA1
4f01887fcd97d53d3ffbbf9755ea330dd62446a3

SHA256
1a4c4fbbc5add6941d496c1993d01d592b6313fdd73cd37f9a850f66a7c030b0

SHA512
f805ac87b5fa29e8586b341fc4e06840dc168d3026c6b5b32b5837d09f263b6d59d4dd8dfd9bed4c10186ce9c69abca038b698518b4cc297003afe2719476868

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEkc.exe

Filesize
161KB

MD5
b4e954f8384afeac2d0ad5a4fe2d4fc6

SHA1
71fab296101501bd4c706b9f8568bfa22db6c029

SHA256
02977f1273481d75273add61addceaf78931011913088f50ec0024da3aaba9e7

SHA512
9003cc0cd7268443c5587edeb29fb549c330e33b5a904234d6f4f871d0a8bd2a2e81c176a538d344ba4c82563cf660910818364543d73dee5edc12a806591b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAa.exe

Filesize
154KB

MD5
d673830fa27eb6004994b62234137a33

SHA1
435f171919e1f402c84258cde8ebea0cd8b7fc8b

SHA256
0208c1697cc9e20f1ba7374e538daeaeb7644f75348fec9e66bccdbfffc8f720

SHA512
1fb5d697a896c7f8361e3c4d62dbfec734665385a754e4a0035e6e2f86010673d807217c4cfa0e37011fa243d84425a048d80114ea12cd5dd3b0dafb359dfa59

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMc.exe

Filesize
159KB

MD5
fc5cf2eaf8564cfebe0d0d9a4922744c

SHA1
18750369e857db4e210908c5f714323543a1eae4

SHA256
f6d5c5c7df0020c69f18ee77aac72b1fe556ffdfb39635118647fd61b5e1f0e9

SHA512
53684a3762ed14fe2b0eb565f8235f21e4787bf310f86946c8a3a2be559b9f26db72c236c099ab905ebd65f77431f0480d751b97d5bde088ecebe52b7cfb2f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAsy.exe

Filesize
158KB

MD5
a63770abb52bab29675d4ae1fe6e0f2f

SHA1
28bd6c6673c3ce773b4aea2cf5d561d6a7c8bd7a

SHA256
79f70dfb260c03da2ff1d4d4bfea70aeb6a8cfaf4f3db05ec9e5ae3345053c1f

SHA512
ae20502dd5ad766b52a40a57c52c0d93a9d27e2a46d82db750f9128b9e06b05ab5a5e0fc91517d922ae3c39590a59d7dca83de3688a3500db741a7982613af17

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEsAswYk.bat

Filesize
4B

MD5
61ce2abf98f7f50e00c0ad1c39ec96cb

SHA1
7dd17ec02fc04493a0375ded44354e5382464a9a

SHA256
c96ab92eac050274a2d18639cbb0cb5d91bb4daf4f641a9eaeeec90594564c1b

SHA512
96973b496e1544db56fe3f80a3cfa7fe4273dad7438d861db6bb248eb85eeb7c6cabfa2427c5826fa5cecaf8b1d0feaaf30c8e91de553e8414265a238707a271

Download Submit
C:\Users\Admin\AppData\Local\Temp\PWUwYYoc.bat

Filesize
4B

MD5
d27e1065029bf87c15dc91f627d2a1f6

SHA1
7c5ee49a56317743fd6c299d8a76b5274fcf661d

SHA256
d92d9198720e4af74ee4df87b600f28945e19d6199deb836853d6eb23a666fcb

SHA512
6fb3a59c8240b7f6e42aaf9abfff2123011594708d026191e9e857c921fbdfe0a602b14e1f53ac1dbfc608178fa9fa6e9ac41e20b0de5572e1b8e6fd25e49a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYccAwEo.bat

Filesize
4B

MD5
0630ddf17b74374fde078df3226b4979

SHA1
d1848c3b7aec297182e7a4599494d6562d61db70

SHA256
4e1a08153f6074d6fe4784485daad00f4cc1079d208b5730dd3524cc6822a4d5

SHA512
8770d6f7865859af74b2149228a09cab4af22f5a8067498e16517d7b9f6d1b5d09aeb103f772a3f2710dbb50558e87aceff082fa85f0ff8e19f42847e50b7db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkgUwswk.bat

Filesize
4B

MD5
11f7d013cc66ad0293db3e8368db4ae7

SHA1
8ff8e984cce6dfa1e51968c1142c16e03fa38c42

SHA256
aa1cb620cd9cf3f223f563d4446ad586c13e3e0c9bab3a7b544cfb3649b85b83

SHA512
4f9d59dba8a98ea377c7f8d9ec076f459ebb3219d9624bf69e03a03ea8fb12dfa6d95c07ba85799d53888d5ad37b9b6df5328c2ac21c0aab57ddf8e963602d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIe.exe

Filesize
159KB

MD5
88c08e347b40b4329eb7eb58d84518c9

SHA1
df4d82abde497c05d19dd2d9615540f27e33d3e2

SHA256
ddf52f199bb453468b50075fe0e67d9332b9fd5e54882bbe6e910a53406cc85e

SHA512
fea870cddda7f081a417affc863730d77bc6330f690c82b94342c160f4cb945ebc63cd527e76e6cec160a4baf064c6483b13569404cb1c7406a13a7f10e8d672

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYUwcgg.bat

Filesize
4B

MD5
773df7ad477cbf820e083bfeaf003b4e

SHA1
aa2b77bc4534f322094fa3b6da639076c1952459

SHA256
5c1dc0984c4e7c8819149db328eaa742a485c1bfec2120bf57634840a8c8b40a

SHA512
0b918c771b19990f6a570f8c0ee1ab653b437827b5c6b531c1a7928cce023fc07a6d38b1d1084b19d3310b57bd729fc8674ecf3bce9424e429781bed4e087659

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkIk.exe

Filesize
237KB

MD5
441f1ee6bfe39412c995ae45b2acc3ed

SHA1
42f7b9c1a6345286923d901e335681fe29c812ee

SHA256
3b2c1e1b5d2b492a7752189b5de2ed2b03e4b43397fbdff7041f0b9391211133

SHA512
af3a048ec66bfc9dbd02c97e745e33ea0012a45e8ec1d8ef2f61b98b7b2fe6ac73d0be1a84a4dc8b97d7974baf79c55d910a3903f98aeaa037ff10b0f0deb6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qowc.exe

Filesize
660KB

MD5
1de622803460ec200ea367a1c450be40

SHA1
98cee9ab5d0449c40b1e52a1df4765ca01523098

SHA256
79257711f0935e892969c1e15035bf8d1420403ce7e7c11cfe413dd8f8c7d44f

SHA512
3f1e5a8465fb8c156e7114e2a1f33dd451b29ae6f0c4433f21f5568a0273e66b8a6437382e3d1067c2f8b031ab5bee6efa107c5da709cd1f019eeec7f35d5f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUMm.exe

Filesize
692KB

MD5
b894105aa7f3d0dce9d33a7a2295d03f

SHA1
db7a1535aa789b94a13759a673a272263d3f9b37

SHA256
1a9861e334914311f94f44fee1c31dbaa89d2967e860dd4f26d5fbfd8242c65f

SHA512
dc2243ed7e7617314ff25c02abad040b2d26ad6afcfa240945df57c732a543890725979f1d08968a9f183e951e831075d9b92edf116f94c97644242c36040224

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYYy.exe

Filesize
160KB

MD5
1835b7cd3f0d9007e57788919696075d

SHA1
8d583ff3feac34faaa431d795f4266be0d98ba31

SHA256
bced5c9f9db9d15208a776d18b88a55d31d588623d471b0cb5db273e6f9291f4

SHA512
e0e10dfb55a60c1125f80b668d90f783392a60e2a285cac7ef9c034e3a389a141db5ff6a47f8d479594a95c746b78fce8a39b63ea9129eb3f940223a926d13fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoUq.exe

Filesize
159KB

MD5
cf2527db54235484a09a45f5d3f11b84

SHA1
66ba2641fe39d49d8a8fcf6848dccc700b77d45c

SHA256
21f4bd8932b37ef2c65eaf0a0a7c17e4313fd2e537f971d01957344b51031217

SHA512
e933a91028f02cf4100e1e9afd29e86c01885b897bef28530f59a5027477353ae5003561317a09750db843a493e42627b614c7c93090a5b90732ca6a6afbb52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGIcIAkE.bat

Filesize
4B

MD5
61f602eadbaa8649f787d7e256864308

SHA1
4a7ea3872415b4c6edf78b082b9803b5b65383db

SHA256
14e0f3f77a058c9e5996fd48f43cfd694685fdca635de7300d69d021f7979376

SHA512
23b83900a41ef352bd1ec1199825c574ef665519c03a8ad521e4d5cbad664ae24799f649e369cdd3492e5024e0d021fa1db310e06acc709c66a3642a6af9b9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWIEkgQM.bat

Filesize
4B

MD5
0fd76da29f377ccb1a195abc8a4bfb40

SHA1
1cbbc2599cce513ec55382047129fa429ac58ea5

SHA256
f70603635215d6fca3b4f4fff0a4069f6af13653eae47c8d3247bb9df37a0497

SHA512
70d491b1ce729b7e936178460250f4c3905f82785a319b7f048dcf092480aa46bd790b42cde3e52ef3a5db63d57f9b1c022e0b2994856eb0b46db3e3deffcde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeggkIIo.bat

Filesize
4B

MD5
bf556383ecb92b0f2036fa66d7d47ba2

SHA1
1234aec7b331b51641652e1a5e6b9c98dd6a1bab

SHA256
9aeeffe4fbd4ef82169f43d21cd868f011eb1144dd632ea4ee2ae2109521df2d

SHA512
b7f5a60e7730548b3f81ac5904cd0b4bbdbe5fff6891eada012868cc443db299b060467f095fe28fb3f87c171710936696132b1c9630131172bef5673637dd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEQS.exe

Filesize
158KB

MD5
73ad30c30264947aa71a407af74748ea

SHA1
9dc7763715440126847f5659906670c11dd62d4b

SHA256
ad4645aad74d8e662c90dba8be4bf3afcdef4c6e4f6374f76c0cf6b87ec06c84

SHA512
fb1ab1b1ce37f3b3558f916149a27806892eef29f76ea51c03f847b7498e46530ffa20d35ee0d051345705b09585f29a3d7d9a84d228e805d9222390a13dd60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEsS.exe

Filesize
158KB

MD5
73bb4e1022bd7d2579dc827904cca890

SHA1
0ec7a562f0908041abd401dfb5be3cd1c117f9a5

SHA256
fdb4b00fc6df23ed30f3fcbe7214d6829165d66318df77b9bdd39d093cc886f6

SHA512
163b92e11744dc05abae1a3a7872cbff302653427ba4ebbbdbc1c2f89c61f308cc1a06f00ba9cf04e613c0c13abff1c3effc7253a3e9bf43d5fd716b40562973

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwkYUUw.bat

Filesize
4B

MD5
7affe13846781bcf0d46e85e18905ca0

SHA1
c06c540065187447f3f1bc955373ed02a65854e3

SHA256
c5ef388cdd9d7c254bd6ded0caa2b6f5284b9e2147caa9b590dce0bdba9928f3

SHA512
db976852cbeb9a6fc80adaf1cc4e33c7690e8aa58a4a826aab4646b992a2f4f24a8dc8d999bf76db980a5f3d7b8b1b7d4d8e623b7007254a31cf78da070441dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMcW.exe

Filesize
155KB

MD5
ad07c7d5fa5a814e686f36037ee07bfa

SHA1
2fa0cf75072ef348e016ad0b1aed71c16c0d3e2c

SHA256
319997ccff2fe9290bd9c3d96789f8d95bee71c90565f945c7e3c83c468cbf84

SHA512
bac9fcc4dbe1cb47c01b95879c34ad75e4446941babbbf04ceaaa0402c27ad7a9a8b9cddc2485af5ac40969f3b9000692825b5de7e25ba06d889615aa2d67587

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYEO.exe

Filesize
156KB

MD5
fb8911977a632b233a066d20e5b6c2ab

SHA1
26c8e65033ffd826b591d810e63aa121870e80b1

SHA256
540aac734c8619500dd6413ede53cf56f07a324aa877e8e1a9723a9be98ce2ef

SHA512
2c89535a97d2464257e1c8138583bffed5b1665a87d91b4bd6ff8f429ada63f1875d9cc53cd0df3bbcc3282a17bafb53d667cb54198da2cc9d27a82520e3a18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMQoAUIc.bat

Filesize
4B

MD5
b7f50b399c1305613e531f4d323d070a

SHA1
22e2b489ba14b8653ba04d56048ae075d6b703fb

SHA256
a75706f46ea29b89fad3956bc6af56071ed05650a0214f39e0d176728220ab63

SHA512
a4f62068000dd13aae96ab6a2364a90e669eb4a1910a684d12ea9c999c807f0e056eb3de58094455b474080715e780b10d64ed1e68e2089b0853e139695db2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUQcQQkM.bat

Filesize
4B

MD5
2967cc9ef964f14d60801dd26be4e765

SHA1
3d3bd622c7fbc18f0b65bf564c949ca3d1351cfc

SHA256
37d459752790379f4bf2c4bc5c829443f68bf715271c0c8fe1a46c52562a14f2

SHA512
079e26fb4cc5708363a3f97fbcc1dea86c379d756a158282c067b14348df5bbe88630466710557779c09b56cdf4252e5ed53ff3c31a94a3676c5a3aee52d0184

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGEEwYUI.bat

Filesize
4B

MD5
40ae0b69ecfccea99e972f4a2b36c48d

SHA1
efe56bf1d6aee6514bbb3d169b48da04a6d6213f

SHA256
4efb722234d296f09d42461d09bfcb9406857e3719e7d4c48e1a0c7bab80e9ba

SHA512
569c17dfccbd4ca540998e65eef1f5a1080ed6cb5f6bf556a2f70b6230b43f63f8c7f024ee719c4fb9123a36dc712c571d657c67094e908d02c2a5407135f6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwkS.exe

Filesize
158KB

MD5
e49c17985f3668a19663e8417447c1f7

SHA1
8ce53b7d93fa640cc343b2d2a1cafdfc15f66e4d

SHA256
7016336eae4ed0c52ef768851e849ecc406e2cb6bab2205d732936e58d5b5840

SHA512
a5b47362097a18efc9ee33af9ceea868982181ca892922970ca01166cc0d7097357e2723ef97c11b1abb76c84a4c26eda33be0852238bdb2c986a084918259a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUkgsYEM.bat

Filesize
4B

MD5
76dece0c886f71b406f22679c122ad93

SHA1
8e37cdb76af5c12d75465aa44d6d5b86a9de4044

SHA256
5f0a0447865c41c40fd6295dc8d41d533499c0a9a0c2be68ab04f09031369f4d

SHA512
9001554eac1f9d191b761e6d2d6ec008007e35688171200a001ccb77025b0db0b9888610d40e68856e38b07e7d120ad81151752920f8bcbcabf7a1482b844a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaAcIYAg.bat

Filesize
4B

MD5
d376db6227dc8d6138681ceb8166ea5d

SHA1
5ab18c3d7a3967d2c4ba9d1233a16e3d36796b55

SHA256
92f7f0431873cf44f523b9c194da6b56a0d3bb23468b3b79a414451e0afa726d

SHA512
93d2c63b31ceff60abc45a1efc7aa1fd1ca2ceebca5d533046ac9419734f1ef75568f9ce64c11d666fac29c5759641046fe6858d52639a883af4704ba9ec702a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcs.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOsQkosU.bat

Filesize
4B

MD5
4c6943082d5160df29f29f1d614e9153

SHA1
ce8ba4493183cd600e9598926f57528e4f2a9c9a

SHA256
f4376c0fa04fc9896f2178cf4ff6e115972aca75625597b3a6ad736e5761c85b

SHA512
0108b2be94a74684cac83313176ebe2044e21ead055b9e3094ab50a6643b2ab0236dc2236a8ea5e8bb3a6eec35bf8c74d66411536bddcc8346ef6e979936fc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkgIQkEs.bat

Filesize
4B

MD5
cfc7120e90840d7bbc2924c4cbfa7704

SHA1
3d0c1eaab2d2e9c3c0939ee9bc6a5473d2db895f

SHA256
81e360385dbcb2ccdac0a630ea636985a94ed4cdac125e008256641999fc0c45

SHA512
936c06ef7a233e26a3db203a52e1e2f31f898da620823d66a5527a57130db1b062cc6e7aaf4f70c6a38b71da335f0990195c936686040f7351a10fead9ce6f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsQI.exe

Filesize
86KB

MD5
26e580e7ee310b09317f8a49b5d373c5

SHA1
cd9d6ddc85eb2b6bd202519906193b178dedf4e3

SHA256
82680002a68e9841d2d1fdf5e604aef99349861bcae684e98d5cf2058ad05144

SHA512
6a458d5065f032c4ce132f3dacbd5b5732c46c9148e66682365a0b936a2bcd6f74e6ab189338216cc861044985bd4b65031ea392e200bcc8f5667bf18af605bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwogccQY.bat

Filesize
4B

MD5
78cbe3a0201db29a5929c3914b994505

SHA1
eeffcc580a8f711117879088516edab75ebe5c5d

SHA256
84674b7513d385d27542e73b7fa773c734ec7d781cc3c248e17e429dd23c3a51

SHA512
487e051f9fb42db248d2ee60f42c2bfb69ee994f8162926838f61eb449d35b0864de707e8e9c29ad1ec619043eb3325a6aac740f99d38d87f6899ccc1422ec2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKQkYEcQ.bat

Filesize
4B

MD5
eaf22f8fe3f21684901ccc7bfcbf1a18

SHA1
ebdfec964e12a7b928c95253ffbb23eb0eca3e2e

SHA256
b1c0f048a6e6ad3009e30fdb74c7d59196ed9bcc49bb2928090702a8734a8ab8

SHA512
2d90bf510a1ef32224b2d7c8dbe5bb8a48593dade5d489d0e1a7f239dfda34d1ad0dd35d6c8a350f2a418b2f7a8a4da6aebc7d00b8094a26a882d2723a9a82a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSYEMsQk.bat

Filesize
4B

MD5
cac7ce9ceb127f0a07501b01272c417e

SHA1
6363b173709cc4f46cb13ffc36d54b01cf49a64f

SHA256
ec96e3958382737b0ab44a8e3ed989f2663a5485090b1a612c3203b7c9ea1b0c

SHA512
c695e2ccc672221f4ad7d4089a472f9df63664244a739e629446581dc325ad3236c438d4cde1f06f0054c4aa811576889135c39affc32fd9acb5f2bba0d40225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwIAcMAE.bat

Filesize
4B

MD5
f15c7f241c826722addd5c6ca5bff57f

SHA1
8cbd5145b902465f7626a6c4a2d6f00be3a98024

SHA256
e7fbab11a187abc4344c955ac79d05d14f5c45063f1bb2de09e268f35232197e

SHA512
e990c1e295317bed01fc833d17d86f9a04bab6e64493485412099772c8c07ef4b2cc0d9530cfa58b376599a4c30faa47c1276abf434e09d3ed97a92159d2c497

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEwc.exe

Filesize
869KB

MD5
849179e38c4023c57d39597238515bdb

SHA1
9944b35a42b7ab144e40ec7c3115723f63d99da8

SHA256
985c222ed1084e0989c62ff464295b7691a0d3fbb3f93e3bebe1a689bc78c14c

SHA512
9a35632e2cb5e1b3cb4b8340ba36f8deeec5178407d689d06b19c65bc40611c30d596f6336ad224cc766bca14629d630548377d54a0e917fbf53d39cdf483337

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUgw.exe

Filesize
160KB

MD5
9b5c25e68a42d61e20281adef51c02cb

SHA1
6ec142cba78c886b85ecbdf870ed580a55e12e91

SHA256
04f2b76e47de4fbb151506034e148c5114e00370c7f236410b459f951800a129

SHA512
af149a1a9f4265790fbda052741850d6f8d2e880d9fded1f3fe61eb1162080c190888e3b2d690934e2e6b941cbdaf6fc667841db6dd536f03ca258c1ce6087f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIA.exe

Filesize
157KB

MD5
47866e3de34c6a29539ae80fb2a52688

SHA1
11d9eca80c7855faf286d4566a6f6fd23eba6c14

SHA256
0779cde4f43577023456c27cab8c7a0cbf59c8b48f8c253c645c94e060390025

SHA512
25d705ed715523beea63b23a92e5ce41f91c9ac3ce0f3e0b566c0db8fd21f29f8b1ed00d7f5f499d5daa38064212dfd19256e4bdaee3c98a620a399b961dd82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmUUoYEk.bat

Filesize
4B

MD5
525b76f2d144d302ba4d3c0c36d38766

SHA1
a7675556ffa7fe8fc07f0d613fe70768354a1f8c

SHA256
69bfc384fcad3a396e9990459ea749f794d636fd72893b28c280306c9573377f

SHA512
117f7c08186f8b2eef0df5fa67b8fe0bc9ba6dcb9813a1053729c665a68453c55f04a53ec9b1949ca413d377312386b3f441074430864cd4d86526a613a3450d

Download Submit
C:\Users\Admin\AppData\Local\Temp\byIQoAwE.bat

Filesize
4B

MD5
5532c0b48094b98f508bd94f7891aeed

SHA1
bfd4e694569307ddead7ca85a28911a9c864da86

SHA256
1da58398c3d5f7fce7f2300d211e0955542aa3cfd6a8b2f55df27bd8a2c43daa

SHA512
36dd8e5368c2cb74e2f2c7a5c6b814c61d2348fc02b20abeb65b7370648dd970d88bd1303cca8fa45b9115103bcdae589ae48bfd96196a872fc193e5f5479621

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGoowMYo.bat

Filesize
4B

MD5
06c2147441bd384c47cfb8556558e6f8

SHA1
e94d9f9b925037f452cb23cfaab3b2c368fea6fd

SHA256
6f5e7ce3ed6548ebedc099a9be2fba408359322874cd3ad3e24dc4353620d61b

SHA512
886e56a059f68fe13a7f52eb144206434362f03708619ec175c289dc3d0fd7d063f13c4d54df3d0afdab0b96b27973c610a974fecd56bbef50da4f21b0933ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgy.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMok.exe

Filesize
125KB

MD5
9c4fc1dd741991f4aac87427aca0e46d

SHA1
5c0ebed30b12fe638708ea5415c199833bad9603

SHA256
44a9c74387584cdfdfabc3c4621f6ce4a0582716d9d98f2bc985ed21830ca315

SHA512
95e76d9f02e1cfacee7c8ae0bf9780271669f5d582fe563160f21026d29e0d499b122d1e26ab5f0364098cab7ff5426f6fb6f4cb482b5aecabab6e2af8e33fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMm.exe

Filesize
158KB

MD5
dd18501447e23d8ee489b9f602a73f34

SHA1
a95fb54c275475ac03ffd45de7073c134fd1a46c

SHA256
3a180dae77c49b77fa86626da4c452f98584474dcb063431f76c320057d3e4a4

SHA512
7bc8bb8d5383a0542d49eb7dab692315cb94bc20e2d24936475a67832ae8a6f3444720b7a6659185f68b8b75924b434aa59708c74daa4c8e18b36ad7eae9ef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgcC.exe

Filesize
71KB

MD5
3928938dbbec56798a94612c6d4e18b6

SHA1
5779a672068f00eb552785a0e6f392cdd702236a

SHA256
af6bd47163e3062f1e619e73aa0f1bb51df2af20ce7d926ea1ffd7e202f9c115

SHA512
631985079394f973b5021be5cd39bc629e73e6349d71f0582f0a5a14a9ed91db41d40fb69333b2a1325ed4c3c28fde0ebe4e60c19c78c1e31b6fb09f43f9878e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecES.exe

Filesize
158KB

MD5
5d4073bec9c7de31e1e28f68877c513b

SHA1
a84a6ae2964523465660ceea698eb984a02cf6af

SHA256
8af704487b9b15f87341741d2f6d9de04c991cbae95e63a3651f09adc27a2aa6

SHA512
543b17ba6730741f8c51fbcf1f14b4730d510ebbe016d2d9eb262bb8ac318d94ed794ea0a5e1bb7de046924f95ac8faecc9429310faad47a57cd4189ab65444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAQwgAI.bat

Filesize
4B

MD5
7c3d252719bca6c8c9233364dada8233

SHA1
d718d9b5c75ac6a52936a48bacd099700c53108b

SHA256
37b4beb61489a86d37e3642e56e0da2a9321662193f1c2dcec35f637574d8449

SHA512
ffd29ad707b4661e811eaf8bf76d9d5601376bebadcb6f4683c055907f1b88e6a5cf8fb1c8e434108150816aa1c84bab3b0c270538023919621dd409105d1765

Download Submit
C:\Users\Admin\AppData\Local\Temp\feIQsscc.bat

Filesize
4B

MD5
d044647c90d8542d2cb3cf2f934034a3

SHA1
ba4a224d76e56b9f46832353d618f3e446b47561

SHA256
d312fa59fe8620b87d685daa149b94db165b256d34cbbe88a12e8f00040c47fd

SHA512
ff6cb83132c7c5ba1372cdb474f69bff239cc52a96e3b4257a8b837ed2231a9386d5d6cfc3526c04eb0d3636b02c720dbb7a48af47dec1b4dcf861541f396138

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAom.exe

Filesize
157KB

MD5
f0409469c0484cd3d49f1b4246ae9c79

SHA1
15ce0b6618675a1fe01e3688ea5ede79670f42a5

SHA256
c966da4eca47aa3932e458c646aa04bcce5f7cd96e95f4d71674b28304d80e03

SHA512
b3eedacc3241a2e3514b09fcb4da1acf038de814d508f90c222dacf5de6492c6eea3f647a83f320d32240b610157f82b882b497bebb0878a6a83b6eabe7c6c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggcI.exe

Filesize
158KB

MD5
1b38f328d5aded179d558f8142fd8ffa

SHA1
e3d070c6450b4001a6f938436f6efa3be20e9e5d

SHA256
0d08c36b7cfc917f8386a40ace2a04d83d350afa763bc80ee250bf6a90950fd0

SHA512
04358ff56eb325739cd189b2be187037c20f43def9bc536ec0d2aab668bc39194e4eb8add07c721b33bd5608dd4f4326981558c5c9b57950b13364e349546dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMIS.exe

Filesize
158KB

MD5
a1c17ac3a40ed0f0ac136229fc1261b2

SHA1
488abd52b807a9d56947481f960fab039af0a8ba

SHA256
e47b799d377fb4a7c2bd8f969b0ae87063484db8ce70fc4c8666eb34f17022c2

SHA512
b8594779f4c08db89a7cabcb699ca7e5ee2ede387ddf5dfc94c357e2b48e9b2647256d6d946a374423b5146a2e15068c5d42c33a8dfcf48080acfe38af36834b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYwskIQw.bat

Filesize
4B

MD5
adafc246ed1b9eb7690de6527378928d

SHA1
6df5291260bf60771fcb39bf16898f29e10a2dcd

SHA256
2c3a9013649776d110d6ccdee2ef250934516fc57a99130d31566502c8190570

SHA512
b298f5a84322efaf966fafa2a2c5b56a0828b1da656cb56694aa2ccd1df9af11d83edeb6692f4330652fbed3a87b70cddf6dc4aa0fd3f040f11d74900ccd24e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYwIcAIY.bat

Filesize
4B

MD5
4b7da20e47401cbbf15605f3d1045452

SHA1
94d2d5e513fff3a588ebedfe077e4c897acf035e

SHA256
1eac6c9b46eaab26a8ea433e75b83d85f0eca4927ebcb2f03811baf175c332e4

SHA512
b70eef54f6115c21012e777b817964ffa6bd3657c64ac2e19bf60f36b885f8e7a33296693b5011f480f425930ef0d993c4bd00cd647eb7a30285052f7b9ec954

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwMgkMIE.bat

Filesize
4B

MD5
117a480b0f3cc1361bcfc228115b228c

SHA1
3baf33617e6f649fe12c06b3c8b5997e11634c6d

SHA256
455973537a2437209f9d6a829dfef50a90ae025d32e311196ae9382676324d29

SHA512
ae869aebb953d748ed0b0aeaaad2fb00ce7e3a3faaa25c35471462633cf0cf3f34c0f0d05c369b086205cd2752fb08d5d4b00ca178f040cb5dbdf7cc582aa289

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUk.exe

Filesize
32KB

MD5
10e66d17443dc85d424157a4c180593c

SHA1
2df4de8f500e21961c5f231b0e129051f2e46de8

SHA256
1324ea4e22ba9069e6f402834a9c0162ecb04327b2d503cf50904a6506a7bc8d

SHA512
40c9e88a1c5b9369eb93f0ec9001211b1654d1f8a1b7a19c957c98909cd72ac13584db9d563db31646055d9e1ff9c5031ee058382995500a9ccee55dc7211db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIco.exe

Filesize
155KB

MD5
d4b92c8b558157cd7b3afe9764f2b214

SHA1
5bcaded36a2713cb217c33657edb589a60ff9cc6

SHA256
c7144618e070a52a99fd3d586e3371107884aacc0363abca914e0eaef8acad99

SHA512
46bafc8b120e0e3f92c0cf4072d49664ca65dd2473cf20afaa9f9fbeb9c5ade0605999756663d8043de3bce701863cd044e3dd2b706a1cfde2919373407dc206

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSwccYws.bat

Filesize
4B

MD5
8aa2ca7932df8958d0e38d7688be8ab0

SHA1
bd0453f21438487a0c0ff66e551fc887b80f73c1

SHA256
d57c509ed39a5a3e0158fdb22485e0a07e9584238fed2a8b0b9aa100baee7e8d

SHA512
8b1f4a4f68ee0545a6a36ef6c5370b1eebff34f82b8cbe4dd367604557bc386d4e556996863bbd3326637a44e3d787bf5b11c209e97efc24191342677036c857

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqQogooc.bat

Filesize
4B

MD5
f94d8ba5357927eff56808c0c9a07337

SHA1
2b71000953b6485ad8a2eacd8e4dcc1cb8f8398e

SHA256
559bc014e5b75190d3a621c82298dbd567bf78949d6233cad73bc7d14a51ac6f

SHA512
9783c3fe6e182203f1a888a08632c8cac29ad2e08954bc580b473c338f4c7d232e3dfbbcd5ac913d160ae67dbd2870d83b2b3fa84789f13847636c7b5c3303de

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEUw.exe

Filesize
45KB

MD5
5bf62dee8751e6499dcd7f51287df714

SHA1
edeff8473232a0613a384934fa447b75e0f93266

SHA256
eb6102afbf64e66d85811374cc622c6874b1cf1a0bb0981b0b1fb1b4c373dc5e

SHA512
c22d15528f6117cd1db597fde54729ad1db9ef3467838d4c8da4b5e222e4955a9a5ed7b9d4c97c59f03851862c0d9bf06a6bb2e6bfec171b4bc7c3183638bfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIke.exe

Filesize
157KB

MD5
b852bdf4288b6ae7e2138713f2009164

SHA1
e3baaaf5d350f92b7648ee37aad877962df6ff3e

SHA256
bc5fd18acb8c385d051a4b8fa9563f993edbf437ebd2e311343de1449f41b46c

SHA512
ce49ce29458b1498157b6e228e9c6e4725a248e9096e1caf78beeced87d4fd7554c875cad90495de59e53ab3d112cb56ec2812e19bdb1c4814305679a6c53bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\moAO.exe

Filesize
157KB

MD5
8511cf2e2fe642acd8f25253c614f03c

SHA1
c2987f9d11ee19eb5d85ae76e7ac4d84427faf2d

SHA256
c7efb9d6efe4a4831082c5630d50cf7e2ba2de97b2ec2e0168dffc85e61db137

SHA512
0480acc7ea8e1476217ccca7acae094adf5882fb89206532d89d1df0252aeae2a4bca43e721fb2de34fc4ee92fd84a6bf349c25a3f19f3a279f9ac2f8de2e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowM.exe

Filesize
158KB

MD5
db9179888b93e40f98836ad9a4223e65

SHA1
7d21cff73184cc2ad7c78d6dde137d5fc712eb27

SHA256
f580e2d7f92479ad31352eca7557d8dfbaa234ac1ebc0fc59543690f5aded56f

SHA512
5da9a2fc5bb93524def79bbe6cb83dd5cc900dfcbd4eb0b0374785b477c42a6b5cd0356e043b9987a9d49dc6b6ab339156cbb3fcc71b18aa075a6ef7848fedc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\myQoYQEc.bat

Filesize
4B

MD5
726451842bcd9ffe7fb653e1e893ba9e

SHA1
bb3a6fba710a2921b231f639455e7dab8839537a

SHA256
206d2ebfb33545c8a14fd2f6c59f0e29ff71c86bef26fcaa70f6c8d73831861b

SHA512
9c5067dcd0c741c8f2cfc58d7f9f0166ace10cca566bd35b5ea5f814e4987430562fc72f4ab59ba650676bad9d502a56c89c09a0ab4b081a32b0a8dc59fee1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nccAIwAg.bat

Filesize
4B

MD5
7c2407b1a847e877977504692d595f51

SHA1
090e8753c0807a2b9e95ab14823e6da566d51063

SHA256
ab8e719305f1fefd9c4b6401724bb9272742411e082761245095d2276d2c9580

SHA512
627c2840301a565ec4c4be8f4ed5a8d0044fbdf706c6a5f6b24af908306c4823e87e170e093ed4cec6173b2efe5ecc775f21891d538dfafe1a5d80faf8acac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMkwAYsI.bat

Filesize
4B

MD5
1f663b952e1674b0c9d3b366271aa5dc

SHA1
f09cb2650769b6b38f8cd399e1007f5ddb82e99f

SHA256
b1fdc278a2663102acb66518a5ca5838de863fc106a049b7d6f7542c78555e6c

SHA512
a2e49b3b4f38d5c4d963d6f9ffe92446f8c0a484a245e4e7b4a00fb05bcb0949e5d1712d9b9275bb4ff48faf9878e688c238b8e7b3006250ccd1c4c45304a9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEe.exe

Filesize
158KB

MD5
9fddbb03f5f68bf82f45d8f0c152e982

SHA1
883bf4fddd4a276cc4dfb531dc9caa9bf7bb218e

SHA256
0e87f17ca79039cf9c2f712b3bd872cb2f705632fdb1adf562900c194fd12729

SHA512
c8bbcb4a019f263165a5dab9ff8b56f349e3aebaaf4b868c0a0925999646aba723e06af3ef941bdbb49882ebafd904f2b42413df27ab1be8678e144b61dbe962

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmAQAYUs.bat

Filesize
4B

MD5
1476669054be8154dd0830c1fdca8f57

SHA1
5466e813238555df3a98a46f7701b415b5bacdfe

SHA256
13638494ebfd503c3e7a5c03d64a36224aaae8b943d7f8dfd92dac82196669ae

SHA512
4f197f994632d66a22e9b85065b79b7ab7524416cf9f8f516c2d380e114e5b774f941ad90c12ac6a45491772b823f9243bb677424b279127fa026eb3817f2cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIYG.exe

Filesize
140KB

MD5
c1fe997dcd765455589f6fc2f233b08d

SHA1
0fd81ba17e7771731e1cb95249eb9bb397af084c

SHA256
88d08704996c5a0438e8c7f9aa2c40a811b10642e9af00cd32d8e04ae5565040

SHA512
31dae2b7e2e9293aa8dc61e8bd30b353b31a895aed0d7a5352f51304ecec66221b584e42b9f69fd86943f3ba9a0f8cd12120cdd2a21079f4781c1e36ba47298b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMUI.exe

Filesize
157KB

MD5
35bc62c8c683914121a481de3067236e

SHA1
1a2c57e5b6c7edea7818fff2563afec0be98a9ac

SHA256
9e3db7e381a84348ce88e97ab7e7f136e129170df30f8a511184fe134a53f270

SHA512
f6ad2173b33ec534c2c3c85a7fcd0275415dd2571f3a2809d838eacedf54c4f60b65635c0faeaa93e5b52636a5fdfc3f46c385325f8e91fd91033034e937375e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgg.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQokssII.bat

Filesize
4B

MD5
13318adb9c42d4465fb7cbf6b980481d

SHA1
9587a9c0b286752c90ef392707855a538ed32e1f

SHA256
e9bc43e365e5c5eed594c303f78d7b43a1c81a58d3c00048b40f87972107024c

SHA512
12cc23f86cdb707c4f2a33775305411dcb7dda717ef531ad52a3f6c72f0cf4b822fbaf935f115aa271c9e79c9135c48c8902a3684ea78c5e1edf02a88caeeae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsEm.exe

Filesize
159KB

MD5
d0553a3654daa16a15ba5d92f539fa67

SHA1
130f07992f509501d1928cc78fcdafd5ebd93ad9

SHA256
b3c73f1e84c379751aa261f62f6bed3554915524491755b49e53c933bf9735b9

SHA512
a3e619bf0ca65faa09c497fa4051bdaef60816efcac5739d48c8914ea3a4cf812bd61469a7453b9a01c89b431d212395a2bd23b9a8ef7b7942a53f0d16639eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkUscQs.bat

Filesize
4B

MD5
b6a4e10d10257e3658b0876dd1dba3b2

SHA1
f127c99e16b01aea7757f9fbf5c1ce769718c80f

SHA256
0463989c74b043471f2578c68d5a94da431901718200ffd543665c9e6c1ca106

SHA512
6a138140111589acccaac256a8f358f899d83f60ad9dd1ea42c3aa26548919170abde21d2daea7e8b3d978016ea1972f59c59249a8aa2b458f024b12a98557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMMS.exe

Filesize
158KB

MD5
e6e9fa859d280dbbfdace4123a0edf95

SHA1
fae728ef005b71c554bd9831fbde3c64cd7a0d78

SHA256
7aa5e625ba6cdb433f4365ad5c566aebb43ccf3a1da9bc30950b510361689212

SHA512
1ab0bd5f68ef14c47928f4b2d6f09c087c0e2bd8015e416a8cbd017b6a0140e4fbde2c734c3d0e5f014b873a0f742b55b71b38f1204f88d9c3a2c2b3bbd3049e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMYA.exe

Filesize
160KB

MD5
828ed0a62517503d2d6a3ed392c2b972

SHA1
a839a61d2cda70810778e02cfaf92de844eaeee8

SHA256
06da2079d814975f3f1d989b626e2881914888b11e742b3a4c1c9170200e4a52

SHA512
e6400be99f0b59ce2281a5067901ba53a8ad42f80c160db18a458485cc87751487652aba9f3f99db83f04271ab52ce119e9bc0955bf32720129c313f3c6c64cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQka.exe

Filesize
157KB

MD5
566f88a47f81b7c460ef4c5e186c3193

SHA1
b7ab86b194ca1f023c8c89923df3f340189c9ae2

SHA256
2ff61ca136dfaf72dc0cb3353559ea2207b592a763d215ed640245460e958638

SHA512
43cd40dd18b0a1d7e3ccc409fcc855898e59738dae6cabcdc87c47029620f5f31fc279d80bb78cd8994f633d800118f4267969063595511c15d31b9a36212692

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWUocYcE.bat

Filesize
4B

MD5
342a9de14aadfb6cd551a03634b10d53

SHA1
02912efccc79e949934898d77d1517ba8256bc6d

SHA256
1c0e38e147c5dfe5e28c8c72279412673aac3274fd5d4a49bcc43bc1f1cde5ee

SHA512
6ff0a41df4eb60e0cd9ea49b3e82f072df2945f77cc4be816ce782597dcced1ce33b6b2043c1c5871951f1a7bab03a5fde2ed5df264663d8080c933ba12e7c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYAUEYkI.bat

Filesize
4B

MD5
8eef1059e7624a25d776bfce1a0c6c9f

SHA1
22d5b0bbbe4f91c7d50c903c5b30e3a1c89fce59

SHA256
091227c3fe5932d297f605096eacc87d05b3c53c54673b0b0484b112a3e89653

SHA512
e89841d0f53b9533d286ae9a85f59058c6c88551c0f7a9647608827f2d2d2ded5d5c698fb58167c83531ffc935aa63b3307956d7387dfd9d5c489114189c3924

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYEO.exe

Filesize
1.3MB

MD5
af69eed622df651364d9bfdc6316b73b

SHA1
9633235f79533a8bc277bb8bc2b0dbf47de495d4

SHA256
6d306a495951860249b847202cc30788c450947f613dcd7bba69a855e164e017

SHA512
2e94e54117efe4b754a6884a77ad5893f23f1541711c8fd80d3c9577ee1328f841a7d7bba87cd4d95530d66306af2512807a384552b57f317ab6fbbdca325897

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYIm.exe

Filesize
161KB

MD5
b7bec498a7650763c21e247e80f988a9

SHA1
b2cb74c131cd5a0490d96c7c159215be1f9abd56

SHA256
01d2ec7c500e5c9e86a7c7d6b492da2ba09600be2bafeaa89c0dd93fe5adb907

SHA512
35c3bb96bb5f29180424ebe2691ba59786d9278f740c6679ec1cdfeb14b6a91a4a969ef47ee166c0cfee7b16976a8d7a1b431cd35c69e81c1345f07d310a7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucIM.exe

Filesize
157KB

MD5
9cb1597f3906780701a2299d3a79e64c

SHA1
9eec882ce7a4adef667bdefb6bd4e076c1f7c884

SHA256
91099405a69ac88cfd4600d4f220c26c6f14464355e471a974b14f46f2e277bb

SHA512
1d1451b65629b8f8edbf084280a52bd84bd6bff92c683ac09d9e0250ca8a5efdb3dd1f7d16a64c6d94d56277c32fd8ab46c8a74749b690760ceceec666762d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukwA.exe

Filesize
135KB

MD5
3997b1c73d3f64dc45dc7d576e39b85a

SHA1
b880764479a21a2f82a8e7e483c64c128339d32f

SHA256
083c42d1ccf24daeede9e3d596d33f49482c673208187073f81e1a6228efd24d

SHA512
02fcf6c1e41f1eb9cd322c77b81cae97844f2daaa0eeac182ae6fad42c0746216b614610b12767acaba5de03bd1a1503f0d0b77663fff69b6dc305040abc9862

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwgk.exe

Filesize
1.2MB

MD5
ed84ca932aa93588d1858bca8f8b0a5c

SHA1
7b07eea9826a2e462b72193b0874f1e71abb7ef2

SHA256
fd0cd7d121a18f8de64950afb53b67c51b079b64228b9455c292f01ad6fde017

SHA512
68197ae117a84ee2bce6ddc4224449a4d26d3441b1b3d4034f4d9091652be8c717f00aaf040f084618af5b5f9af42335e84c3b570c56017b08aa57ebd1043ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqUwAkoA.bat

Filesize
4B

MD5
0b8214cb27fcf7500fa0571677598ddb

SHA1
7442ed6518db2dc8976ea097cb7a0402da3635b2

SHA256
d7461095f1d9d4bd9a26e7f7520fef01c673980f428e9ae3efd426346adf6e46

SHA512
287b714b3894f45050d439c963788761615920e47a5cde7b3411b1b8d7a6f778c8db48c1c1be19ec91e5538a3af70aa3754c71d3c4ca9b42bf9cdfc3125d1217

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQsM.exe

Filesize
160KB

MD5
38d0547244315225a52ccf4402e7a0aa

SHA1
68552e6dba805fa6753011072d806764b0f4573f

SHA256
b983b17d9c09a446034c4fed0f41fdd17830d7c87bb7a3a1236a129d83810e8f

SHA512
beb8fa9f5f98dd39d9f564ad25a1c5aecd6fef6311222b7f2c116698caf6e84d8d17dc1a76f9af19035afa08fd2b91233a82f8c344eeb6f931695eb808fd4a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQm.exe

Filesize
158KB

MD5
f5e9ff8a29bfe865cf52e7feea9748fd

SHA1
ce6640f7aeb8d0df4d33892a2f85523919dfd2ab

SHA256
0a03c270597558308414dbf82e6c6bf93a1b6c58ffb075f06fd234696fc760df

SHA512
32851b302549b6f0ddd751484efed5ab4a6f013fd461414e43138e5ed148450c1103c16120af1b766da2624051d00f014564893ca726e7ce431a7bedf6d25404

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkk.exe

Filesize
172KB

MD5
c27061d776ff9ffd27bbd41e0329fec6

SHA1
2a41e9ec296009dad49953a1856418d0cd5f1652

SHA256
d335643e87e8842f36fc236d10db30da7ef374e20aab683db3fd302e6518535c

SHA512
752eb051f6789c24f06e42ffaf4b1ab2869ba5e44d43b6fe3b9f41729fac8c8a7d35ea327e686ca068c2cdfcd4751a9f9e4cd3153a4017f00cc6e684bb2c1e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYII.exe

Filesize
98KB

MD5
4a1b09c92175fb38ce3cc9ad38ec1483

SHA1
71b67930c4f2b9cab63e2bfeea702529a9b7c49b

SHA256
8486ba79c49c9441fdbcba49600e723dc5973e7600cb95a9be743411aef8c2f9

SHA512
a20a1d496d9c9815c4a3278fb71b03fa96cfe87912d088b84b2cb27014adbff33a9e2863526ea550721cdea7b14e3fb8c85d2224a97e009b8447664a6e7a2549

Download Submit
C:\Users\Admin\AppData\Local\Temp\wowQ.exe

Filesize
772KB

MD5
f64d40afac5df95e255701cfe1f59b70

SHA1
0c65e043e8a7db504e5ac4c5f2fe247661f42b4e

SHA256
0e72b268748f7bcc6ab1698791a9a12cddd3179fda52316c7480fa4a79fcf097

SHA512
f7dc00d119b86ad14720f49cbb79bbc910398d8072464043830c1c0e8ddc41513d1e986d226b97b10a91bff2242fefa6c0ef75ab8a6eebe598544a106db4bb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwkUkkYU.bat

Filesize
4B

MD5
693dcac24c0a8f8612ec8e7701e0364c

SHA1
b89e26ea80c87315dd1173407a9608b0e0db5331

SHA256
47f924c6112f3c4ae4e93317efd7a6f5e2f03a46704cca69bd5ee6dac1124046

SHA512
e12e32407af8239ea2a4836589b6d2831be4737cf7a96c8bab1ac73974211d349da565090496901113c09e12724c4385587f6a842479f07491fc52202e52cb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\xugogEMs.bat

Filesize
4B

MD5
621897413cead77333acc08432d42a1b

SHA1
4b72ff3a045695249f536730a5c18520988c254f

SHA256
2b49aa477f56dc7ca64589bd82662d635696133266097a415f8b55720ac35efb

SHA512
9c20da7dd0930ccf2a9b58a7576ef650286048b87e8961140c8de0a9e70e1beab4f8608c33604d5e5e1d9ee62823fd215a385e1ded9bfb402929625d00d10396

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoc.exe

Filesize
744KB

MD5
629e8eba6b92d9bb390de54e921d5894

SHA1
ff8312e768ab5d2ca073f79115c2eea9356298f5

SHA256
cb6c7607e618e9e4b43f3b29c66efa55ce8ab931e078cc302774e247d0402d95

SHA512
e2040994c70d2b1c1ab4de87dd60f7c191ef38f5bb031f0cf207e8e03dcddf555fc29f86eeec1982dfdf8195e0badbca3109a5efdc5055eaaf06da93293be920

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIoI.exe

Filesize
157KB

MD5
98308dbefe8c661f4d71080b919090a3

SHA1
717769ea31a47f5bcda76e7caa0ece896fc1dfc3

SHA256
6e5e299f460e41ff50ab9a8e81574d9ada241d8ecd93980dfab78e17b284edaf

SHA512
62ab7003ed3f6612df89e654788e92a56243fd76c1483abe5347be857fea869f4637421597b8b659259de8ac8c673589198c37fefafd2646fd39d4d668d764e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMW.exe

Filesize
156KB

MD5
8b17a2a488579b40dafce87509dcceb4

SHA1
550d5c4dde297b2260f70657d90763982bae69a4

SHA256
aebb0d198de3b442a4a17f6cd74dea3932db9e5c876bc61327fdf63c09004707

SHA512
d5274d6e7c57b6ff603d4cdcfc555be2a55cf4905ab2cd6c38b2ffe6de529354870f7da10f6ec01978e0efb7fad76762564579dcf65adeaaa00ace825ce355d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeYQMgsE.bat

Filesize
4B

MD5
57840b80a0cb6c83066dd955ef20866e

SHA1
11d9921c804a88ba908f726ef38da6f4a8a82149

SHA256
15249f0935fa91e3937f4e1fb908e29ae8f60383eeec185a7404e7713e027657

SHA512
dc72121cf9e67df5f76605b2b46223308967550d1230eb805072c32ffc32ac120d0d6fad235cb4cdd4d6fc58163601b19de26ec3e5e92473fd374ddbe7fa522a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwQgEkwA.bat

Filesize
4B

MD5
1926c573953b64be33a887379ab6a072

SHA1
59b861664b1ea073eb2867d1195be1797ee352af

SHA256
646ca8d5e8de206017ba548ff5c68663a3f31565dce77013f16b896f95395851

SHA512
095beb1718a4949195f4e3035a2a3d4b36eb53a6385035e74db4b3e93d4ed15b87c0f3dff8a2c73674215b2a8d2aab3dfefa3c3e0a43ea00ab691adbaf4ecc63

Download Submit
C:\Users\Admin\AppData\Roaming\ReceiveBlock.zip.exe

Filesize
569KB

MD5
9e4fe6886cb65a17e777b5c54c36a437

SHA1
3846bc89b51e785f75f9420a24ea4d3f5374f351

SHA256
42567374371e656524885f97022e4de30e3bb11ae3dae1b46875f91695e288fb

SHA512
1277085cae9cc22e770f6e72f3617cf5cedfbad6dd82f92155d2cd8b11eac35e30ed8616606eeb3cd6924c950ced41e4c3578469ab2a32e88c604087c4810e12

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
1.3MB

MD5
43ba0db4874512f5a150eaac392e3e0c

SHA1
51a212ed7ef85e4e4b5ceb230c508b0d044bbbb5

SHA256
bc39d9f3cf40c5c8de9ac171760bfa19117879661ba6b115027c1d9eafac4a9d

SHA512
34c630bc56f6a1b3c08d5ff2bf8647294fd1dcfab3c0f707211c98fd0b6e341daab234fef5e340cf420f53f587f8b594ee8fe8739d778b4220f93fdb94b0f2f0

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

Filesize
968KB

MD5
65416d1e76156b2747725decf253ff52

SHA1
41bc131663c3711f0064423fc451b7342d9e1322

SHA256
f0630a3dc492f4d0a3093d1b1d6c4bd72677b0545fdcb892b08403254550fb69

SHA512
4f32c04e8f53daf1ad98b0c8aed852b2d71456f7185789ea44841b0363388d27571d76cca1313648eb85b91df43f600c290da5c63dd929e224b600dcaa8576c9

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

Filesize
936KB

MD5
f3511f77e5175caeb30a2a99f1a2a825

SHA1
9c587c6107613abc6d1e362573849dcb76c4663c

SHA256
75fe5967de2f0699731292f974523997ff070fb31408b4fe70212f01218158a5

SHA512
a26046cf5da11a09c3a8fd00bb511b3479b7a8ee231355451022c3468c9bc6df4f461215df7ace5a16b9dd46540c70da4283a9233f84a0f5b691b5ace4c0e5ea

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
867KB

MD5
e7e27b33f3f93792416368489b0c1865

SHA1
a3364414fbe5d3efb4ad2f9576e5a3999372b8ef

SHA256
289a70b1092e0eb7fd0e049784064764e969f11bb70a860db207b2a275253537

SHA512
6689a3baeb0d9bc8bd28a3cd7a2340f7cc4ff25017a18e3d9975d858f9592ef9cdb05323e433312037f7e3ec8019d1ac86d4eafd529c3ca0d81e3b010ffd238a

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

Filesize
716KB

MD5
d8f14ff7e70cfe24131edd45c92dce17

SHA1
0ace47fdcea6ada65cefe97bac1a9f4a6e542a7d

SHA256
ee6dcc4d555e665dc0fe1a76166c4924d08960dfa38801945a4e2feefe88b1e4

SHA512
68de6a7c4a73e8df1e6fa3cc7ecf5a6b402e72af5ac37e86f18978f4d4d6655c750148a82313f100288b9fcce1b6f58e6fa7cd36309d3b6362c0c62037ffadfe

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\EsgAwwgI\KiIQYYQE.exe

Filesize
109KB

MD5
cad2e7acbb14149e2018832f66133b96

SHA1
c7b424506772f5a49ae0feca1415e9241f8ccd9a

SHA256
eb0ff564dc0f1e77743e5c8ba07757cd386a876b8680e9e52024a7d2e7c84290

SHA512
3e27007257cab7ec1d7b8bd1e2825c9de8d9079643fe48eb36abf0535c0d8d2a54403ec7bac68d7e351194c7c05e76bb19a5f1d5cb78be580a12fafd565dde52

Download Submit
memory/376-150-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/376-151-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/468-244-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/468-245-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/536-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/536-104-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/604-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/604-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/796-388-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/836-126-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/836-127-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1068-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1068-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-268-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/1148-269-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/1348-341-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1348-340-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1520-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1520-327-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-364-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/1704-365-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/1764-81-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1764-113-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1976-198-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1976-199-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2088-342-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2088-375-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2132-103-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/2204-318-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2204-351-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2368-128-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2368-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2372-152-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2372-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2588-33-0x00000000000F0000-0x000000000011B000-memory.dmp

Filesize
172KB

Download
memory/2624-389-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2628-175-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/2628-174-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/2664-316-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/2664-317-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/2708-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2708-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-80-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2816-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2816-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-32-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2852-12-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2852-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-15-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2852-30-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2888-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2888-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2888-90-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2888-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2972-293-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2972-292-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2976-366-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-56-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/2996-57-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/3028-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download