91c0b5030b319793a7ec551dcdd9859ddb32e399b042db90ff11fc71d108a48e

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Size

213KB
MD5

ce621c0a61fa467b80d3942f722fecab
SHA1

6ce0db0be9eae2b928220c7d54d6c4b1a998380c
SHA256

91c0b5030b319793a7ec551dcdd9859ddb32e399b042db90ff11fc71d108a48e
SHA512

c22f97d586164ed5e47cbdc6bacbbc74b80a0d3500194550ff8e56493c89ca0fd2782c030a508b9037de8d639c4420c67a2e6bd13cd4f35290cc21ed2b43d4d2
SSDEEP

6144:0/a2LZw/RPf6t8DFBoHx9kpqTEWp4hhF5jQ0ig1N7XG7B9OjZN:3xPfC8yg1N72FAjP

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\Geo\Nation	DKoIAYIw.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	NgMccEAo.exe
2724	DKoIAYIw.exe

Loads dropped DLL 20 IoCs

pid	Process
2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\NgMccEAo.exe = "C:\\Users\\Admin\\bYEYkAUA\\NgMccEAo.exe"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DKoIAYIw.exe = "C:\\ProgramData\\GUcYAwQs\\DKoIAYIw.exe"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\NgMccEAo.exe = "C:\\Users\\Admin\\bYEYkAUA\\NgMccEAo.exe"	NgMccEAo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DKoIAYIw.exe = "C:\\ProgramData\\GUcYAwQs\\DKoIAYIw.exe"	DKoIAYIw.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1740	reg.exe
1716	reg.exe
996	reg.exe
1980	reg.exe
1472	reg.exe
2676	reg.exe
1388	reg.exe
2172	reg.exe
920	reg.exe
1740	reg.exe
2060	reg.exe
2576	reg.exe
856	reg.exe
3068	reg.exe
2740	reg.exe
2344	reg.exe
2036	reg.exe
852	reg.exe
1736	reg.exe
2292	reg.exe
1652	reg.exe
2092	reg.exe
2588	reg.exe
2740	reg.exe
1540	reg.exe
2036	reg.exe
2320	reg.exe
1660	reg.exe
2036	reg.exe
2448	reg.exe
1948	reg.exe
2920	reg.exe
2912	reg.exe
2164	reg.exe
968	reg.exe
1820	reg.exe
1920	reg.exe
988	reg.exe
3020	reg.exe
1280	reg.exe
2104	reg.exe
1096	reg.exe
2316	reg.exe
932	reg.exe
2656	reg.exe
1612	reg.exe
1252	reg.exe
984	reg.exe
1704	reg.exe
2672	reg.exe
2812	reg.exe
1504	reg.exe
1496	reg.exe
2460	reg.exe
1008	reg.exe
576	reg.exe
2104	reg.exe
2672	reg.exe
2128	reg.exe
2608	reg.exe
2408	reg.exe
2552	reg.exe
1856	reg.exe
1912	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2884	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2884	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1484	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1484	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2244	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2244	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2764	conhost.exe
2764	conhost.exe
968	conhost.exe
968	conhost.exe
2748	conhost.exe
2748	conhost.exe
1684	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1684	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1692	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1692	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1464	reg.exe
1464	reg.exe
2348	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2348	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1600	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1600	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2828	reg.exe
2828	reg.exe
2232	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2232	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2328	conhost.exe
2328	conhost.exe
2472	cmd.exe
2472	cmd.exe
1656	conhost.exe
1656	conhost.exe
2148	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2148	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2180	cmd.exe
2180	cmd.exe
2808	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2808	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2340	reg.exe
2340	reg.exe
1136	conhost.exe
1136	conhost.exe
556	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
556	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2388	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2388	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1648	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1648	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1980	reg.exe
1980	reg.exe
992	conhost.exe
992	conhost.exe
1276	cscript.exe
1276	cscript.exe
872	cscript.exe
872	cscript.exe
1688	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1688	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2024	conhost.exe
2024	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	DKoIAYIw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe
2724	DKoIAYIw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3036	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	28
PID 2436 wrote to memory of 3036	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	28
PID 2436 wrote to memory of 3036	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	28
PID 2436 wrote to memory of 3036	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	28
PID 2436 wrote to memory of 2724	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	29
PID 2436 wrote to memory of 2724	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	29
PID 2436 wrote to memory of 2724	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	29
PID 2436 wrote to memory of 2724	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	29
PID 2436 wrote to memory of 2684	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	30
PID 2436 wrote to memory of 2684	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	30
PID 2436 wrote to memory of 2684	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	30
PID 2436 wrote to memory of 2684	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	30
PID 2684 wrote to memory of 2624	2684	cmd.exe	33
PID 2684 wrote to memory of 2624	2684	cmd.exe	33
PID 2684 wrote to memory of 2624	2684	cmd.exe	33
PID 2684 wrote to memory of 2624	2684	cmd.exe	33
PID 2436 wrote to memory of 2128	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	32
PID 2436 wrote to memory of 2128	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	32
PID 2436 wrote to memory of 2128	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	32
PID 2436 wrote to memory of 2128	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	32
PID 2436 wrote to memory of 2576	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	34
PID 2436 wrote to memory of 2576	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	34
PID 2436 wrote to memory of 2576	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	34
PID 2436 wrote to memory of 2576	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	34
PID 2436 wrote to memory of 2588	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	43
PID 2436 wrote to memory of 2588	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	43
PID 2436 wrote to memory of 2588	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	43
PID 2436 wrote to memory of 2588	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	43
PID 2436 wrote to memory of 3052	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	40
PID 2436 wrote to memory of 3052	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	40
PID 2436 wrote to memory of 3052	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	40
PID 2436 wrote to memory of 3052	2436	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	40
PID 2624 wrote to memory of 2908	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	38
PID 2624 wrote to memory of 2908	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	38
PID 2624 wrote to memory of 2908	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	38
PID 2624 wrote to memory of 2908	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	38
PID 3052 wrote to memory of 2680	3052	cmd.exe	36
PID 3052 wrote to memory of 2680	3052	cmd.exe	36
PID 3052 wrote to memory of 2680	3052	cmd.exe	36
PID 3052 wrote to memory of 2680	3052	cmd.exe	36
PID 2908 wrote to memory of 2884	2908	cmd.exe	44
PID 2908 wrote to memory of 2884	2908	cmd.exe	44
PID 2908 wrote to memory of 2884	2908	cmd.exe	44
PID 2908 wrote to memory of 2884	2908	cmd.exe	44
PID 2624 wrote to memory of 1780	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	45
PID 2624 wrote to memory of 1780	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	45
PID 2624 wrote to memory of 1780	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	45
PID 2624 wrote to memory of 1780	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	45
PID 2624 wrote to memory of 2132	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	47
PID 2624 wrote to memory of 2132	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	47
PID 2624 wrote to memory of 2132	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	47
PID 2624 wrote to memory of 2132	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	47
PID 2624 wrote to memory of 992	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	46
PID 2624 wrote to memory of 992	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	46
PID 2624 wrote to memory of 992	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	46
PID 2624 wrote to memory of 992	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	46
PID 2624 wrote to memory of 300	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	48
PID 2624 wrote to memory of 300	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	48
PID 2624 wrote to memory of 300	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	48
PID 2624 wrote to memory of 300	2624	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	48
PID 300 wrote to memory of 984	300	cmd.exe	53
PID 300 wrote to memory of 984	300	cmd.exe	53
PID 300 wrote to memory of 984	300	cmd.exe	53
PID 300 wrote to memory of 984	300	cmd.exe	53

System policy modification 1 TTPs 34 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\bYEYkAUA\NgMccEAo.exe
  "C:\Users\Admin\bYEYkAUA\NgMccEAo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3036
- C:\ProgramData\GUcYAwQs\DKoIAYIw.exe
  "C:\ProgramData\GUcYAwQs\DKoIAYIw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        6⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        8⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        10⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuYgAQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\deksYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2248
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKswMMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        6⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1360
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCUUkEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:300
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAoQUQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2680
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
1⤵
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
    3⤵
    PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
      4⤵
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        6⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        8⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        10⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        11⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        12⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        14⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        16⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        17⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        18⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        20⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        21⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        22⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        23⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        24⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        25⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        26⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        28⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        29⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        30⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        32⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        33⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        34⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        35⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        36⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        38⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        40⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        42⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        43⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        44⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        45⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        46⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        47⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        48⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        49⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        50⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        51⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        52⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        53⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        54⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        55⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        56⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        57⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        58⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        59⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        60⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        61⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        62⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        63⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        64⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        65⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        66⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        67⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        68⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        69⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        70⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        71⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        72⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        73⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        74⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        75⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        76⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        77⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        78⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        79⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        80⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        81⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcMAIIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        82⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\igsMkIAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        80⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsokoQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        78⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOUsEsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        76⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UigsMkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        74⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWgsUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        72⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKskgcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        70⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyAEcowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        68⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUcQAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        66⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcAgcwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        64⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REIgocgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        62⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGEwEsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        60⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoMcckIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        58⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgAkwIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        56⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        56⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQswQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        57⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        57⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIkQEsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        54⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYgIkgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        52⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqQkUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        50⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkIIocAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        48⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWUwMEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        46⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoEAkEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        44⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuIAMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        42⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcooEIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        40⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkAIsAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        38⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSkowUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        36⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCMgcEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        34⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiEgcoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        32⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuUgEIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        30⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqwkUkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        28⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkUgAkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        26⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKkAsIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        24⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMkEAkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        22⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKsAwEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        20⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOYgMkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        18⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REwEYEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        16⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fIIgQQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        14⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMcEAQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCoUMIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIMwgcQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        8⤵
        
        PID:1152
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2964
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\haEAkYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        6⤵
        
        PID:1252
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOwIEckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\noMIYAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2828
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1952500770-1321879593-461084620-725921287-13888639214089867371818726384-1960750020"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-64220645021214872271347414253725423500-559227278320523117-8030999621040184860"
1⤵
- UAC bypass
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1479271381586108198-62671666520480109021012858620-415145732-7766866171153408726"
1⤵
- UAC bypass
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-47871712-778632472169035436282585269418878024002105967983-1762236526640350754"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1902896264396233328463291321-1962459218935255241561853396-157524142842245812"
1⤵
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6448299931463210161-1009692710-1689260393-1417520638-17659667401584996645-1293108188"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "387275362618583152-8481661861418199474-266150737-1392033915993106759333838642"
1⤵
- UAC bypass
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "908828006-708037052-1249240235824136110-1325707984-2137745751-23152455366260545"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1456728357169056691595276407-1988474086-559263290-4928500141416249552-344251247"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "716726011-27433214619236715921224428411437977141735441228-18411253451306078974"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-950228755-13592073011490241697-28730201417767491808394112071986457918-801148760"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "162605204-984277181-12162675711788754954400414382-686282397-19915751721335727294"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19318172002986086531616716312561182451775210077-5748815952143094453957766659"
1⤵
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1375139616271837417109684120911411562741396406148-477325923794869406-1388872648"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1269192041-943291399872256849638108230-2019626051-1169839896-13386282311289214218"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1590199076-11184235462079356286-31677373-21174682451748183287655974825-359047587"
1⤵
- UAC bypass
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11595258858127812326132355-2034403451-7455428792033014385744282480-31684475"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1108523960798033734-661446110147745870-1861991096-17454343021501766283-311309957"
1⤵
PID:852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1463619514-108341206-698705710-1487855861170554287542553435-301322308-1440686090"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1365962795-395710330594526829-1281681042721207809-78048728-845893132-2009712911"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1162459095-1995005628278130969-1883771196-590676543186620237-1960660725-993890229"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1572854793-6975011755275308091281586340-866907987-1168502454-8587537491493041487"
1⤵
- UAC bypass
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1139199376-751480312194825673311363083011614779863-1235038737-1984672206-1425488451"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-997878498718384191644750398-1643704584-779129417-13019819041581131675-1860263257"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-28855755688673714512243387061350832845368072093-17414367651307351197-1727656562"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7093429422059572032-9978026881707808336111616068-2088983204-679749944-1440462700"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14431276501751026225-1968041801-119859298-235477718984852456-82261329679099527"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-601149151-20587151161568116918635386931377782534-1973429058-1769834496-587692273"
1⤵
- UAC bypass
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2029590555-14580498721931643965-220543125-1889984442-525887593-1187264823998851826"
1⤵
PID:1468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-164983365418951161291710074906801927794379188425-1291220133-1791046858-1670414375"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14975094409616844020938070551168725606-524258174335898151435506061695570048"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "353885522445345741-13185772672130629539102889232210834834317442641572110151771"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1174506080-136628287910087607763824677191327948047450651812-479086740790173796"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1805026214-172531079139414398-273006745-1202569236-759486783-115108016-105316746"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1250050466871604773-1150427417-2116752472-687136724-186378482911198946501105473663"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1799036456-165498226716382192171357565317-1999767982-17241072059218630-1292368343"
1⤵
PID:1340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "432252302-915582659-2015716240-1326315275-726308364-382813603151966361180810590"
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
1⤵
PID:1028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOYQUAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
  2⤵
  PID:2792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2132
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
  2⤵
  PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1400425082457588548-531617183479672780-17402153241812746103470088296-1010889583"
1⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
    3⤵
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        5⤵
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        6⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        7⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        8⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        9⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        11⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        12⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        13⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        14⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        15⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        16⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        17⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        18⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        19⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        20⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        21⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        22⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        23⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        24⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        25⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        26⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        27⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        28⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        29⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        31⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        32⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        33⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        34⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        35⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        36⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        37⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        38⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        39⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        40⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        42⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        43⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        44⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        45⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        46⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        47⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        48⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        49⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        50⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        51⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        52⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        53⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fegIwQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        53⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEUgIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        51⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ReoQsIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        49⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgsoYQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        47⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        46⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        47⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYcgggEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        47⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqkYsoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        45⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYUkQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        43⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWUUwIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        41⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqAgIYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        39⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\goUkcQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        37⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyAwMAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        35⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EsEwswww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        33⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQgUwskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        31⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        33⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        34⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        35⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        36⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        37⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        38⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        39⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        40⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        41⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        42⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        43⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        44⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        45⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        47⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        48⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGsAEcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        50⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        50⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCcQoksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        48⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vswgUAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        46⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGMgkYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        44⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUEMwgog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        42⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEQIIgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        40⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYUAAIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        38⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgwgMogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        36⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYkgAIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        34⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kawosoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        29⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqAgQUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        27⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaIcccAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        25⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyEsUwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        23⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgQkEAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        21⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeMgUkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        19⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgkcUMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        17⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKccsUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        15⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqQsIAsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        13⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAoQQUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        11⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        11⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        12⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        15⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        16⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        17⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        18⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        19⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        20⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        21⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        22⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        23⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        24⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        26⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        28⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        29⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        Modifies registry key
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEIEMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        29⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUAgoEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        27⤵
        Deletes itself
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMAgsoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        25⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgUAgUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        23⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgEAkwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        21⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOYcUEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoIcEccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        17⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaYEoAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        15⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCEMQoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        13⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgUwoAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        11⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZksMAQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCsYIQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        7⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WewoEgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        5⤵
        
        PID:1508
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1272
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMMEIMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:340
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\duQEMwko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
  2⤵
  PID:1280
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
  2⤵
  PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEMsYkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
1⤵
PID:1956
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21414527201909795752-116222784115586300561717181941836197257-1773831300-141165833"
1⤵
- UAC bypass
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10649618441863969573-591353327-3177758436658032-1157116302-14324269941428506784"
1⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1920920847-12516130801877645091915023546254195289-106325760-525485450-1936911481"
1⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
1⤵
- Modifies visibility of file extensions in Explorer
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1479890373-523349439-1694475777-1755109760-134836732506356659-2131494142-1058905089"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "50913372414003782477849769684801135361411269435-8430671877311679421014316822"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6351386411337741464-1666600566-2087492495-1550778906-199463618110470791401963366478"
1⤵
PID:3004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "415374202393421819-511675763-14816345452013678952210302576553153802-1527986590"
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "965989040-530798791-807239022714256294-994343023-1026524562-18048289541629654064"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1294531100-16894162171521594858-844954743134091796311197860471133207352-2061767618"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-481989697-107376638610459302301490360222-523582951936114920-352126195-531032377"
1⤵
PID:524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88774345314039785321619038102-18286176221841918097-1939309303-1444128070653037006"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1784585411-145767415014186643051016711371611852004148149052-1953007552-1234991716"
1⤵
- UAC bypass
PID:288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "119696803-1584728467507982819599242181244912264-486836043-852760481-44047034"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "226119869-328361567-1241988081-487660532-18252175951499379534-1643253163-126607927"
1⤵
- UAC bypass
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1036471153696991314-12807260711050622783850424939-9746464081780317865-1828011214"
1⤵
- UAC bypass
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "309995788-7254774232046923504-45668924521341170141400213946-291321417-1659906623"
1⤵
- UAC bypass
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1932376475440481077-1763973361979023965-774480942-620739019942201856125549780"
1⤵
- UAC bypass
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13867327012144005421444665971-659782664-701819763237102129-162200344-286103028"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1253155719-888031582406564444-58538248-665076238941997864-83057692433842380"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1956159302-585540550-1846276771-979778995172123691-376189058-389312445-1066092705"
1⤵
- UAC bypass
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12065473344791574331677003792438668284681177065-1067151684-1522202501-602810261"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-147762248249543047068595989014040271611609940343-2013900551-1294646801-3480688"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "332118164-4721966861283959442921577633-1372353726-1259248264-1806880214-1573810342"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13592861152038675785380594049-1627103380-1552957208-1558415786-9392262071524987131"
1⤵
PID:2312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1305125338-1185470076205999462413119141614717525911120838783-30961554-1289451134"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-686257963-1435287505-17218569582132440207-16340402431281011648-260716632-1837573541"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1510800534-12706308527510698915518332271660008583-1872880825-929986450-1226449986"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "79233235657652193418301679021273189251-2062944279455398655986897279486525801"
1⤵
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1996815485-1735296888871295141-5635557931775692905-474871969-2001409511-1380266739"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-886785284-17627935042324729467355413642092455281518141055-376829506-110757239"
1⤵
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "546490661814631098-1825544982159468818461031856828687237-3055072531371902594"
1⤵
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1015993723548020822-159494603913836319176100303561466453435-589209857-2085097185"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "558700845-1023591604-1524444040-10728837112055362669-666618691-1265281362-1164558635"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10044762912095805388-809737382-612778849-146050286218092712469080644681816670871"
1⤵
- UAC bypass
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90579027-515689281-203320290362365319-792971771-43264133873398658604777521"
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "963080724-157243441467503809-12624864347470792547962942-18675563631334926582"
1⤵
- UAC bypass
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-451984990306441783-1647111631-21197376-1730821323152178175215886719831679149578"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1866112725-15260492801226773674-6123626493598482384978951081614592954335621899"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10960098961786493706-784807084-490336669210077337453169638108121905779716181"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12783447131579683879-389894845-1878818635737384101599233802-999360765662346782"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-79314146-1412261301608101908-1433879319692670746-211904343917118031341128970400"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5743492201444823946-115995898-1589612931-112622834418261694512146148885-599935284"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1614909881-506383830838716600-2041477529637122627-2551224491124271487-1901660270"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "877142120268156917-2445863002002493108-20179068537393879211160777673-1371223680"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1536874781-1230980082-237074292-1089125528105905234454144239113557146602017719845"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-849440601461846048316049792-475197658-4271284572129592693-1349687650-2097925052"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1529470145134476043-342795929-1291688758-775575477-1216389270-1764162130-194915833"
1⤵
- UAC bypass
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1395646630-1951787833-480806943321724536-1170516879-509950005-250739567-1201454777"
1⤵
- UAC bypass
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "219222438805216957414109488-1067154353-147079511-2061331486-16153297381979020159"
1⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
1⤵
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
  2⤵
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\loYkoEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
  2⤵
  PID:624
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2964
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3040628398829990874793482201793510489-211019793-26151566910949839481034035532"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "838697505134788252-18670790761090855226-323044828746745636-1729762241-2105433318"
1⤵
PID:272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19946764111256632926-16376378677640095761083502130563211741-1325993073-1158882908"
1⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcYMUUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
1⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1252143903-1940258450-1253416390-4963174571237976011-1386956252-119844147-1509460942"
1⤵
PID:524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1695387779-18674514381492038998399064201-1327493130-1827145937121067593-1521771988"
1⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-72116879015778763482127811743-1523617062-806183134-2039922519890190671446311045"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "713209546-5244462871261675141-786378482-9129322795499192411004158039-627544842"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "757248298-170807956816524800-1107647426502134166-141396023737859626126262456"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1084032731-1072684921689356299842900854-614935518-13270069101794150858-1981328306"
1⤵
PID:932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-900170893-17949946905422879884435771731748586274210503276782708718-1076073454"
1⤵
- UAC bypass
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "700944418-1763492773-299289469-1006948904006865228691466063543584191094942591"
1⤵
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "637645454-93533561956872985-1756189398770213851399077963-185607552809631782"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1028984357442664344556712614-503577548-903878734944250451611408844975594991"
1⤵
PID:1280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14297584424231358301574284868402921447589343581874486226-1541974347-866302608"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10459179771090881441-1885396742-508557286211465504912902285973525660841792547873"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1015728975-13066777451343420339-20133014683120519021948904338-1379779705562721736"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "394761393142228183579373326-1712763363-1149513071671411793-966498431906236306"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17980339749521157274480315781570402967-6759383301502592355-1403663896-1015474118"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6020243311531288420-19102278601251229085759817152-80876948112186822332061025615"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1794053187810781623-263051849-187350476822751951072980702-1684001483-1380784749"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2050540155-98299963512940735141805916361-1490084733285260912-1942619091-33971022"
1⤵
PID:648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "535820771860480578-691409413773270-134156958-1765560947-1203495101-57995431"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6980723901849891601794404291-14757845341344121470-20954221501898246537-1864504517"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "912905395-338818144-571233723-717156222-1273478531-502136620-663167714490341038"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5264985206971431191263633249647889239-1497159530-1295719716199270693089136427"
1⤵
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5274442541008989147-5427136351606433703-10981270381015167619790561258-1282673175"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-662491301537589520182460136620136631781106956463-8159227661036161572-1561008924"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-508612351434942817-1450502618-4009532021488023867-1015546536-169325267-1824824288"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1682859139-289371168-2031444241-1540533344-355263792-1394288603-2044600895-328799256"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20287202305009604221914594462-1645831523112764910613206684422513396-1411243528"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "127124797320875011871638461535-17165997292076891021-108920840-417815498-590073700"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1472032837-22023869214503801691838514764-1899509432989602937-722941163692773941"
1⤵
PID:2896

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GUcYAwQs\DKoIAYIw.inf

Filesize
4B

MD5
f7177b96b8615aacb6fa83e66c692818

SHA1
a7a03efc4f48ab9d2f85d7bc32d24c5435004be9

SHA256
4961f7d104a8851f6750ed1a2adfbd66d3a6dd18191bd4b0b54119217419aa72

SHA512
2f42320c5b88fc07e2771d61a6f74710d71c21335fc5045951ab18cd631f7c886329daba68741a247ee71531de9ac0b9cfaec7ca2fba653cfe89c563cf8245aa

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
236KB

MD5
615664d0e7ca6f290c8dcfc7045afc13

SHA1
0ee9ee8554ea49f3ba9723b512fef35b2af55fd4

SHA256
a5d1b705bb904f1a4c1462473f08f7f651c937e04e59965e67e348a01c3c4860

SHA512
02be078eeb03ea3ed53d4a21bcd53f5f20c888b9a140c55855c066cf4b976a676b2df8eb183cf84fcdf1504987b75a234ae68cf49fdd7192e7448a57a2cb3d2d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
227KB

MD5
d339305d7db251a889efab2f485d2963

SHA1
3c7d4f5275f54a401425103e03807002ccc19755

SHA256
d9e2613debb09913c28631c86dabe1309d46deb29ed764b199803b3304d998a1

SHA512
9d476b715c051c12820dd28bbc6e3ccef90a3e0e451f6180f2a5f306877d522094be15c7d9a2d2c136ff32a51e694a42a54343434991bb72361f03b6121dc93d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
250KB

MD5
dc26cdb7ec48ca2028eb95b4bef95ba6

SHA1
23db01171c16554af8d43c3ccc5e83bc58a5aefe

SHA256
2bb26d88263725a63b0e01008f209c973e79a7f2e44ffba5d5c63cb26f8328f7

SHA512
263afb4f71222dcc09089e348435d82f5f6327980079239094a4efabf9f6e067f179689067bf126ddde371d6794e0f2c74e0f08b96bc0de1017186f344259815

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
235KB

MD5
5f6ef639e95ff6fc58579e049a37bf03

SHA1
2b3c595f24c53091c28146b61329850acf3d103c

SHA256
9dae408039b66a9e000f4bf59ce41dff1d27edc42622c0db8979aabf32c06492

SHA512
b73060171b3c753c2db184be79a2d3c2f8e17da831c6685036fbf2c17d7acbc585135eb03be964fedc0addca743e5c9e9225337149fec08c1a78f10f42cec745

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
230KB

MD5
83400072d9d029cff6c98b7d7e9a8f47

SHA1
d7240f89d5a4e1bc3d1acac9331da527520c2884

SHA256
d5ee66aba7a2ff9c612ee883ec790233e66b1a75af792001c34ed73f901b48a8

SHA512
cf3af7f8df0243184e55349d7ada31ce619c9c36264121341534a3082e9313cd97b9fe6765f0e7885120d5e8c09f80664ee81f140ff5f5f7e5fe64decb8c5d62

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
245KB

MD5
060d5b084bf09bead6300bc8c6e2db84

SHA1
4e365e10f2a14c3f3d54225f90d25cc55ca419d1

SHA256
18d57291199fc00569b2f6b7586f7ffa1cc54fac445610c4158310d6e53a8714

SHA512
6ff8412c7e1cf9019b0c9ccb0c0cf6878dd52b40b1b15e063dd210d409ab963b17b2f5bf62bf503cca569932865846050d1d34fd484c18a86f3291cb0790273c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
232KB

MD5
effa3df7da45e31d60514adac03a03de

SHA1
9d5e18c1e83b0afbf6506a4207089fe56ca616fa

SHA256
ee2449484524932320874e2b05aaa20ffb4286a23d47a6922fd1b675237571c9

SHA512
606ca6c6b649693c3b233953fd653c5a78960847224a289bfa4fcebc2caec60595d90a843ab7e3180265bb4e11e174bbca0e27126905f58b2f61d753443a806b

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
822KB

MD5
a83f21f48f43949c5d3b0cd26f8727dc

SHA1
c006eeef7c3e95d3e26d3436f6fce73b93913ee2

SHA256
a12c1cdb25a500a315d54ba1beabb9b816827e9eb4b5e59ca0c8e0d4be27152a

SHA512
bef13e445c1d6166635a1ec1bb1660979666293e2cc0bb8c03e34f470d4d985ac68f48a9f288582d1effc088911d0dfd7520d0e25dfb7c80faa85b57b26e159a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

Filesize
10KB

MD5
e0a80154e2c7c04bdff156ce10733245

SHA1
1c79f105e609481391cd58ee99339abd10dc8926

SHA256
19a3fe8192c7b0b9062dbd36d0223aa2d4ed15e571e2a16ff5090297b268cc21

SHA512
1fe4c9c18322fe7fa2bae34cee82dde8aa1d99bd798fca8486a2a5c857e6c93f645dc0780478a827574cd46492dc61a1b9044cbf8f101305552107f5f4c07e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAMy.exe

Filesize
254KB

MD5
3e6fdaa1cb5049dd0d1dbf5cca5047d3

SHA1
8d80db294431ef86dc7f7766a2efc3a7c055a98e

SHA256
eaed1a14fcd696efaa80442cc86d3867b31dec5c32e43736b31a404ecae4435a

SHA512
5e3503dcd9058d9ba43ce590144d6d1b06194bd2a04597e1f121693f1e24dd67b979bd9a43b33a1c8d0d2ef19d48a1b339bd18b22e82ad19da5c4e43b1171b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsI.exe

Filesize
629KB

MD5
545e5adf38c8e1bb618323f1e0639b27

SHA1
f7d4bcdaa9474bda67b31963c916a0be91eb1572

SHA256
0073e92036d9a4b520311ae27a6b06cfb59fd42ae62abd1f94632969691a45e0

SHA512
0403ab60a0709c61ca12ce75ce496630c9b0ddce400cf46402a373c39a502168929160a860855dff5644f4ad462737b1e4714718e3c889cb0eab5106c36b3778

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYIC.exe

Filesize
760KB

MD5
28f4568ab21d4e8b006837613092ba45

SHA1
a44aedf3d443f23149d3a82005c2dcefe0a21cb1

SHA256
0dc4c513f3581822454056829cd1b3a8b5c3bb55b053e247501d9b64d3318f12

SHA512
4b2eaac2965a5131f02f7c4125060810052df28b6f00cc05fa35380aaf783d46ce8e6dcce5454d3d919a5cfaad971b6e392975893245fa541196f395a61219b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAAw.exe

Filesize
836KB

MD5
a054edefe0840d28f66edfca664463b2

SHA1
d1476a41df400c3b28e9f60fcb7865dc0af30c27

SHA256
61fe0dc6bad16dfe6cb026965c62e24ee14ad93faa0a2616e30b1b5e73a953a4

SHA512
489767ea3f69d31d7a74f40ca6e537bde5fb92e9faa785bf734edb6924d08ad1a18c70ac5965dccd6adf8e25b63ebf917bfc620db22b7c36ccb7a039cfff8a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkkMkYkw.bat

Filesize
4B

MD5
f981fd4396482718e7dc8803748b9eba

SHA1
a452955ac1ac81db01a577573a23a84d389cc519

SHA256
6365b0fbd3c71c5d01fe833815ec6baaa09fd3a0bae2200e9aa3011ea542423a

SHA512
a2cd1dfdcd3c5a0947af7ff8e8351c1fe3ac9e0a1ebb13744263c934fb6450779fa5ebfda9529ff9871b31ce73f5f8feaabf7b27ab05f3391a0e635a1925871f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCwMsQcE.bat

Filesize
4B

MD5
88e49b8e84db69c5a03d91156042d453

SHA1
32ae465472c6a23ff511690518d902c19e97dff1

SHA256
449777a5d1294ba443972a38ff8b07e56ebe6ff668652be155d98cab16849d27

SHA512
3b2ab58b2fd2ea67b6066f2e39bca08c878ae9171d3d1d3a6f3605b7b951bf30d1cbee7b72e0305f7443768ff7f1f5774401432663c23805ebd7cf267361e4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMcc.exe

Filesize
787KB

MD5
25c780eb157f0edfae26be630dd52f7a

SHA1
e680ce030422e95e554a88cb362b57eb7f47431e

SHA256
b787ef3f0a9b50548c920e87015ffce8a19c2c2f9949f47252a9d16cf7e1f602

SHA512
59e459ef570fc5609f5a2087311d8799a4b11ca39e90f8fb05951f2f33e3904e585694e9176c5efd2476cf204edc17841ae8f9486268e27055ea798cff2a810d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUke.exe

Filesize
319KB

MD5
bf143f100d49b4c9172fc1f6484534b1

SHA1
3d7841d3c0ea85926b23f96700726f831836229c

SHA256
a1ac283b54c8f26bcbfc7f163474a85666806a67411cc0c594c87dddda73b9ba

SHA512
c87cf0db1f1fe7b5adaea7b44d263fed1baeea15b08929592e28333d2b8e00789ef0eaebd7e070a90e9c2f76b3f96f53ef0c1dae826858235e33314fa042c493

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgkokUAA.bat

Filesize
4B

MD5
6d4906f247f21a7b07f4ffdffe47d860

SHA1
474a4fa0cc083fad6edd013ee23128ea11bc435f

SHA256
38c42a9e58f6b5d9148ac9cf680349be168201d4caf52e2db67f3a3a6537d17d

SHA512
1b1acab81d2b470b5a5a721c3e52cb8e271f97aa5685290a2476778ada203dfbb31e0f70a75cb1be48e13b6784c79509ea904a72e26988f019f20fdc524a1523

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgsIsYEQ.bat

Filesize
4B

MD5
c49b8311a2ea0fa955060b7d72ffee9d

SHA1
7d1b2af2bd21966f9901243fcf7c683e38e6fc55

SHA256
b0f14d803bd191a31b7de5b7acfef213f4c9ab97e9c50227e24baec218d10133

SHA512
4af33b74ef6c59ca9c525cfef05d34f32d0530d8d9f72f21fc1204037c192a86b2ada878fd3ad19225ee51e8dded8d49ec845d41eea659d0a919ca3deaafa710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgsk.exe

Filesize
239KB

MD5
e5a8a9128c36a2313ea4e1dc554a348e

SHA1
0612a1a2cea95f1803feed828e67d297ea311dc0

SHA256
ac9a7c2fd4b56cde9ebe7fdc6726ea396e44c50cdae0c40d1230f30723a985fb

SHA512
c47deae06cadefcafe302dbf5ec14b0428f5b75490122a8794ff4501f8bca3418cfb22e59431bda3950ae8f9e518e65aa6327961c9f1b5815dfa35707f5a2fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIYQQsYc.bat

Filesize
4B

MD5
6cea5eaa818a17f0927a1b626e060456

SHA1
6a86cd0b411c62bff48aec2b1b2613137285e24e

SHA256
65390abc2ec06bacd70f105e6e47e9df75a63bb151b84f1dd01344ee230fd32a

SHA512
a8e36725693326503617ebdd67bfb6c03cfeaa34bf7d08080bf756035ee57d7682d699d624a1acdf08f5cc323569346772ace8f6282a42f4951028337afa706e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIcowooY.bat

Filesize
4B

MD5
0b36150471d46199da9828f4d0e20d4c

SHA1
ad03e03f5afccda54841b887bad90197566d15c0

SHA256
e404da1d222ed7543ea949b921f5c3bc3935b53934c9ca28c3e3ab43bac0edfa

SHA512
c87f45392541286b919de4835597c544ece00c2de0e6fecd1f276e520c19fd6ea7a7e2534d45ea34e5fd732b965fa1055d8738d8c44bdc7513d1fed1b9e84161

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIgskcgQ.bat

Filesize
4B

MD5
7b9b8dde663698f985b4e146ee04355a

SHA1
82f4c18da5b5402734c3c8b0675a8a1743880fe6

SHA256
526545764d2576d051b34e1df71ab600c4a908499b9d797f5da4a40de18a5eaf

SHA512
aa9b8d5b17c141402e8e9743be4e3904450d2b0aa8df647514faf81d57836554c46e7f3768d5cf0958a6205bb0d115e6872dce289fe76b9ceb36ea4e314bf51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMgO.exe

Filesize
4.5MB

MD5
fe2a3a5bfa040089f994fa65e1c4a054

SHA1
39f50f569cc26d23f15e1bb1ca84f911e2cbf28b

SHA256
1083266fd788929558cd345c059db4565b9173f61124799066827b928adff5d6

SHA512
2f25e0257d5918206c2d2040788c559b49fa5aceda369cc71e26221707a0e9019cd29c7f5699d9348ee9e278bfb64a270c890a502392237981e23d3cc9ad13b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOEcgUsE.bat

Filesize
4B

MD5
022e1df3e883b50a81a9a3db33e28601

SHA1
c8fd78f4e533071e6e00183ac874d2319278457f

SHA256
bb00a0a4c9fc2d900258069aeeb48d47da31bf65d1dd7bb1bf0c9478d16626ab

SHA512
fa6c03e49aeee9016e9c81dc0b0a51ce6405efa6c739586c42c012c9968a0cb1f985b360ff3b354c21b9fce0d36871dd3875e72b31488afc76999934d49a532c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUoo.exe

Filesize
248KB

MD5
2842a81337c96d33c3baead583dc8cf6

SHA1
d59477a8b24ee6587542a0c0e556fd91ffc4ebf8

SHA256
80eb995ac62dceb03240b39693d9d1430d2cffd0d063f770fddff93d1f4d1694

SHA512
a54a6b2c990929f1028c243fd23105f163fde5dc45cdf4eb27f050e243d6bdd066a3315a2aa2106a2b062e0db1dd94b6494648a62e80ba0603160e5d414064fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYUm.exe

Filesize
228KB

MD5
986da7f7e96333550f419dfe57a50ff5

SHA1
97fa08d0bceda616cfce9e36206f6ba444549fb4

SHA256
5de569a81ddb2d479383543f9b40a89793e597da29b707d1ac9ce977d4c4db11

SHA512
09c37892afb1b4103b29d5101105ff5d0a3d3c81bcfef7a47f553e8455236ba2e0ed6df35060aebcc29ac08f00bfb3e946d7ff26ea41d30ee31c0bf50f266efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DccS.exe

Filesize
1016KB

MD5
2943b1ae7d403b47fc68d3ff2ec801f5

SHA1
505d9a06bb5da0ba21c32d1d77e8323807ffbdae

SHA256
aafb1f25bec40a7ebc4a3ee994fa3a00c5fad4d29a9eff677a80dff45bfa3da9

SHA512
1e15ec1bfa491ede55bc297a5463c83836380cce7878778d1fac4b6054f31c0d7ac25fd3ab301d2aac2871f645b31b7003d9643cd798eb5dc3481ce7cb7e4b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkUC.exe

Filesize
217KB

MD5
88371aef1f130ca7f8b3bd8f5779c1f1

SHA1
718eb93b7e6caef6a7fff9776296e3d1e7fca476

SHA256
07b4d87918704bb29c574ac7a8740fadd96ebf6f5652fec897431d255adf33d2

SHA512
95ed651044e370047efea8e494ff325f2deed504f3b401bcb8371ac78f7d7ab555b6015729d07d27b1350965df42dbbad2e4144c3eb0eee274c18ab87c82ae04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsAu.exe

Filesize
235KB

MD5
05b077043f151191e2f47665d9213796

SHA1
9a62824a21b1c942f5701862c772905d029d0fb9

SHA256
fc0eb9b9d9fd7370e66cf89d8885ddff797c444384a379b89892edf1ea014fbf

SHA512
d8a638c212e033b589e64ed0507a41b217c106f40ddfcc506b4e85c148dc4d4a125fce3025d2e90cd640d264d509fce7ea1ce4f11bea81cc663c5ac8ef8c6cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsYu.exe

Filesize
960KB

MD5
ff77daf578a5abf1d37f707eaff8125b

SHA1
9f374418740fde367825f45f0ba6f6fe0b2dfcbd

SHA256
d2577fcd3c5ebd05d0c6b401a959b59d2e96311f5221f060f5d2c648ef806f64

SHA512
deb641b76cbb6f7c6f8a23fe551c2e993dc29a6370b5aab4f2c69ab68f6905dc46d24cacf94e355aa715a063fb307a090b6f63b5f696a87436601c2f2d3013c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYcA.exe

Filesize
218KB

MD5
7e5e7b513d6ef130455438db72576709

SHA1
00c1580146cce9bee0786168eda8b2b223155133

SHA256
b6fa941cc14277fd4678cd33a978900d17a00b374ec76e12e6f2b8a8a37756b3

SHA512
5473b597151db1a83c412e9c201d9f29e62778d1114241a022d88f96ad0c5e9eec9570ea140be0f650ffaa2ff8a49f31e223b8cd619d26f02e5d0ad84286361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIgYYsU.bat

Filesize
4B

MD5
b4043fab1334427273cf36f9d8115535

SHA1
f1bd769a3c9bede3d67be0ae108963d454aa2310

SHA256
9b08bb0cc613a1d820ed4e74e8ac943c65287a770c99e3643e37f261862f5fe3

SHA512
4f9442ee0aca99195dd73f4b81532d6ff08fcddc6aa1f3a4783bf52398aaf75dd2931fd3a7ad5a01da3a116b0cfa66107d127d7e2f8c3136eec53821be271d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcUQMMkw.bat

Filesize
4B

MD5
c8a065252781b54b806f21441744c66d

SHA1
269c0f56ea549e9e3674e21b295135165898780f

SHA256
db65e675b3e85a0ccadad254160bfb5739970a899adb4a4952c03645e87458a2

SHA512
a376f2122d6d0edf4226b9f8cdf9bc1db85c2ff8fe3ec6c99cc1a80501a1458901386d1849fe321bc1299605e7dc6c95c50ba12a39c51f6f7002d9563286d45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoscwgYg.bat

Filesize
4B

MD5
41073f56b77b883c17bd5d1f2465f59c

SHA1
923cf7e60345dba3ae0b9aed1b2df27c00b31d3b

SHA256
6a134489a099492c42b54cbdfa87ce2cb1ec46a777d67985a8fe06dd9dfa2ff3

SHA512
ff99d85e99afb79876425a27dca01fed20a5a2868f84aea49fc5e37ec27facb20dd31b4d0b1616d1a3d4d8c15b0d5be24a5e57cbdedac2da71a1ed15c1eb65ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEwE.exe

Filesize
245KB

MD5
ee1ceea643fadb1e5549cdbed13b647a

SHA1
56d3d22f91ed4bfe686fe1d6e7cdb27445b533ee

SHA256
e73d0911cf7f88d93db4bbd8c54b808f1dec1698e8420c2d9ca34be665621212

SHA512
b09f7a1b56b37fec1873678e35b14beb88b794e91f6768152c529dea6da63f1bc4c2902e5a55eea388be6c66ab54116dfa6483317e6c478c368bda807db90060

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkQI.exe

Filesize
247KB

MD5
c89be3e6c169e0687fdb9e566ab189ba

SHA1
a08f9bbf1c4596d7b741ecc8b9237cc338c90d39

SHA256
5225833b253c602a47f4454ac5518e14e32614db60faa8517157966af30b1bce

SHA512
eefa49ce64b472d6797d16a83bc216e4240ed284397d95bae681a8e951c6bfedc83b3839e51b658144ad5e82c4a755b2152ba282768e4bd9754b526fc07d25ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkoM.exe

Filesize
236KB

MD5
d1ba258162be453460a648eb1bb421d8

SHA1
04c89a5c9c6fd3e1885337cf50e077e390cdeaac

SHA256
eda350033b3a977090cafb09874fe11080b699bb6fe724112b687b89bc6f4987

SHA512
fa8341217e633a32f45ba38228b2ad1f02ba0fb4ad70e7b02fa1a2f23cb6df39820c964eb66d802cc95247d0a83cc4d9e37d46a39b6c0a39c912e369a4027776

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAQk.exe

Filesize
881KB

MD5
ea6fa38f9e0657db0e4421d06bc2524e

SHA1
30c70a3059d454efebb3aa7f4b37884b73888f32

SHA256
dba417becc838f14d431bcaef1dd79d2776a962630d7157ec7811725e5779671

SHA512
da0a1cf45de00e72864179c5c00ad034ff800edf9ff60c4f05a33aa9e392eeda7f468419077cfa491b1bc9b1c8622c1f87517f885daec9e4bcf42a698b1cd0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAoQIEok.bat

Filesize
4B

MD5
c4e7cb530b89944fe5fbb1010e0609cf

SHA1
45bbaaa03750d4f55a62bee3ee4551c497480cc4

SHA256
ce423318f49647c224b139cfa1b10923295f027f09344bd1512f1e190a3bc704

SHA512
e4bb0de7843f959384e67896d73d4df2923020534c7a366d9842359eac5e3938d524b8d323fbfd8973c25ad2647f47c3eb9e25358b7948bb73dfbef2040019ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsG.exe

Filesize
240KB

MD5
f7f80cb2bca8eef3761d2db7138750dc

SHA1
0ef2f4fa12402e1fa20556e16f8588d59ea91e75

SHA256
9b3b38bdc32cbc24fea6861f768bc2cdf62850bfb613bd570647bda5a5005d5c

SHA512
93f9381d73c53de1f726caeb1cbf829a911dbd4c9fc089d8c9ff806d827068c48f8f6d7b94d511774c891d76786512f16211cd7c418a7631eea33b0398d73c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUIC.exe

Filesize
465KB

MD5
c50369d3e841afe3c1b9d60b5bacd285

SHA1
ecf0b0c5ad24971768f46b495acdb6cd20fdd287

SHA256
8e4ba56ee4af2da6a7fafdaee1797de62cf547ff28dc6d3abae5f56a2d768118

SHA512
4fcb2ee7403211fd5c169bc0e4ed15d3cb1a4a016175adfff0dddcd78933f43c721846c27a99780bd394c5a7b209d28b7871e3de9ae6c753763fb1fb6da80f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAkoQoA.bat

Filesize
4B

MD5
a4b6208c55774bc08bff988194417077

SHA1
c224bea22dada62e8b2c15c27e1a46ca3f497b17

SHA256
f529df0ca8f0a0fdf2044bf9c57217a4a5a4ccf93730615925b198a3d0f15ec7

SHA512
9be778131148fccbee9bfbedbc1d8beb4e8f4eb7ea6d57a82d37b8f191da8ff0800432fc2fa7f0e430fdfc26337e107660ffe2503c4287c4b5a3634c18837423

Download Submit
C:\Users\Admin\AppData\Local\Temp\GawcsIsg.bat

Filesize
4B

MD5
2a17fed74e9f2b069399cc68414299e8

SHA1
46bc8acbd26b5a5b2e01aa0af86e50fadff2c34a

SHA256
ab83aa31c4c797eafed072f009678e9121cd229e9809f2c953f82d34e4534398

SHA512
db46ed3bd7a3ba775641fcd1957d68a681c8dd62f6099176930ed46a7606c2c597c56d5474af30472969097901b3c1f999a5ef2d935803bb5aab8d0272d71e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkoU.exe

Filesize
247KB

MD5
d3b158b33527bfa5415da96d6a4268e1

SHA1
33311342828771fc19e86b964a0f820d6f29d0d3

SHA256
cc8849cf408bc5c52d10f67f74072118b7a046a5573153dab753f7bbe240ff50

SHA512
11c5477f8c49907920e6816b79a2704f02403eee7c4ff22fb520e6535840a511046edf90753f9019ccb83164813befbd7d98ffebdf189a279017805ebfc3d47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwoUEEEA.bat

Filesize
4B

MD5
378d67a7f24d48f8727e6b8dc008c8ff

SHA1
96bf758ff68f415cfd7147a90323d625d403c1e9

SHA256
007223149cf507de69a189db6bc0ca35158e151c1b316fe2db3bf5c671373bf3

SHA512
edcda27de4346dc0698338c01ba56290aa13b431b9dadb823065fa0e2e5d2b9b50844fc056a7d9ba0897ff1e18d8613e9c4ee2abeaa6f23e1e36bf73c9dadf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyEgMscQ.bat

Filesize
4B

MD5
6fc0461124161512888762c9259a4258

SHA1
1105fbd8166818ea5cd430c16eea2ec19eebf518

SHA256
3cced5d6161de367df3bb164b5f62ace3e60363d0abb3687635b547069130b2e

SHA512
32e65e3c9c51d3ffcf6601fc214bc25c0b3b298ca9a8f6995bf27240a0fc0d3f65a1b27a6634adb7801e55a93b4b9d0003ca98495f62c9e19e52e6be31dca83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEMe.exe

Filesize
229KB

MD5
01a999d49d7210dd10db0b6a439d4f58

SHA1
e88e6bb2405f8ff305d92b81397c268cc8224a3f

SHA256
59dd068a8fff2fcca1368c768758ee9fd831cc5c093a504874db2e824fa4817a

SHA512
af93176a99132eccd93ea11c3136a119fffed04e4583bb53a55552406ba5d48c682512f360bc6474147d105b04e7c934aa3551fc4391172de0f474d1ddbc7f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIMW.exe

Filesize
247KB

MD5
8302b96845b71b375b116d6d1038cf6f

SHA1
0e704e046f7f9607f013be020418863a4c752b80

SHA256
4c8ebe7f401d43fd0343f97308604ba8061d9c1dbde17e99f5e7ee1924afa7d1

SHA512
a4f7763e174cf8c3bda6b416d7d7037df4678ef29560a1175643c6dee216c7e43c00cfd1a9f86972cedda5347c36c454b67fb2f74422d62aa1e88cb527d0ff6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUMo.exe

Filesize
231KB

MD5
a76cbd667d9a5c3fa6107f296bd6ebbb

SHA1
3a289d65cd3ad1884a736d658efb5555b071fafe

SHA256
16621be0c5ab325b7d3626b3c87034234ec5c67cca99b617153bdf54f0993b06

SHA512
412c39e610b136c243b679b6f5fa53564f6ea9a37dc8cbeb4307499c403f02b82509635db7c96a5fa53213347aab316fc2cdf467ecdc2630c75dad0d507ae0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWccQcYs.bat

Filesize
4B

MD5
855f4959f89a18a446950f3171ca820e

SHA1
13cdc7e7b59d1bab6ee28dfe98f66619713e63c7

SHA256
76c9798e6bab133c10635690940ed57b3484a4072edd43e1b7844f4593a954cc

SHA512
7a954589b6814d3b6ebdbb531ea42c946334783373028089c68e90fbf7509eba15941bc3a0f259193b90bdd89f11239247b2eff1599069aa8e873bb37d5a3556

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoYi.exe

Filesize
242KB

MD5
c8242183347b8f6794770faac23995c2

SHA1
e7d2bb87c6e0c161d60424f012f3bf96841ff402

SHA256
5235eacbf862417e6fe823587f84ce70ecb42d8c8d443cfda4c4e3b211273c6e

SHA512
c69d61a5fb93dd87423806a25e55f25bc62ef5bbab1d3b24ba75bc70712c454666512a76195b268091409697ddeb872534d5dee6aee3118512e66d3618971568

Download Submit
C:\Users\Admin\AppData\Local\Temp\HscgQAQE.bat

Filesize
4B

MD5
02bd792ba8561b6abd391d7308982450

SHA1
9a83ec8eec9807a77165aa620045cfe6162136c9

SHA256
2ca7967337f1892e02dd75d3c485052b6385a0e017b10aad50006bd16ca7dac8

SHA512
8861e1a0386b4f02091267fd41450a9da5fac5e7dba70f8198b336f1595ea5ea8447b08262ad8b14db32f7cd552c0b1af7660e90fd14d7cda0260ab9101de81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQsC.exe

Filesize
247KB

MD5
839fba0ea7af9e974800fdf6ee262598

SHA1
0f32a60dc5239cef50c8cd08e77593d9fbd1390b

SHA256
505c4b3dc24a461de96ea14ec1acdfadcc46a19c5bfbb0b92e232727cd49fe45

SHA512
3f459cfbcd9229d1e556d0aed7bb512017097170f5f25924894bba1fd42c33d335000a1199180cf561ceed999313314baf5af9a5c9a921272a328786b8cd974c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwcw.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGcIAosQ.bat

Filesize
4B

MD5
cd444d07e7c3fcad7058748f0fcd6e7c

SHA1
85575c3033de4c363748598b99194f9da17545c9

SHA256
9df76073c89a82c365fa6679f6c06102e71f57647f368032fa104ae33b2b048e

SHA512
c96324c1835dd107889dad84303da8ba8c4cdd10fece4db6b6c712615ae716dd2a157d41127d23373ea1e529dd99bc5c34c4eead68306161043543c0bd6c39a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIgA.exe

Filesize
235KB

MD5
6fdedc07d15114b06368a5bb47f0d694

SHA1
199d4806ec37584135bec60e73ea761fe9772df4

SHA256
ea180691c35e28c8c9d78d3055858bd3ee12f597e073ecf929bcd0ec0cf92469

SHA512
2c53cffa4bce4bf945420b1e15d044a3ba280921bcb9d61e8571d799e25157012760ac82c1d2a8c599ca0fda4f087552bb8aa9c47c00f486284fa8080951746e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeMcscMw.bat

Filesize
4B

MD5
bbdba7f344f723d22b5c90c500ca643f

SHA1
3fca97eecb1d6a2af66c882963c113543f85a71f

SHA256
d3201ae7cb77459882a16290c9a43403bc4cbe2f1668c048db44709e5ceb3025

SHA512
6df3ebf90e8bd0993962290c6a934fd9f9aac34bc342529b2fb32d067263936ff01670e7bfe74b2d635e095f129e1677987ea52d543c5916d311a6d9b54aed2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUoo.exe

Filesize
692KB

MD5
507b8ce05ce0a326bde72c7ec293f7da

SHA1
03610ccfef48ea9a30ff3e65203c8625954553ae

SHA256
bc7cb8306e01258b25f52fd33cf4ca055c9217c5dc3a359d43e053f15f07b8f0

SHA512
b5230c440aa2c2c88756a08d10ca4e385978cb4179592ba49680dd5dfb2932ce74eb154feb0965af331430af8def36a64dfae84f3d77f37adee8fed1f58ac2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYIcssYg.bat

Filesize
4B

MD5
9efb18e802a2ad0e2175840a7f8c0d43

SHA1
d7c1d1a5b98221d902dd0f2605043551533bd53f

SHA256
2d26c87d278906694b4387eb9d07bdae5112f5a2c665096ea9cf1808f3e0940e

SHA512
dc76fc055b8bf0d1affd5d36887fd22ce00337cc25cb241dcda446e4912558ad1c6e1300f161b7e1d7efcd9e34c1a769cae3195135c5c7b6c25c2a15d1ffd910

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkYk.exe

Filesize
764KB

MD5
ad0747dde37ec4cda67839a393fdadb7

SHA1
b7c45a8706ca4e4686032a0a5d2fe79f0a28149c

SHA256
6be4f4aff6c5fcca65ca437dcfa67ce5bf516b9ea788cbb2ea81b3634dd58df5

SHA512
c218a6103b66059a8c40e4e90fb5b6584b887c545684929e5a7d548d872db50de1a3ab2b2ea5ba1bda73dce7d394995c45a41391a52fd61ddfac4c310693d4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmoooMkk.bat

Filesize
4B

MD5
ccd3e2580ef8ff1335d1ddd58da515e9

SHA1
aa78ad3034a2767b2fa54045b5452654df8556fc

SHA256
a87ba7f5821003d5b9cad5517ee1ef5b99bda5e95b49b17a9d5ecddb10092f13

SHA512
c45f6349673358c35944bc3622bdde177aa680cb782c09ae9f195d86547e18f8fc720b2201f860d07964e682c6f6e70b158b7d4eb07cb3e12806635f0c77a9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsMAYYMs.bat

Filesize
4B

MD5
90b45782ce7a6e3823bab49b18228768

SHA1
9bfeaa8f6dd8046b798434dbc75b2bf6373540ef

SHA256
35124d86b5bc3882787b79e57ba2712327440e3a7a1c91b994eb788fa5519e3b

SHA512
cfd20397668b68fc3b6aaf96f0f3aa2967d2ad41e2b4d8ab22bb03c02d3df1a904798074eb7003566225f653f8fc7b328375cc9b437ea36054f875471405ed65

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOAEIUYU.bat

Filesize
4B

MD5
7efc9963ddebc9af9c5b77ba86984df6

SHA1
7949376be9c5df9ea5c48e47d788b53850d47145

SHA256
3ba6a10b1551ae99717cdadac0d178aad24e7a12f767b3d3a9929872d2cfb681

SHA512
5384782c16a42f4a6c6af86e8358d9b6370fe2d128e19841d52c5d0e7599d86fc0f69727bdd5355394b55390355c2b80748fdf7207aa4eccdbd1411642928dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LesswoYQ.bat

Filesize
4B

MD5
1cfdf0e8d0c87a228c1f40d9bee7888b

SHA1
526cb7425ab8d8d55c981974917cba26fab9834e

SHA256
ae5239ec63f28cd401ccd63e9f56e4ede8254a738a135ebcd33e844c18dd247f

SHA512
98562001733fc78ac1c3632e1f3b722c2e079000088dd153f3f0f2def59a8597ff8a948cfaba9bad8fa7f847fcd9c2bf8497c8d8a0556183fc7604f696c13c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoQcQAQw.bat

Filesize
4B

MD5
89b9b0fd00df407f87c01878f2fb526b

SHA1
d87b24e548280de64d6b9f411f6ee29c938d1b2c

SHA256
642e4f31874d6bbdf0a0505c020071e9e24f65765ede6f036bcf51ffe8cfa522

SHA512
a7181fb951f7292ca55c5a750fa7e972ef900bc65489b870da7ae740b90adf6069210d2ecdc3c31f50566aa5402793efbefde884628dbc63b2571e164fb6ca07

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUYA.exe

Filesize
249KB

MD5
0efabe1f04600ae6712b83a7f9779fa4

SHA1
40d1282916c491ecf0a2a325fc35e8418c2a63fe

SHA256
30d1c8d38880fb05320435f814b47a026d304a5923fe536bba5ea318a5fc4a6f

SHA512
a28f1fca0ed353482a773ffa93f0d3215384af9d63d221dc4b44cc7339e2d199057a17188d5ef02d33a6b0d44da38d55712dac691ecf50878a527e28becab4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgMQ.exe

Filesize
227KB

MD5
ffca7e70f16a8e95c90f5fa14e8a4f26

SHA1
a5a40619d14a222193c9e382ba644f88d406105c

SHA256
524280255bff4f256e50540b46bf3669859f813b24fe5f713cade31f4e13e247

SHA512
94f755c83cfdc593503bf393c80d5293357281875af8b3e6e6f3516205502efb2c9556b8b48705d44b2763abc99eb24f4b380942f18559fefdd815e2dff002e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiYEMcgM.bat

Filesize
4B

MD5
5ec7270890d27b334c45eca986d88b7e

SHA1
85c95143179cc6faabf42bed8129fc3c2c185b82

SHA256
e50b16f9ec90aaeccf4a2673bc5fb4a85146262e9ba3092eecaf4f292a8e0442

SHA512
86912a39c23440065e3c3fb9aef0a7019750d74e99ec4d498d48ad587d23993f3b091e3836ec457ea5e8dbc62cbd1c69bcb0f3ba13f7884d8255783069618f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwoEIQoo.bat

Filesize
4B

MD5
3656573464c31d285f5de4304c4d91d9

SHA1
dd444cf4f7914c34db66572b25416f6349fc2159

SHA256
a152bb833fd4c07aaff46f72c26a8e78b958a1503b16f806f16aec4ade1b4835

SHA512
7a7ae5564b9223aafda8aeef0f504d2a924aeb4ee2a5f93d4a68115bbf7099e6887e471340a62816863ac44f8e074b236c31550c6a8810db4ea6cada2ab8a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEwM.exe

Filesize
229KB

MD5
89a3f123494fa4a7a1c59d7e8c96a239

SHA1
23e44b8f8fb6bfb1b90396c61b69beaafa3ef9c3

SHA256
f0c514c6377c34529594cb7557143d03a873b42826e8c95ee5bcf7377b75236b

SHA512
73e71e0614b483b725916e6c9f4d9b7feea72fe256742d6b813b28d9b06826860b615e739598e4ffc84be9c9e5dd59014ad530dab488e442e72edc14e1feb82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIMy.exe

Filesize
244KB

MD5
ec079863dd42d7b1e4af8c5b27802c51

SHA1
e6d503659aab5a73456eca2c6c57d90130a1b013

SHA256
79f664bf4ab4cce9377fa4aec3965a4b94bbc1f4f3d2b6904dad6d53611b846a

SHA512
4f27de412d1d23d9ccbd90bfd4dedf83fb60cce36ae0724fc50ca7fa6b2bdeb04bae88197f68f9d3fb2fe01b09e684dbcafdf4d706a03df4f83f414159f6c31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQsg.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYgMEwsk.bat

Filesize
4B

MD5
3a3e267fd1bde55bd253078573a72235

SHA1
6d9aa3a2d2b222133f6dc1d08439a3b93efc0b4c

SHA256
e1db7dc9ef4040ab09eb14ce53e3db0cb85fda3c68a7542a8981ec589047660c

SHA512
22d13a29af816a7b5e5e010bf75b8b6caa2153ead7f06e142348da0af90ea97f86a355770d27a88716eb18e48c2dc76c41d1c642029a7f91e6872a79f900a02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkYw.exe

Filesize
245KB

MD5
006867b3c6fec22be671a74c8dcb9f43

SHA1
e9d8e1c9d386f832f500f1ac50f6849f342e1f58

SHA256
bed72abaf4966cd13feae3fe0df1778f41d267bea78fb6643e8a9509fc3ce0c3

SHA512
11f9a0d9e2cae3276e42974b4a01c1e244200e434c34c82af3a70b1996970cf9c92ef4006edd3c8ae392909d6b2b2bb01a65fbcffe920edaed4b8e665d716007

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMW.exe

Filesize
234KB

MD5
6ff44c9f651d287dc69af25d1ee57284

SHA1
ed8c57ff50ac0ac5449d36145b991e1571305cc4

SHA256
6566cc00665fe54bcaa28e3ade48ca19c4d1af93b7ee3974e5b1359b11725d89

SHA512
ea0f184a6c49db987d858445bbae498783b041fdd34ad5c6e23f5a26ed38024b8d0b713084690ee5eed957637770027e9553978823b70415b900d82b710a4762

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyUgcIgM.bat

Filesize
4B

MD5
a2a4b4bae81fd328ff8da224a6fb1f25

SHA1
730167ec0c55edc1ea17ccfde837a9ec85b61cb7

SHA256
3af785cf491a3558dd3b912b439745e8769167f1102cb5e3de1e0b4d66607173

SHA512
794c677cf1a02406b6563e0df4a2229205e5008a9d616f59eec07675d9e23f08b68d48fdc594ad86f7ca63970fbaf0c236cf2b27b453baebf11d0284e07d93ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMIE.exe

Filesize
235KB

MD5
a81520edab8de58ca67fd5d5ae3b99b4

SHA1
52441b49c5321fce7a0c1bd478b2d2f271e55653

SHA256
988487c56b1f02660bc5398f17fad69efd2f92cee8ab12cf024eb618cda6d4e5

SHA512
1ca735a79238dca770447b79bab02dc1dab2da63956bc9c7b1f6b7769fbf6656bc14ebf9a342d95920866865b7620da0724c0a2ae88633809c2b75d2f26d1e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQAgIAEQ.bat

Filesize
4B

MD5
4e78d03248fab16a3e6bd0c19355ea4e

SHA1
44400d5bed3a65d1258903f9d367945f784110a0

SHA256
2749c8c9799015af1f3ae7f2dcb18070a181ffa14a5ee0e294891c2af874fb79

SHA512
7edabab8277fb6be8b846293a0de82c785c5197d3aed3be6674a07fc05b624cf030667d28b2131a523fe41c3329ab749a2bb8e909010a85929ed33e6e08f805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSMwYcgs.bat

Filesize
4B

MD5
c0ef20ca25288c581ea190392b43ae1e

SHA1
8f409f54fa10fe1a93d1cd4115fc45b9ffccaab8

SHA256
97cae2a73e5db8e5c085a468c9f8654af0c9a9200afe674da548894eac6fcd44

SHA512
f27f55a62b619142500e8608fed23a21e55abebfc1a169ca498899bc4114594477c9de297181cb726433c96aaf876d8b060b5bb25a7438536facdec323c22bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSkAUwUc.bat

Filesize
4B

MD5
9b50e9d49fd7d945d5086e34b7862106

SHA1
c01f9cbc1fd7c6538b4a53d00f51dce7dfc2f046

SHA256
44148c592b8bfb0d488a659878d503b864ce4249492dad04969915fe98a7b98b

SHA512
1fc4580abe7ee9c538176b018fc2a50931d7b1f44c06347ef34668f275fd8b4b052b2ec737c091b88c16b950b911ccfb49c2440a6cd3b97856a88d678b8dfce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PWMQkEwM.bat

Filesize
4B

MD5
fdea724229ea5b63c969fde8c46d8f01

SHA1
6f477e2432aded6cba759e9600c48ea63d9c1752

SHA256
42f5b7f286d0467fac757a70b9ff17f559aa87e6d464f82c0e98db79bedc7b37

SHA512
041674fc3959cd96f1f081edbf38fbb6639f92d4bfff04cb1d1e004a8f3504e887b80a28127abc746e175bda0ba80ff25d0f4f526ffb32a63a8add162a068a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcQq.exe

Filesize
237KB

MD5
4a1bad120c5f05859f08f922c8a2bc21

SHA1
ba0b31b9dc4cb740aa09a4e5821907ac9ea9bdf2

SHA256
e751ddb86fa08f241a87309c4cce05b4ba6d2b7de089043b4fe435cdc35df4dc

SHA512
3b27fed75b04463e78e2981c3ef942cc5a493aa4e06d9fcfa955a2a3f45789652b4bd6c1a7441779b8620e5e6d30d325d88d56b39919621d086d50809f14304e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsgO.exe

Filesize
228KB

MD5
474a58b8775d7c90a373a0411810b171

SHA1
0b1b5361f431b26b64fb7424757129dac8d750c4

SHA256
3f64c265f41fdb6a0c78bb3d3afa521c543e315cae8c98577c8852c40031994a

SHA512
2b3f0eaea13eec98b5306a39b49e8192162b1c82e77395fd31ba17bcaab88da6480aee19c334d1b78af3d72b2c8fe2d3b1ba80048c456aa3be6e1b3a3d1e197d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PyEEgwok.bat

Filesize
4B

MD5
0052cdbb22a1766090d39570cda69dc7

SHA1
963b03fa31771625311372189896e6353d9378f1

SHA256
e5cdb9756a6cc25fa46203b3217f4f3ac36b0b56a5427fbee024c3457d2175d1

SHA512
62cff580aba29745d214e7f7238e6c0bb4644600461edb5546a0b9f4f1f5251df4a0e98cc2684fca688180055880b9066c0baf57f1f1f0b68d4a21fede5c2d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAca.exe

Filesize
227KB

MD5
cc2de512c20c3466b787896bf47b8131

SHA1
1817a826c5950d8699e332df676972ef6582823d

SHA256
8a4c0a3f939a861c4a3f0da8d6217fe77693ddac38105f5bce6ca15504a970fb

SHA512
aecad487ee7ebb13d7756871990ab401d880c47ed69dac4705c0ffcc39d4deab123b4c9df233901f6e0fe121d21b3a8d2a1696399f191f312bffc1cdf591af5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQEMkwMo.bat

Filesize
4B

MD5
07bdec8ec410fd9ea2740430fd7d8f01

SHA1
8f01af8cde3cc9ab9417a240bc6203fd425e8e9d

SHA256
b1b95543c9f6445a9e93858ca72301d6b541d97d6ab30278e568bf7e9aac430f

SHA512
24ba45483a988b59c5241828f3f2c769382cc6b12be0aa485a420faa092b22ae45008f4e7da016e0be45d0cef5c4142c4e1422fc5afdc8e5fd69c44c513973b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYQAgUMw.bat

Filesize
4B

MD5
7d85942318257a2f25b20ba3746ab105

SHA1
9c9efa52c7ab4fee9a1fcb644d3dc832ca2740a9

SHA256
e2cddb5d3295c60cb5712d98d84c9d3b877bc1baa6f39a3656111b3d9be8d749

SHA512
67325b7ec08e096da08fc5d9c39f4e4cf4d7615a289688f80c65d82ab99c69315d6fabdb556361993d0f1ffe13413d874e83334795f3bdf221290d161a7a3483

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROMAscEA.bat

Filesize
4B

MD5
359b4fff97d2385035e8829084a1675e

SHA1
05cf1687ee49722826ffc2f60237ec25c3b57bd4

SHA256
3d35f0f05413d96138022230022223276a909edc4a45b4d45e83705b8d958cc4

SHA512
9dec520874382f1aa04dd1f31f32eeaa64ae011a78dde76e5c7a0fdface2e0c815c6caa6e2151b7dad22482ca9b557934b69232c905a4fd336d7b3cb656da8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYE.exe

Filesize
950KB

MD5
2c35a2928f8169dd1a607e5f393d353d

SHA1
83fe8827b268f8944e3e6ea9783773742ea392e1

SHA256
c187d67b50f35ade4f98d6d84824ab0b9d4152f1aa36aa047528f091306b0652

SHA512
9ac635a8d18e7f1a3d160305cd4e44197fff87f7e9852ae5ec1ac8a21fcaa3378f4852b379903eb316bf2faec2c5d81ff4fa291be1e6129b6a3a3e0cb186bdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYkUcgkE.bat

Filesize
4B

MD5
19b003b2894cf1d270fa8f4a039606b8

SHA1
14d4a14c4cc2b9592e0de8be07d5dc63cc91f077

SHA256
997488922c3b41417b53f96efb00d58f7d9e5fd3f06b50deeabc21e399161653

SHA512
6b1d1f832f285e40b08358a7230dc429b07db6020ec9fdd317a8a8810233261f275fe7b45513fa877ab98ac7ecfe98bb935a03ac60f1b05c9a5b1bf891d02963

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYQ.exe

Filesize
246KB

MD5
3a147f12624f3b3f0aae30fdc4b7d7c4

SHA1
1a0084187380c09e12abb556db933f194906b9ce

SHA256
6ad4bbb5688d1dd94f37f7f3b2b69a804f4cddef02e47fe7130633479bc38f31

SHA512
437dbf6e3477350ebb3e281b602d1481fdb31164596500e24b73dd28a37ffe4db9b8cdf9594edd515069997d1885215e3476ec0448c920d2291fe37ca31bd0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUos.exe

Filesize
649KB

MD5
4c85000e4dbfa2cc788f4f489c905884

SHA1
c87cf3e34d85ad35e7894cff461d451b453c62c7

SHA256
6276b78ad1e9f2941440086f5c4ecba5c2f7c1bef6f44b066efc32164714a3f6

SHA512
410a337ec98717d149983e32f27098a9cd33bb9d93beb4e1c15cf35b5efebbf8dbcbe1d54a665df759e74b97ee91254c2b1df096ea720d2d89e5b9e6e8facdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwQU.exe

Filesize
224KB

MD5
722e55c95f0dfe6c648ad35e286f8167

SHA1
48df31918df835c65b3998e318875adca30f1bb9

SHA256
7637c6ca8aae16802344f207ac396302b8376535ae062702fda4b5bcf8938565

SHA512
63124897558542663c86a2f88b8465b9090a6014b3743edc56f57c790f3957dc1bff09e527a53f53eddbade04b21948f7f4a6c83b68476fcf80c0753865349c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAAg.exe

Filesize
242KB

MD5
39e1967ccfe91db635bc84275e24aec5

SHA1
83141e509d5755cdc78b4cb9aeb6b225d27e9f46

SHA256
ff517333ec6693242a479695c8017cdfcc6478930d315183f27c4183bfae3c1d

SHA512
b572a1822f9e86ec615a8cdd135a04d92c1ed4e01f5a6f776436d6d66d749875ce8dba09fad1d072fe565eea3e8561e14472d945d5f42593b22b9a8a19c2ca78

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIIG.exe

Filesize
219KB

MD5
1ac4c8994930636de3e6c832d2ba9ec7

SHA1
a51523349ffb489bf86899747b733357b4e537d7

SHA256
6b6e789e3981ac702d094491ed85f9bec530eb355ed45ce4182b4b5bad535162

SHA512
e4dd3fe412f21028007c61e1be29a1aa47b569ddc7ba87cb4b55def3bc2131b1367694b864210e109f374e193014ab92843642ca546765a094727569a8333142

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUUO.exe

Filesize
748KB

MD5
0c8380c210bf239c22c841134b1863b4

SHA1
50ca3cc1c1ba7ad7e50bbeaf63c3b2d2f7bbe94e

SHA256
e39309a6d071b61a2dbdddf8345bba7ac68e8b575cf3482899a7cdfbaf679a25

SHA512
fd5c9aeabf6c10ec74c051172ef72e59f056ae54743f198f339e7f11b5c9d67eea919b723b6b7dcd353fd3765e388836196ac9e0d8cb48085963890bfa75b6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYME.exe

Filesize
469KB

MD5
405100679244cf10f9770e2a260088a0

SHA1
778e49281d0b99f6566aa19e82a6e2971f8f384b

SHA256
2cef7e6e492febe4e6d5ad9c52dd04ee2f2239c6046cf475728157e94d356ad9

SHA512
7610dcc0135fe2974ccb73c64d8d5912c0d0b3daf5b86dde9be05ab97aed2f39da02ad3d3d36785dec2173f82a14092cd58cccab44cc5e195c300a102a839d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwUM.exe

Filesize
235KB

MD5
54d727ae58a692d8d09144066d902837

SHA1
881ee24b6679fc2a331cec0f0c5e991c17d0e58f

SHA256
3db0daaf82e37917b5a5f4dfec637dd28c9f5cd5ac9db6882d618c9cfcd3c500

SHA512
4b43c24cc2ffb852903dd82c82807822335e6880edc0a890c3fd8ee316049d3c8803fbb2ddd8440af8ce9c96e5cd2402ac82bd46e12d4285b418ab6ad3a91bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwoI.exe

Filesize
243KB

MD5
3c8af2d74ca9695d13c59bb524d36d7d

SHA1
ece525850f3fbc0da402eb45f3e6d0ccdbffb40a

SHA256
f0ea24e67b8712c895412fa1a1f887f5d1100447991bea77d604818d0acf6f0c

SHA512
d418ad745a36386430473d82a0df510401b7c03d750270013f6316ddaf7d8b9ce5005133cab67b50209e5c3e9c73983099a851e9014f5433e7d155980aac9bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCYIYkgU.bat

Filesize
4B

MD5
95b0e9eb64953508bca7fe072e9daaf0

SHA1
f12c22b6597178ea5a4beb38d815333d1a3e1b4f

SHA256
32fa94141537982663e9369bcddb74fbf1787607a88a3601ecc7501df4e993b6

SHA512
27c197de4b304dc48bd38808e5c8b6203f3776ce6770e23c1092bf999bfe50bccc207316c19003844a4127e88dbdcf387d0c17f71da5ba36c4c094cd58d32540

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIUE.exe

Filesize
961KB

MD5
4ca13230adf656b081b8415aae341985

SHA1
3b68d0efacc609f25a006db4edc0731058b66566

SHA256
be245448a8d610fa44818d0ca84d5bdad063ff4cefab14ca906f4eac1f6e66dc

SHA512
92feaa28ccc3a61540b0daad194ba25f101c1462b424793ea9bb29c24f5c628faf991b314b714e346988cf232f4736acecc9c153ca0e6f6196cadea160feb6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMUw.exe

Filesize
4.4MB

MD5
58c6c94dce3f38771e9feeb231ca1ac8

SHA1
a75b1bb99b87a3736aaf8b8ab0e21da91667df12

SHA256
387f0d3fe094081db669a43eca030363fc5c32a6cebe9386d90712dc666b769b

SHA512
49493f1cc0de8f75048bb009fa705ecc9dc394592c67e7c431d0b7aa1ca795e364c6a910646daa8ec8601e12bf7eda0081c5b40dd0713177f717b0606ae96046

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMoi.exe

Filesize
240KB

MD5
910e007e7f73bff2496b5582ee7da4bb

SHA1
1309f1ccafbb536f9604b123673e900578284a89

SHA256
75fee20589694265281871dc10c3f4e1c01952c9ebebe0f234ee777d79902e0a

SHA512
1a743a6fa9e73a04e64f858960f4b64e5a193e028d33fc9f2b2ad4005e11521d0bd18964e315554caccf8ac4d053be4c40637db89c1536d64dfbb6ed46ca4ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsgE.exe

Filesize
805KB

MD5
5f129be44a897fd3cb6416f7006749d2

SHA1
24595dab45a93957c9dca41f312de8dfeb315cd1

SHA256
d037d9fa8bd3a8d9279b209dc255623dbc224e97162f39f9dfdd5636ca1d1f89

SHA512
bab53c9a17fab8fdf2b6bbd26969dcb16607b8c6e63a2286cf5386be37a8e0f472eb45d931cb8e23aee9d3976671c9082fa0cc3fa9bffb774e5c089d4fc4866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VucIQoYU.bat

Filesize
4B

MD5
d48de8ee351941bf7ceb5eac270681ba

SHA1
7e2152940b9908b380f8ca08451b307ce2fb19ba

SHA256
39da7b1b850daa32bc605f0b68b1cc46c248ae0f3bc92461ba618c541c375500

SHA512
381da0eb39da3cd0148b39cfaa18e0aba72893a9f46d6faa42210f646811fabd951ba2423595b14ea67e71978fcd351bf10890da3f8c28825e712cb88941ae7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgE.exe

Filesize
247KB

MD5
031d4b0f468c415dfba85058c2a01c53

SHA1
705d8ad552a24ceb25dd54d149b928d134d95318

SHA256
a62a80c84d4dd540f98a657a216999e58e50acb8b58cd01ed1a74451040b098e

SHA512
1ef746773c5d8337d3be571ff9a792d0f81bc04aa1451e341d245daae7a2364324161e4978a497b1fa3b956af0dace2f352d6b57ec369a0c63ba2f99d389a4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMg.exe

Filesize
920KB

MD5
e8ef7ec0515d033a4454618ec7cd6150

SHA1
8e821774fdf83b8bd9a3a91e48f70bed313c7ec9

SHA256
be5da3ce5972346075bc49af5ab2ef463f9dd813278a34e86e3d9888bc51fdbd

SHA512
6bc45d1759d938a01f208783f79f64a6a97763b0007f057588d219f0520c86ac5961af5f96e1245e7a4ca67c9abdf2b5d29131f4d4dcc33364d99381fb616f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYEG.exe

Filesize
229KB

MD5
4e78d1bdb17ef57311047dfba4d96632

SHA1
cba269e8e287970659f57c5991465353fdfba9b3

SHA256
81567ce87388e1ba5a110e50ce4546ddade094d9b828e43180e124124857e519

SHA512
4df8cbce300adf3146e222a0c7952088d560a944482889884ff3dc8159e1873ecd77e3aa317b20fa513cb7b319c43e2f2f954835442638ca8c42d53c6d9a80ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xcoy.exe

Filesize
238KB

MD5
45db192f4b3f28c98eb17f7cc7b24763

SHA1
ae2c50a0bdc1a306863ecf5519d6606849742a18

SHA256
58e909778682bee617ba6df6901501fa8ce5cbf441bb58456e18d2cdb0746432

SHA512
875c0a9565192977776c6cb0a1c657aa60759550dd9f7cdc4fff29ef5a768c21d425fd3435e83f13ec74c056b207d90d36d751253ef003b3a3a818dcddf036b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgUAQsYE.bat

Filesize
4B

MD5
914948e9a1b6153f9240256aa8b8e360

SHA1
a842b92b2a43819dec6a422749b090294f1699e4

SHA256
ad7b6ba3b7cce9a607dd8af36a9044547b911655f62e3618cac733c12098af01

SHA512
04eb7241f6f119687a354d790cfe459030b3396fce2208b77b0ad183cb155061d5ba95e700d1c640bbe000d95b9af0b4a1ad9ed65ef0b8cecad7a220e16c7e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XoQIkogE.bat

Filesize
4B

MD5
ccd7b39ed10a0c8d5d3bf7eec1d37085

SHA1
c1514956f0106ded43905b5fd1ec42bd05a23915

SHA256
1114a20fd64b9e5ddb74bfe3acee4065fdca80dcefeafa3faa81cc0d5a2cb643

SHA512
932a0859c4acbab1b500da02432dbedb00aafb9cfe852f20546bf4aabdc01f56dc8446f52956b58afc73c4f3fe9041cadb94e4a3b8d7f45944bb770e1629931a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwwMwkwc.bat

Filesize
4B

MD5
2112c130baad4fe6a5b101313fe1935d

SHA1
b89c0f37f67d1dfc8bd9d337449ba19bcd4cf1eb

SHA256
58c8f464cfef8fd40ebc0b9ee8f77d28355210fbeaf86b73312e62d25cbfdbf3

SHA512
2d78d411903e67d2925fc778f23307c4695b43ae85ebbd7ad114716a091d71f2a52a8229afe262853282697f34998c83328b02e42de9186ab31fb5bc81d7d372

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEMa.exe

Filesize
251KB

MD5
bb78913cf47efac060389e8dda6c3533

SHA1
47ce7a4f65080b12dff3030a784b52823fb3db59

SHA256
8bd97a5c25aeec362e8800a1039fc555c36ba2fa2f4af3099082b7b1eeba4d33

SHA512
927511767c0da23bd5d41077b8777e1e187bca3874649be025316a7c8af83dff2e5ec6c52480ffa9d29a34eeecd69486a22b72e180dbd4cff26ebb5c4c720523

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGEYsswU.bat

Filesize
4B

MD5
a0c514044147d4ad5aa27e895a2f434a

SHA1
c1393f6746fb158a2a62db9274220b10a7197a1d

SHA256
a14f7d1acbd231028c291598f20af14cdbe7ba2e80f3c8b6393174bd1d4de66b

SHA512
11bf00956a79cfdb5b6e4e60eba8a3d1560421abe43729a92ca3ffe6c23db178de85d7832c4629c23608fb60df7b63414cc978067f01362323f71982d9f28877

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUEskYg.bat

Filesize
4B

MD5
93c404820210b74fc141a219cac3347c

SHA1
8c555642185924469092f0aee4ea1ccaf543e9ac

SHA256
a6072b80c68a339e42de08bd97aa25c56be8a7d47b36134a9330de7de4d2afd4

SHA512
77814f1245c79ead58f75b02743408bbccefb7abd3bc57c9cde3a8a0f9fdccfa47bdc3723998e9fd720fba297945384f025768cc4dcb1439b407674ee6d78ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAgw.exe

Filesize
252KB

MD5
bf999902befd7f7c00f89e4616131878

SHA1
45250dd70091265d244364bd34bd5cb8eccc13c7

SHA256
e40e8ba3fc296fe071ba138d3c41c06db8d5d06a6f17449679ac93dfcceb7a73

SHA512
27158cd72112e8f2384a321801418a2695eb490b3a26929769374a52c8c85f16930ff356697787b851d013774b8a8576adba75367d8cb4f10b7317d1e6af3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIEQEckg.bat

Filesize
4B

MD5
8bebf35bacc6f852c2db4b50bcfbe7fa

SHA1
8496d564ee0d5012197996b8fba631a67834787e

SHA256
e1a1f53fc607765f3c798e816ddc6299bca1697407a833e48f82bf7fe8ff3237

SHA512
d8fe77eaab1bb24a083fe611c978bc1e643b9c3deaca810788dad7904124c62ae873d881c8835214b508bca87da7022a9312fe676798570760cd4aeb9f11e858

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOEcQwQw.bat

Filesize
4B

MD5
6e07a85562a7dd94447125049ed29f62

SHA1
74195f105bc9d3fc173d294fca6f9827f7ec9b20

SHA256
8779b2f9d686aa684787ddf7cf338216cc9c420ec01778992c803fce61e01890

SHA512
4fe6fc5a0b02ca01902d5a8a209ae891f4fb123971dbc53f53eca99029c69adfd82f501adf8ea38c06b3749536ebe26bd1ea60f34f81b16c4cf79245c3302c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkIy.exe

Filesize
244KB

MD5
a0f3b48aabb050d250ac54e4e530cc1b

SHA1
e5247291175cf6342ccf8604968709905677caad

SHA256
8578693f1114be5a216164e7df18ad287ceeb18259888f0f13314c6d39540289

SHA512
0f0cb4d7b79aefe55689a89d3fd33afe709a3ebdbb73b6d759023b8697ba2a6f8ed6e96a09a59816bd9f78eadffe5bfe9e08a16bb690ccbbad9609bb8d6bd99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMM.exe

Filesize
235KB

MD5
ee0e2b6510bd1a0f941cffd25bbd3585

SHA1
39b84f33b9a428584267524fb7f3f635c400b0c3

SHA256
34e3454a21b1331250c7dd4bd3493d3d090dfdf08442bfb7a6b689421d1a95dc

SHA512
b80e226f5218596200abe9e75bfca56bb839a8b538538c44c84e11580096e900e767ecad881141e72229dac476093b80817359ff425c8ffac1e067501df11fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwYosss.bat

Filesize
4B

MD5
f32920369d113843e7d99c5479c92828

SHA1
99f56d27a3ad46863119d7a548f0f590a148f2df

SHA256
f8abb5598b3c961a5c961568c26daa8b61c4c0a045bb5df7e9e5dcab1add9c9c

SHA512
1600bcac1496332808b237ddfe7848d73d25d54479cf025e843d1c6f66298d898b86e24e1c5b93e66abcbb9f8b2f327e1ba9cf7806caf08875a5a7baa7558692

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAgUkgI.bat

Filesize
4B

MD5
8c340b4e4f7a80b8be61e82319440e2c

SHA1
de59ab2b930adc4ddb6f9e83814fcdf9e47ccf44

SHA256
62ba24f8ee56fa7f0493b94bb0869a209baca95a1074076ab17441bd261fbb7c

SHA512
12cd466e56ce7dfc68915626fe87342426b63ce95c9d5719773280e5dfabc481817b5ce038d5f064101c538326b3b2f6b510e822d197a5236d18da200f419f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\asIEcUMo.bat

Filesize
4B

MD5
476994e86fdbcadd56c94afc3d3b2312

SHA1
74a0a317525d77e997a714ca9a378e7a86582cb4

SHA256
1962ad7493afc075f2c20e060891ef29f07d0278bfc00c165957eb04381594ce

SHA512
13735289428481482b839c4cd8572df4f74b8a55ae25505a73e4f9f89bbf286c1fef547c16d22613373a8ac204fb8321b79f83f61b60794654dcfe467acdcbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMEO.exe

Filesize
244KB

MD5
37bf83984c7c9936b9ec690e6824508f

SHA1
a5dfd512b9bc4bade510b8c6cc4b40b62d8a3fbc

SHA256
62dcf7021d849924124436c3851306d82de8f8d72daa7c39783c3a3a42556b69

SHA512
020088f14b1753c73f277eb3a6fd555d26c0c3226bc17879a1a4765ac31ec48277fa05736a4104ee6f4b492cd05c01d3afe540e50eb20d056271835b7afe994a

Download Submit
C:\Users\Admin\AppData\Local\Temp\baIsgkck.bat

Filesize
4B

MD5
0d8847eb441c2d3da22a856e35324f43

SHA1
c14b08e9adb932ec2734a2eafc67c48573bdbe33

SHA256
b3bb3a3ee019e1e6e4dc1463fa004512fc15977b12a00eabb94009646c8916d7

SHA512
06ed1a48e00cbc3ea6456e12c0649c1915fd5914ef634a8f95c6ec7f3fb6e1338812ceff8542706de7c69e1206fa5d4fcfbeecb23944eab6386a702bd8c92c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcAowUYM.bat

Filesize
4B

MD5
1afd334a8ec33a5539459667393d02ef

SHA1
f086c2b689c845bfe3794756bf44776f8990f67f

SHA256
dd6bfa164c107e104b29ef334ca3f786763b39cb7e2e0d8aabc364c35539995a

SHA512
2e110de48de79136738ca3459c8ace2bfea207b5963fa9874aca98abf01e4c5c25d3764af6d35e9f8c76dcc6bd1de548ba1eac8217e8facd6cbf975d4d0cb605

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwMC.exe

Filesize
236KB

MD5
17f4173fa21569feede05998f7c7a502

SHA1
f836c1edcfd0ab74515d6f81a665f2b390597975

SHA256
a0b1cbb6391d6868dbbcc3fec986304a7e186c4be67a32c4fb27ebd01adbdd52

SHA512
57c7afe0a4ede5f9f7e56982c28676255dcf5354db7be766b63cafc1acf635d7cf2dac91effa72212c08a6524b8532ffdb1bd22831fc194e7458342d608d8134

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUoc.exe

Filesize
226KB

MD5
b04493f0503ceecb3f175d0796bd7425

SHA1
7435b4caf6d75ee203f81fe74d69d8774cf5e79e

SHA256
0bef24391d59031ca427df41f7f77df357ca20740da4349c58e811621a26ac09

SHA512
198200efbd71e12de7174323d5fefff03fd30f6ea8c148b7e42b7d1a20a657d982196900125204a63fe42ec58fa4c2cb3b1e5381501db7176e5f98a7e5923744

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUu.exe

Filesize
833KB

MD5
009c9a5121e2f4253772995b043e117a

SHA1
58d3ea4177832ebdc34a0aec8f995a195fe5d346

SHA256
22fdaff246dcbb5fe242a396dd188bfe42d9bef80a2e5f9047a91dcec0236b55

SHA512
519b984d8641899745760b622b4204f0032b6da2455d70a034ca9ee1f0fbe7d2d77d887776a8fb2503ebf42401750e8d0f06f31c53bf11822ee73a12aef0db74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcM.exe

Filesize
638KB

MD5
77371a2c949936215f5dd85d626bfd4c

SHA1
43006a5d027df81190c45f39b625a9276bddda04

SHA256
dc0a30fe9da7abeabcf82cada7cc9f0b6b8bb0f412a67f507fd8a7ee5f2815a8

SHA512
4176f45376031391f3564382ec22a5b21f4bd7fc01411f1dadf79577e923beedb922986d3aafbec99b690b14958408a299c15aa8d6bfaef81c3009aba1b56594

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQoS.exe

Filesize
316KB

MD5
c6bea4a45849b32edc87b03460113d8b

SHA1
bf2d7d340b2d3cccc5e51c201f330883a81d37d9

SHA256
a3f66099be940b83c78a0a1636f212d2a77a61b07806f59b179a4b61b88f4062

SHA512
dd957fd14d3b7e2348045e8da5b0d3755f18e2b4f5a8b235a0eb1b2de9d1e15ebb2c85fd42c917810dd7a79ab04b472753da96a8261fa3436761e2e903e5a65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWkgwoIE.bat

Filesize
4B

MD5
63155c0cdcc65ed6af15dd2a8b48064b

SHA1
cced75032a6d312049f9f092e9df6da440d383e4

SHA256
750aa8f2650597a3364b3f2dc596d721ee41506cd3d90bc2dbf426e5c2ef5235

SHA512
3079c451dff4057429bb155aef008f002adced1998f3c95929149b4238c6199eee513eeb1ebdee80aaccee6717064df48dc7a8213503fcb05c44c50a7ec2b195

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foss.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYko.exe

Filesize
229KB

MD5
1c8fbbc89f9e6ceee762d4b99c948c9c

SHA1
236bb0bde58f3f842bb8171fa1d625fced24e2ba

SHA256
7c2e67f42e422048e9c3852515567e72c57e4a8a1cf130623b986aed9c6d2dbe

SHA512
854f468452efc1bc2d10d06c2150aa65448ab30a9e9a8cf8be3551db0e0799af24a21fe1c4e57091ad5cbd6d7d664800ce0418572482ff40c2d125ace04b4807

Download Submit
C:\Users\Admin\AppData\Local\Temp\gagMUsgU.bat

Filesize
4B

MD5
0d1f99edb54e5de06f73e293dfb3c6c9

SHA1
be022756f97c92c4436fe589b603d7edb4b4cf84

SHA256
cf39cd31f1e49c8f54f15f77883c1ae59c6c752443b9ef5dc52df6b385f6158a

SHA512
2610496bf1589bc56e47b5c60b69d99b3ffcc26ebb3dad90c6be4c72c7e1609e0941887d148fd53f0b69b4d4188a231ae395c014c224a66fc41193509bf35315

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAu.exe

Filesize
252KB

MD5
2508d47cd8d70ac6875560da784c9593

SHA1
9adf96cb400869ca97dd0e6833dc0953f9604376

SHA256
d23a2cd88a9d1a2d3bbcc641a277df53c5ace047ddde36711402f31e3236691d

SHA512
8fc63b0e2c71f95133b1fa9c252b46bdc212f1ad74564b6a2a1b94acaba8e3dff2b5bbca1320228454ec8cc7422688cccd93586db22d11158dcd41e8e4dab47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOIMMwAU.bat

Filesize
4B

MD5
3d6e03d6410ee37992ca741228cefa4b

SHA1
7a40fed92523650943be1a83c8aad66677dffe5a

SHA256
2feb76b9c63735c152b9b2d71fdabbe0bf1732020d3a84ca2278ada133d640cb

SHA512
60369c26844b20ee988dffdd79728f04b18ed581466d4a3e9edaa23d36d494dd01566e263e867d0f24c118add5d8b9cad38e2b4d6b46d79cad61d584589eaf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOMMsUgY.bat

Filesize
4B

MD5
dabb9206d69fce00a0327f92fd21b31c

SHA1
a511a99f3ae05c13e39f4bb1b38c084fed81cba9

SHA256
b9df765908a91464561832c051a85bd75b62a9d468ce48d912bd156c76c63efd

SHA512
71a50137236c5761222c99ea43fef8d801ce62386cada0274b7535f0de4cd051e816dd832f830613131a56fe05c90bbbe2b8347fde31f818f8492cea06478bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQgsksUM.bat

Filesize
4B

MD5
8ad66dc550123b78d7496db30b171022

SHA1
84df444d24d1469728cfb398ded82f0238fd96ae

SHA256
597b929fc8aa6c0edcaa350c9a41bbb0b17fb0ec1553e3f576501e7395b94df1

SHA512
4e5c250715651fdfca2d0fd4dc204ffebbe850030114143106748710e6ac51c0c6d07f0046a0c2592dac107113fc9573ca59d81f2dfd5223eb8139cffcd0cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUsW.exe

Filesize
241KB

MD5
58b8aafaac51ef7d35d9bac74b529a4d

SHA1
befa62853e4416601d82a0a65e94782addc975e1

SHA256
749df7cf653fb51634cd7b34e001a777765fdce813f2783fec7d2a7abde81698

SHA512
3636b7404590f7d98097f21d3d2c31498a2d5bc91245cd8ab03e266141ad16079b1b11dbd76b9b1548a7d7579f07b426e97f4c35bc7295939c2e53ab3511c458

Download Submit
C:\Users\Admin\AppData\Local\Temp\haQAAgcg.bat

Filesize
4B

MD5
e0f82a974aba209cf5375d988b13a57e

SHA1
e9cc9cf85671c16cb6d6eeb1bebd55a8861b099b

SHA256
5cb88f13ab3435891f98742297894e05beb0b4b3cc6ab7e3583f8d3409097003

SHA512
5716448ee701b2dd312aee7619b94e9316e7e049d121a21b1bbf21d77609fc3e0a728ae8d3de287599a878dea012e24026166bccd63c97ae5a0056a9f7a1cd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\hacQwEAQ.bat

Filesize
4B

MD5
ddfb339ff0df0bd82117406a13b6b96f

SHA1
df55ef3b618224bc02ee0caed36b336c3691b479

SHA256
38a4819435e43b17e1ed6dd88c72776da34527a811e25384a0321e59cce0492e

SHA512
c2cdcbd11618b1eae68b676c38e4afa77e9948033cae3d3eaa6846f617cbc8664c6a89957421a6373f9acfa0002d669941ade65ee3678a5252b9cdbefbf6cfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcUIgsEA.bat

Filesize
4B

MD5
4658c84114fa345ebbc5ec0edaaf6a58

SHA1
5ebcbd487adb94f59db273800c487b3cbb963aa8

SHA256
ac5c1e9a4678616d8dadd99ccf9a8b3fa10a1e9b40caa157abbf0f774e5cf41b

SHA512
4f0e60f783f47f77d98c802d138f024fdf8c7d6f7dc3c084c4561bf942d33df5b5c0abfda2212828730ae8448b96ebdc11f353176f57073ab62d4255094b71d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkkc.exe

Filesize
234KB

MD5
2459c1a85653b4ebdf5a662989e09a23

SHA1
f1b064678d17fa6a0e4b5521b4395eb73397bcda

SHA256
588af530195ec1d50368f5e5dd2bfca21e614a05f76b8b41933fea7e1e9672bd

SHA512
ee97d35e1a2aa00d2012a5f5b102cd706273ae47d4c3e964ce7f213c792a309d6779217f5f393c3a1e5da4b9dfef364046410b1d9eafd54cb9a78901df8e6aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQAc.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQs.exe

Filesize
238KB

MD5
5b30a6aa8092a6287d0fbf31fd5944d1

SHA1
930f243c956817fc1c1d7334b4bde3876159ecf8

SHA256
059dd439a679d2e107f2d28221cd37c07843092d7937eaa233fd6039fe2618ec

SHA512
c65adbfb84df0a682dc88c13e0880f9f0f24da7457a0cb0c8ed1945cfad2c4137aa55d8041babd4fd391f6e9b2134819c68a49d1cbfd45c64b51af650fda24fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\iscc.exe

Filesize
244KB

MD5
dc3539f6359bdf8f78a32a16364c1062

SHA1
af4d6ec192a3a8aac13ad824c26aaf030a0c3731

SHA256
88cc4eee1271cb840ca9258473d7d9799bad8f29c82c6dbeb5f09062d265ee40

SHA512
c002e8627c1b468339f7050fde9055c7251a0ef1be58b36f5470ef8b5eae598782bc95a9292c75d69b79a3dce388f7861faf1cb60651e68bebed40155abf94da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYYS.exe

Filesize
229KB

MD5
2835c2f6eff6871a77c7374741fb79a2

SHA1
6d51e93459893b8a88ce5b8a9218627f216330e0

SHA256
cbd0f4835ac92f7e966c644bcab4c93be1716825d82e5f784ec30d14ce33082e

SHA512
7c416a0bcf8e1183fa7d055ce5ba34fa8e666212ce90d8ad65f5c85d8cf7d36d603b80dec24fd67820f94354c82354a6bd4a6fbec831aac0353ffe7d003d4b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkwgMAMk.bat

Filesize
4B

MD5
97842759cfa7ba7e7d80d5adfc135912

SHA1
378e31cc89082124bf49af4e0b6564d0167a2b97

SHA256
8ca9402a6ac9a7ea43a42fca9f6ee8fa32209cf30106e6e4f2506d1434a04c0b

SHA512
a1e95df3c43433c7ecfa4da7bbf99b5a540e05510aab44a3f560761ab672c280d96b36ac0ed57b579a28c4259bc049555ab67c305746ad3ec8067253ed6c8526

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAYA.exe

Filesize
251KB

MD5
e32dd32c76e4f7af0a60894e1b0751a8

SHA1
3702f3c872661f1515666c5ee411a857f58ade11

SHA256
fd716ec31a86d5377a057df041770b20ed401edd3305ad02588d156e68e54140

SHA512
2c1a0c834fa1400088ccaf9e04a0fd3b46bc43691b37fbbd071a7995bf777713194de55ba8a3af2f67a93b91a6e7d7085aee84302becda6767625238c9dd5add

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMwMcsY.bat

Filesize
4B

MD5
e7c411c63bc77b25656331acdcf18f0a

SHA1
fe534c363acc80bc0e5409588e9d69b55f479459

SHA256
f9cfd6326b489f6624e3f06296777cb96a97ddd18e6c72dfd0f3952877240afb

SHA512
641289165481c5c81f669cafc0118183eff51e113096de16547339a825312b76fc4f8e67c29ceaab1bceef5d9059db027cb39c8f5d75d2fec6bbdadd2dddd17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaYQkIgs.bat

Filesize
4B

MD5
58879f74b342aa6fe100d178bf68f86c

SHA1
b9765c7ff85d98cfc8a53891041525cc9869e8fd

SHA256
af6f2103b17a1148e6f8b45aac2a7b7aa70fb0fbfaca362217e7d412a721851a

SHA512
742acb5ccc91bb5da197653cf91a61bce101902cdb69a475552c831fe3ffbfc8a1aee4edd2f6d2fe7a1874916e5875abc45799d537381ff937ed86ff4a48f81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\keAcUccM.bat

Filesize
4B

MD5
f03590735a9a2e7c1124a19cbeeed6e8

SHA1
95549a4ee57ac5b422d78c562f71c2adadaa211d

SHA256
7d97095ab7a8fc03f7525aef54174349618f77140d22597c8535cc2f0855104f

SHA512
7b80eeecd22b6b3744d1ef880188d8cf583ffc7ed94bee3f0890ca40b31e5f291452808d065cf65287e823971a0cf15388cbdfea3c86e5fde721277eb1bdb84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\keggccYM.bat

Filesize
4B

MD5
a18bcf4e91375e291061e48c79cbbd75

SHA1
fbc54ec27382da216d9881819b7653f73e0c628b

SHA256
451412ada97b808b733edda0b2e08b6298a5639ba4bed6e29a4f146db95a2d47

SHA512
ec74f8e0a91cf68c906b751075a22c05aa971cc23efbf5a436f50105f548251707accd7ce9d515c160a2d956a5e53d44ce4890008a077c7a3a1cc1299dcb881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgYE.exe

Filesize
1.1MB

MD5
1f0556036e87d05592543fbbfa5e78fa

SHA1
15925ef54b29df3621c572b3cd091e5edc9cfaa7

SHA256
8ca9aab2adec1d859b6da1a369d92db6657d97002ec59b2edb926d65130ed020

SHA512
7c41ea68b1b7bf5567a33838c87a32dd8ec9abb8397f2da26b0135da3da9a393163e77138dbaeda881450db0f55b8a80f30ec33356cf4216e4f147f7385e995e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmocYwYk.bat

Filesize
4B

MD5
db3262c38a21f5c1b48ecb03f379c190

SHA1
a87cdde6bf74593c79ecfff211ca94386d17499c

SHA256
4c8fda41e71cec4ecd3d2019354cc0e75acdecb5785ac469400dfe3ec56a4120

SHA512
20df52f1a23825b79bd0b6484f35bdb95a47bd7a9b0838160454943b749380584149dcf77e2a14f18a89252276db70badcc5939a1536fb9bc750b3c4bfc93184

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssooIEY.bat

Filesize
4B

MD5
a89dccfce8f678e3f7c587aca9c0ec22

SHA1
cffd5ac7e54223cf1026ba3f6bcc89258f25d53b

SHA256
9bff5f3871e02c01553b18cb54c4b392d0b3a4a41d9180393ce32acfda013417

SHA512
3b2f10f7e7a19a5034b3762d6ff89493c85dd06ff6f419487fd9378a414443f8620328ebeb7cd3d278f88d41f03598161fae12a2e9ae375743370c3e51bce698

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAMMkckc.bat

Filesize
4B

MD5
d797d3210f60b2d47efb9c47d4f6f19e

SHA1
f3d7107498e9b6a006431965b8a9d13f9f331da2

SHA256
9ec20062381642aa354d96fa7b44d6cbb38c16197e55f4ca0f4a439c79e05b97

SHA512
6ade1d7f6b548a1abd6afbbbb59a9296b3ce28749ded508a38108289e11b68d5a6f6267435cae496a1befbf5483f922c99dc5f4a439c9b1bcb0f4c4fea19c908

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKQcMksw.bat

Filesize
4B

MD5
f66234f70a4491224659f4b23cac66f4

SHA1
50f060c3af6537728443c3ba9deca962d5d3f294

SHA256
2148a524b3bbbdb819ff9e532eb2e1123ec38b79c181f518b223256ea1b115d5

SHA512
0525985b7ca3f7f4a5cec072306355c6c65719e516664020b75b41ceb2c278b9cfa0d91e6ace3137fd2e12b46837c95eaa8b86e58cbf08c2c5e0f32cbbabc6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lksg.exe

Filesize
3.6MB

MD5
da2a371ecc1362c80591b1791566fee5

SHA1
8eab5f597e46242bd8fefd4f81089c5548115302

SHA256
397b6c39f0a4ac3fc12f758b9f61af9461a9872b763a5ac644fc803270b826ce

SHA512
a4318526cfafa8b97d9f082da850d1b82b9122a3a4a8d007995c193da38a9c681e3f1473ab43d77101d5adbb131f0bf62af6393d499d6999f6f2c42c80c4dbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAwwogsE.bat

Filesize
4B

MD5
9f70df04b38acc5ce1a80b11a5ba61b8

SHA1
fd8c1296ca37817e3311f9d1f3575bc018fd2425

SHA256
f8a2793df5c524055b94a42edf277aef800db31d8f1c27de1dd3f727987c5f90

SHA512
78447c0a9dd138f65898c3bc0a6e5f616fe95cd3cadd978a422442e067066a14c45ff0e0426cf0143ac4f5bcbd5ecb0e3105e60d75b3b6eb31952be1c48812dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMocUAAc.bat

Filesize
4B

MD5
3d79884f39b4c98be4e71e2c94b0977e

SHA1
ac5bbf0e544f97e90a6cf338eafb73269dee3990

SHA256
3ad97fd1018ed14fa901953f0190d9b6aa1938f7a0aba8abe7667added741f56

SHA512
2fad8c183f8b230d0a1a634c50255be3a7f623f06879d18661e690177d1f9ad7ae93a564ec6f44b1c8d990a72eaa87d532a4e8c0db58887f09f0dd8ac4968309

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMwO.exe

Filesize
251KB

MD5
1dd0f0459036dffae5f996f8c661a5bd

SHA1
a1e393ab1a6697e79e0229a3e9c28b45e02706aa

SHA256
3d91bbd02da17f5ef702b846d4405b446d1e152023bac4f143f2103deee5049e

SHA512
29c2ba82c26db2139158d71b008693294ae64148fe3b767c9615dc6794090efceb7f76faf86c879a878d619195cd3e01e617c57260d6a9cc5187401e3f77eca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksMMUgk.bat

Filesize
4B

MD5
b24380c03ce52314a37394292c0c7422

SHA1
900b193e9c0b5ff2f9ba443b8a8af2cebcd18c02

SHA256
1ad4459851e0206a97c06c8cf244b314bbda2d303352c27556987f0273428632

SHA512
810404415eb296c3d32cbc6004529337f8cdd051a8dfe91f4573fbb69f44c4a828659dd9f9b5ad8200787792f96c85aec33b30d3ab1180ddbdda5d5699bc44bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAoY.exe

Filesize
646KB

MD5
d66b7b5d7fee0d8efb116c38d4fc386d

SHA1
c3651e7490561f5198bcbd921f9f23313f8d0405

SHA256
b6d08894a9139ddfa76eb32c7387a36fd35593ba86e86405c9f2d622a6f433ff

SHA512
d754d5dd0cf10099c6f8e7239cf7ca0f35ed82db77d4d97b332d28fb5e8fc324010a0a0401fd9646cce4d0fd5267c8265934070c668ca9d3d58e7967cdd7961a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEIQsQYI.bat

Filesize
4B

MD5
48057d9c509a721ee36f55d07cf479d6

SHA1
302f16ea15ded44847301230d0a509f983f89152

SHA256
fd771a230505dab7883a1854111ca5c0859c794f99e085fca6d2f62cb8245473

SHA512
c29af15c811a090ad3de3c586ef07c20ab393715e0ae4a5877c50ab65599309bd851f5dbe57c877dfce8b31b37639574201d84a4f7cc10ce44df0af889781b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWcscIoc.bat

Filesize
4B

MD5
dd4b2215708e9fc11e3819fd74992e89

SHA1
41126842b41a66b1ac5ab58e50a795d0e12e5241

SHA256
1bf521f18f9812fdc63e6e780532f16d63610ab3f06bc9fcc48e6f9daa0fef36

SHA512
b4b09da3b9161dad4a9984855759b69f2111d0ea84c383c5871923d37ea9cb751f4258991cb0f53968ab4fbb8b888de57dcb15b8d7b700dc48a16aaee03a07fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYEUIQcg.bat

Filesize
4B

MD5
29ad0676b0a1235587278d807874e74a

SHA1
ff5c97615f05636d47f9588ea2350af6750ab510

SHA256
4f740c19ae161ab07cf2b890a11dca517bdabb327a96494d9b101d05567a3efb

SHA512
5a66c8cabff4262f5febd35b2b2b4a002792f76ee4a60a2d188ad54e75bf2fe19b93d29097cd429cd46d5ffd493d1bb8aa10eaa51650a4245783a709f62e363d

Download Submit
C:\Users\Admin\AppData\Local\Temp\newkkMoo.bat

Filesize
4B

MD5
2f6fbe95d2d256af467a79474f51c9a0

SHA1
a41e02c4c155a5d42059a91ed7c6b5a7a939d9cf

SHA256
3c518981407e37758bfa1fbcca72c5c41410492978d88c9233b8241a0de58ba1

SHA512
057a7aa40c0bda3165144945bdb48b11b0baed2cb8dd54e4b33f4d49a211e3c579ecbf042e5f3328c84490392888222977ff4e167adc1921f2781f42288fcf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkwU.exe

Filesize
961KB

MD5
8f0d86c30d36a4f3b798e6c5540c7d05

SHA1
e03b69787f68c696b71907055bb4621d3636f687

SHA256
da353309c369d10f8e5497ddd9d0a6e991a6ef60e3fc4d3b1dd89390dce65706

SHA512
5f8debff2dd94a9bf155658e9bde0a98c8226aea039ecfcea61ad45cf89a1d9e4437fd71c1d8843ce90a33bb9304039e476b008ed01422e70d7ba493c75151c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwEW.exe

Filesize
879KB

MD5
b31dd27388c666a73bed3b22d9acb426

SHA1
791d8163396f9f4610b28f41ba447cc212c08412

SHA256
cc2b32c04b736b52c180cc10e5b3687b3d4aa66c477d9bbaa550244ff345c1b5

SHA512
4c0246d634d8d3193ace4ec3a4a7bb1b82aac686bbad0c354ba0c6133d506ec46e800f93d835a9ee612360511d928ec73786d0b1ce7be2d79d37ac781c8a4aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAQMMEsM.bat

Filesize
4B

MD5
b2a2d589ec662d02181a13a5e4f54f3c

SHA1
8cc9bf3d31c53c2f50203e63842d7a0c198c4986

SHA256
53fe3707f739a6295d5b6c8afc280de0f994486783b15f408b5ccbaa966ad1fb

SHA512
d9fad42d086db635c936ff6aa45e0fbd969227484d392fc7ee0e27e74cd530d987b580819558784a5cc51be2385ee4f631e0e632dbeed8bc4503c1557678656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAgW.exe

Filesize
245KB

MD5
346165b2229bd8e2aa6e692e80928139

SHA1
38a683360076dcc9669130200a2da2fe93b3109d

SHA256
53440d3ac35e83a069bfa105e5f1b9fd7f401806c44587ecbd51cd70baccd847

SHA512
7cfcf37eecc16d0e5fcfd38fe3ff16aad9f77fdf62d003e3d3c0e20585e2c02a060b52f9302606548dd171b552f31909f3432a498a1ab1cc6d5c074f54316269

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAC.exe

Filesize
241KB

MD5
ca4706ddaaf9ade3c4ce1a151c031f72

SHA1
3c4aead46af454ee22c0ad9bebba3e7b7d630203

SHA256
c4f075d227a25478ce4aa9fa920acf224b5c5f756770f485d2588d84a08aafc9

SHA512
c529f75120f95205a28dcd6ebcca458b989e08b9dde7bb21154c46a0602d5d9051fb64319b9ee7b6dbf398c97519891b67a133528668ffc18778645f83d2df19

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUEs.exe

Filesize
307KB

MD5
61deb894e0e8777bb6bf2d0c4be595a1

SHA1
1af06aae92aad02ebce93d21abc1dbb2c5be02b3

SHA256
e421709a91c4a3954909ce6a5ab7d50033e9d0449f1ac90005d71804fc4f6cbc

SHA512
34c1c9554c6abc212e7cc46a8a4842dd46c9966dbfdd5999ab5ede2aa7b34ff6b2f00b0a8041f08c792b73c0fa9f07e98fe11d6934d42c506e461f8e9a30f744

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAYMkUoo.bat

Filesize
4B

MD5
1fa06db72cc45813916f27d11a23e25e

SHA1
44a00cd5750e99f6ebaa035f2f53f3fdf4febfa0

SHA256
c63734f7cfeaecc728630ca7647d3fb923a6c48df2b74a438f5386c6dafa3a0f

SHA512
531e65cb3d3c4b6d87b7d78b9ced337d884703077bbedbd1cbe7bfb315fec5c0c9a28c8ca228d9c83d79996ac8c0609416c3de8792194441a311adcbc57e79bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIwcQEMg.bat

Filesize
4B

MD5
4f9fe515ccdb4ad43c160f0cee1aec3b

SHA1
3769f0a0a27e0d6046470efe66cef4da3cde4ef3

SHA256
b0ddeeca49ea99f3fbe4a4ed2068b852dae6afee2d8bd98fb6b94c5962be158f

SHA512
095d64cda072f82ec9b585f22e62d33f1d7372c69ff9666397423f13e947bca20c1475e75bf92e6016197cdb1f38e130ba7fcaba97d173893dd8d9420fbc2768

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgYA.exe

Filesize
237KB

MD5
87a6d7cac9f8505b140085db8711d24b

SHA1
80a7ee7c7058e2f16eb2e82684a7e0a7b27bfe7e

SHA256
2034d400864b50ad4e4bc6def06391d22a5896ac54bfbd62297f03ca8a8b9e56

SHA512
2cbe8ef9c122f755a37407ed8794b0519d25cfa841d400d01aa376e482e7a1eb141f44443aa639140ca0993b4dc4a5bc6535395bf2e323be1d519c3c0eeac887

Download Submit
C:\Users\Admin\AppData\Local\Temp\pukEoQEU.bat

Filesize
4B

MD5
25ba8e30ced2159058ecc555dfdcdfb2

SHA1
c2ec88c8b61b7e1020593f4bf9519a2e234ab0a1

SHA256
8fc0f54be8722f1b118eb86b50a4f22112d83acc2320dac2c98a552ae64c6d02

SHA512
62aa216266f4a91b8c61bda914878f4b9b945098039e6320732a784e7c2fbdd1d75841556e4cd04b9ebef0b99a937878e5cb2188b7ba4b221bb94c1ae47bb1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwAIowoI.bat

Filesize
4B

MD5
4e6448d6f10ddfa7dd2818d4ac4fbbbc

SHA1
83ffade4557b9ecc09f752b2f6ebd49f2e3be7ec

SHA256
51ee317ad10b13f252033a9eeeb16015cc91e08b2959a48b97d770bd0a0ceb01

SHA512
2f6836ef38e7b51b38c387ce21203317f208f106ff08ff5e2bda4181c32be7a128b0154aa38d25514dc4d99f595d48c54118ef0ada814cbd37575b2554d7b898

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYAg.exe

Filesize
238KB

MD5
6267f68be075b645fe3e1cbd13f39655

SHA1
bff93f96afb02ab91dc5a29d363a98cffa96da6a

SHA256
5f335b4fab5324c652738ddd49501b44ab32af317bf128932fec0cfac6517409

SHA512
8c4ba51abda323919a6cbc0cafef4f0433fe3dada9c5bb3ce291f11801b85fe52932d14491c2d050d542e773eaa7adf908ad7a55cfee2ed546680d065e3e04a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcMQ.exe

Filesize
230KB

MD5
748afee922fb5d7489d1ea13d9b677c5

SHA1
1161862c4f5ab43bdfd7ab6ef987fa8a944ae6cc

SHA256
945ecca60aafcbe7fbf77c66f38a4f7034a4be0ed1e7f1e620426b5fbc34c980

SHA512
01acf5c04b35094c9249b28d750c72550258cdcac4fde0cd94158853c9bcb02dbd34eac20e05f8b27becb7ddd4e829441818f24641bbf72512138d085c4fcc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEcM.exe

Filesize
247KB

MD5
3bf8b708476acec0843a5ba8d3e7ddd5

SHA1
7d1d64431b3f09d24a7776f6f07456bc395b7fef

SHA256
9644c637d535f1a61e827eb2cbacdf6c368569348fa8f7a9784417c0c74c8901

SHA512
9f584683a4f9fd14f9e50bbe8dd753a544a2daa4c9e8b6a9c3c1c8e2068cb3b64dbd37239a1c68d0f4dda6e48cee534d734b9af17dd0efa24e3c900211bd40c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQYQUkEY.bat

Filesize
4B

MD5
8c4cc12a5ebba644c2aa30e1e14b0bcb

SHA1
790b7a66a4817a50a9a32da18e76317d00f423f6

SHA256
62f28dbe4598c834a83daf0d738ed6df669bfc0f5869321063cb117840f59917

SHA512
63a6c58a80d9e16f0305b763e38419c38a98d05cf184980643abf755dccefa144cddccaa9961782820b26c51969ef7491462a0e357795fd80e711950bf43753a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQoC.exe

Filesize
235KB

MD5
5efef8f242a6564f007407e241f51f6a

SHA1
ce5a14670c319704165fa3ebfd3937e6a5ff9dd1

SHA256
462a55417998b7015663c879792483d37d525c718c28888c36f5f8661758b971

SHA512
cf53b24f16fbcd79c771eaa053a5b8ee1a01672d7f65f8fd3794613c585e8630efe479f1d494f7bf9a3429584a28afac807597c00d5d120169d17feb3af1313b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryEUYswc.bat

Filesize
4B

MD5
3995771670b257db3ae355bed98030b8

SHA1
3bc26275ae120873308a89bf0e9b1a1fbc49b398

SHA256
6275ee8b8100ffd32e4ce1e587b3718ee33e8c7c077f960097390275cef07532

SHA512
b96684baba1110afb60afa0719c469f14337e9d65a3822ca64b06c2bca19bb88fc452cd4dd532e4d8eb4594bf6e9320734b8f47d385a18e4f6a281fb13a1798a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEEm.exe

Filesize
245KB

MD5
dd38155f68f58f8640098bfbb0925466

SHA1
b2e39ac7f2fc0a824efecefbe393054e8fb2b16f

SHA256
e9f5af6146b4dce0c1a1e8edc86852d9172fc84571c26a08fde9cdb834856650

SHA512
4e8ebe5a830a432509071f2acdab3cce55f68f13ce16782bbd6c1b896f2a4f1462a28aa964965e2084bef267486eb6b4cd30b71947e162a10ef5cb001e024916

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGoMgoos.bat

Filesize
4B

MD5
e00ab987ec34652d69742385e1e9c8eb

SHA1
88aa688c9c45c9223d885649706f04809bedfa62

SHA256
60af17e8a703117e19b576f40b8601ad0fdd6d81799654ab9159050b26c78996

SHA512
a134d53ca1b0c0756d100a835c057f0e80de5d25e663e34bfd425f24fa0d2c99d7277053d675f721b33278ca0d6652acf2c01fd6d3aa4704c60a18ca8e6adde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYO.exe

Filesize
1.0MB

MD5
3ea865f55e848b4c1bab492fbeaeb057

SHA1
de413d4f72b3fd2506c97d50b52dbb56485c004c

SHA256
a76c86be8b5da84023d0af6776bed8284ee72a538db56d8f6fa316aeca012ba9

SHA512
01176ee4ee63bb77dc197b85550040952a1107d4b560285b5d8bd623b5f8e1d406e1f4e719a2ed4af81aae108f9993d73ca0e2312b7062aae8b6cf8c708a690e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sacQEUMs.bat

Filesize
4B

MD5
7640f0c7d1d2d81d957baffc89d338ac

SHA1
d29d303ab7ba60be783d2ab5fe60e319e24294ac

SHA256
3982a664020ec3bb0ebddcc2d63cdc0af3c7b4a1afcaba0ea43ce92019273112

SHA512
39044f6fef4613f23b4f9df3496063529ab8209db16e56dcac8be468d60df4e0b6c0d44e59868641bf0ce15fa164cfe47d006ec954f1b239cb708dc09e186501

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggY.exe

Filesize
245KB

MD5
b39dc8db133fe326c858f35b359d95f9

SHA1
d92f7ce5c503236f2ea493a481bcaf42a8dc4b7d

SHA256
324806dae988c72a4488b382d895d6250256e4023ec2ed0e9b9586280c57bf2f

SHA512
f5e16602e058a1390ccd94b02b05ef6d98f038145be973513b1c988631d0ac1fd3b9befae3890d52ee10b10a3cbb4711765e4019411b9a1ceac40a7cdf57cede

Download Submit
C:\Users\Admin\AppData\Local\Temp\sockYAsY.bat

Filesize
4B

MD5
317d37b0edc7bd7cbd25d97f53a16ce5

SHA1
18c9667c2999cabf0f54d2a87d10ee9d15aef35d

SHA256
06efe37f5e983469e8609e7af8399f4bdc5a80d361247a3a732ce4bec4fdb826

SHA512
d47e006282580432edfca63eb7883fe28b304d7a51cf99a5b5dc85aad46963f2b0a514c3cc53983cc4a25a6a689adc85a20b81344677ec5ea66fe6af2dc9d95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqAMIwsc.bat

Filesize
4B

MD5
3d3a477b45b169838453a95be7b1454d

SHA1
93c2a76c2fbc807d22767d43ceecf9d72cf074c0

SHA256
4f65a6b8c63d330677f896e3ed99746d2bc61d99ea0635ea6ff18eb261d7134f

SHA512
1b5f387201871c27e6aa7c89e602f28384a2e51971bad85ef69e5e13307817dc1dcd63e13d3069635c13373999cf0d05a1eaccfb7ed79017e354539f8b1c09b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\suogEQkg.bat

Filesize
4B

MD5
e7f0a1bc83ffa9eb2a5a0dc001babf4f

SHA1
78dd30f03071ff27f21ef3b2eba9bfc0f7b992a2

SHA256
60cd3439a6e36bb31dc85c1ee51a8f98a87bccef3f8155e1e243404d139a0810

SHA512
186ab3f55ced38821fbb9dbce579a95b889b348942f79f2e5dcf920c5929baff190bef61b050f9db047ba29d8c5bb2bbd1e5a667289ab8862ccf61853f571ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\swca.exe

Filesize
209KB

MD5
e7f1a07eeb1d65cb5d775969ff59db65

SHA1
97d5df2ee8bfd0b99ea70c6c360cd71a80407882

SHA256
3eda2cd7d38746696d1daca860ce84524465fc20ed6bd5c99c4618c9620cbe58

SHA512
c9d4541a2f44f2f333f757e224c20e889bc8daa1060fe8ff894831d352ecbfec58d165cd41bfc9363c259f95fac00e8afc7ad1675f5c14ef6ec1e28000a12bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUga.exe

Filesize
1.2MB

MD5
5aeb06d5d2f6b1de6c035dfb27ba792a

SHA1
78531e0b0a96e756b33da260a8918cfcbdd1f93c

SHA256
2d08fb9e06128c8593e5e0543b6ba8411536743c95d3c47dfec2d514b96438ab

SHA512
6e7df60035c2836d5237cfeea5300233b4d29cdaa8e468cb23ad32e8ebc7a2391d36e2f509622cd7e89497f9c05a29d8840e76ff172ca923ca71efbbc5d7e02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tackIYgY.bat

Filesize
4B

MD5
f22494ab05be5b9088d11399193ffaef

SHA1
5de37ce0dbdb405457d0afcf03a68fe1f62cf8c8

SHA256
a98a567fef8938db2755eaf8ebf93ea5318b58c6ccce684f03bd11a7cecc4020

SHA512
f02d162fd40c5a9cbbfba03f02cc357859e2d4a49f020a1332302ba9381ceb1eb7834ba5320f5892caab558b7c39c9d8523daa67d3e7f59c93c052edaedf637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcMwAsso.bat

Filesize
4B

MD5
b161bc80041a5f8d9f8f2fe0e516b60e

SHA1
c079598a77dbd1e2f91f87e77c1d0de71fba34e0

SHA256
4407f4582b36b797bca17ad896ad134c7f7a739d7970651bb732a1cf690c3e5f

SHA512
0d653dd12709d108a2a33d200684b099db36902f93565547f248e7dc8c3931cc94849bfcd0b5ad7080a3ffc68430654a2f543bd49dc1ac553f9dd316a7233001

Download Submit
C:\Users\Admin\AppData\Local\Temp\toIMEsEs.bat

Filesize
4B

MD5
c7dced58a67dfa94b3f6c52e9529e52d

SHA1
ec07ee322ffdfdb9f0db200f9843266570f7bfa3

SHA256
f9c04dbb033ee60523f4e142f84f076869039b5cb2da96e0d044bd9e4fdd5a34

SHA512
b10e36c43b08c6b45489302dcc6456141c0dd63bd2f2e09eb7b1c1e9da5e63e3d5915f0e76aef54b8d0fe02c3e7df0ee5236cb71c2aa226f8eaa6fd7a63dacbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\towo.exe

Filesize
241KB

MD5
a74cf536018ad2adb18d4a25efeb4f6d

SHA1
73ca3460e2c85d083f71a4653145a90bf29fcefa

SHA256
99262e11b1d62d9b15cfa500d0501b2ec28bf26ed05e51a78db706722bb4b45c

SHA512
5a94e507ba6526fad033c365f9b50a953634e6fd1f06ce1ac15eeba250eab05cec7f155e3c792706086fcda9d6277cc176995cb1a0e5cf36dd9b6f717ebbd458

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMs.exe

Filesize
940KB

MD5
9d3cdbc4bc66b58f84a311534151209e

SHA1
7ad96334f3503d6ff99487b19d85a6fd6f49e2fa

SHA256
2dfe3cbc60b19a18ab7087890c9530d01f297572770ea214189221540f2febca

SHA512
7cbc5c813a98a0ebd7b69763284f0f0efffe1428bdccc45bfa05d423432237232470be648f92d6c8820e745faf1be999afac998c4949f6473e0a4c56d209097f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugge.exe

Filesize
213KB

MD5
445f49149b359cd7c5cf7a2d1147bede

SHA1
06cb58f1ecda895b99a3079672dca735b44e6044

SHA256
7540bd3a6d61057d970dd7298cb9123cc598d808cc5903fe192c3975da860130

SHA512
7da00fb97b5e80004afd1578107b3b979ac30a4bfba86bfa5e760dc92826b9d21a337b70b29d0fe51f8d9ae0d3e6750f5156ab0a0ff975473f7bc34b48c1ae40

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksA.exe

Filesize
236KB

MD5
b52d32d76efb591f25f286f81ddeaabe

SHA1
0df108fcdfbf884c5c3261fe81b3882c527f0761

SHA256
14963639a013ca948946199b4e18de3053e71b779d0d98bbb0045032bca41447

SHA512
d5ab957ae9ebcf24b98fe1655d72b41f767321fae06d5e628a9e0dfdc415a5000c3b7aed022d61886024054de42cbed123d80e5b0f74f0dcff1cc934449f8064

Download Submit
C:\Users\Admin\AppData\Local\Temp\usIE.exe

Filesize
644KB

MD5
d842f45c64d288a3d1e35d30716cbabb

SHA1
f21446b212cdfca6acc15fefb255dc7ffd22425a

SHA256
9a870c9e2c7121e72392d78fc6f1132173562b05733d35ac4939a2af148dd5c5

SHA512
23217707aee51be7e840e4fb9241c16bb823e106a62f80629bd68c83339b785ddb59541ce7d876a064a0c23d9f0012f4bb14ff6bf5d02e84cf3dbd41eae2d2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOoogggo.bat

Filesize
4B

MD5
eec02e7bbe44e369ecf1818fd24268cf

SHA1
22422007d67f32264ce3050714d8d6a1b7f3340b

SHA256
345287c5a0bd86abf2a61dc7070da65f4d1f134da68b359de6d2cd1509e46743

SHA512
1099d7c80c5c628241692a06386b70c5e71c817561eb06b2aafced4dd8cde524e8a8386de941fa31d9a681b5d143c0bd6e9061d6bd742781092f2e6c29b3c4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAAy.exe

Filesize
229KB

MD5
69f8c8b75d18aae05a28e23854de04d0

SHA1
ce018ffb04cce04b420f930b261024a6fcbf3b94

SHA256
982b3fd7457e03c4b5cb035efab5bf973c791aedf704c0ab55452d1db1c389ac

SHA512
ddab741e39e0bfac48b26fa9efda29c562fd332cd784bf0ca36b67b95990f1f52a0b4a36e1dda80c786c4fa043030debbba38e58c8a3ab279eb9c702a61f07f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xawQooMA.bat

Filesize
4B

MD5
2a9ad15d83a727a9e5516f493c5c8113

SHA1
68b3a99ed2dfe5f3ca57daaa1b009c6dcb0cebd0

SHA256
452ae5208c5ad76e1c6e41847b2816c1760502b63899a250bd81068af311c2aa

SHA512
27908d1caaaf7e816236dd18832a72b69319d573fc33550f14d745843baa1fa95ef1859b10205b2270cc7461f45f48a1297f7f2cd63b6b72155cb2029280c3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcwAQYcM.bat

Filesize
4B

MD5
98c6ba8e1bd7e6c95aa9a19357cf314c

SHA1
058b47ac5a58edbf870032eba50714434382b28b

SHA256
37230399b8e7947732043a1303a036889213c79819dfbd5a3219a23d67a2ffb2

SHA512
6ccfdf665de3c1f728c8aca5ed56d65951b4bc582bbc2ea2f30981703c658ffdb73742b0a0ac27e418e7ec9f45e258eb6af83c1cbac647f25de6e63ed4a1d997

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwAMAYMQ.bat

Filesize
4B

MD5
d0380b8b83805b1b095b0334ab06707c

SHA1
d099da21c32a885004e49c93e2c0bf12e0357194

SHA256
18fce03440e3e4ca539a4c7f90fc06fff80b9e348fcbf9371800e8a871a6f1de

SHA512
5ac60737bb5518c2b47a6878b6ccd30440b0375050dc30f2c0ec192826b5e88b0baffbb9c30ae9dfddb9951ded751483bdd2b242a3c33a8f9efc8dcbfc799489

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMYW.exe

Filesize
230KB

MD5
1cab6ec330212419d312754685a22b77

SHA1
12dd3ad2693ab4776623bfefdc0d086ef825dc7e

SHA256
92fe2940cb1e4ce5f02fcb77aa1f377aa38a9021212ce0888c4d2cb1409c194e

SHA512
9c5ea4c255f3d5b585ae8614651078c25a95f1b4d3ae67d195952ed92a2ba697774d96caf7dc5f797c3d7b03bccf66bc80efb7ab9b257e7f280fe3c081f5846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUge.exe

Filesize
477KB

MD5
932add24fac9cd36def4adb55faec445

SHA1
95a72d26c10c5f2dd525e5ca12549daaa538c135

SHA256
d812aa4b7cd48837f88f558f9b7796ad179e9122ba16768051b1a8c5a4c8ad54

SHA512
06ae88bce81fe5d3a0cbff355f23cb9a45906ee796b66a9cac80fa6b9c781096ccfc41d63a9bb66edd2a22aaa63e6b71e7feba5c1fb22d537416946dad6a1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAUMQkU.bat

Filesize
4B

MD5
a907d274e13cb62ce25d73c5b11a1748

SHA1
65db8865411e0b9162658fb1fa0568889b0ea8d4

SHA256
ecc13c6726bb1953095d238cd5e8c8360ad378e9d696a0c1ac603ffba16f0333

SHA512
815c1191a9bf353c293059ab4680b7f20472641304d5c49d9b26906fdb280b99599aa957054d31e490b9dd6d44a694caf0dec19136f3780020535f4994e3173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUC.exe

Filesize
626KB

MD5
a446de35d598a2c061fa16d5eeffb32b

SHA1
22a28c598853a1f5b76b7786c82d866cd8198543

SHA256
914961f41536b355c0fdc09d586e7a9593bf4f096726d91d1d6f5f39e0f08f92

SHA512
b82b6fa2fdf41d74632919b90baa11e93a7c97bc32433b61433e5645e742b246aeaf4fe5ec7f190814214f9dcf58ff47a337173d8bb6a8718c4be1a16629dac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAoQUQEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQks.exe

Filesize
315KB

MD5
8ef72451135fe130ccab7ba8572fc256

SHA1
63be4f2e776f2f37d60ab56349cfe04d60226bfe

SHA256
07d46f9b000b620fed5a29bc1e3a5ae9cef357ffd0e88755b0aec5cde1d39bde

SHA512
340ad7fbade91b07f744bb25ca792f81012e95885fa562f6fb50f9de0d615962b4b4b062e5ffa500b32f23cedaa2d9ffa8baca0f5a00a21bdf5ff7badd29d55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcky.exe

Filesize
246KB

MD5
282fef1b7722e109874cb1a6afe52a5c

SHA1
537e8be80157422f7c244dcb4d2d12f2662265d8

SHA256
acf76b81fc8933b491dec6272a0d494eddfbe94677123ceeb2f4fc9336b3dabf

SHA512
590aa2133132bc2e82f213a2e2ae1864657e7c73cfe1e728f93e40c47c23af601e665ba5af3070a9b7312d61e53c7a263bac3df738b14baf2c4b0cdb6dfa428a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkIe.exe

Filesize
229KB

MD5
82cec82008fa34e7f24d49446f3b2805

SHA1
9be47261164839f8e414f303b6a3b576c18e8aea

SHA256
3e13a8fc7dc1a5e368728dcf8bde312b266f9b67f50e6d84e9694649d551ce1f

SHA512
5cf06c60ca5acc50ed32be63f3936e498d9774c84f1d7d74ddad2a108ce6440dce9dffa655829c7a649d6318bf9bd14410d965cb03cd07ee76753660bbc649e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoAcgUoc.bat

Filesize
4B

MD5
ab4c67eced99e089ad385a34df3df407

SHA1
8c6c613adf12747c5265fff19802fbaf3d80b865

SHA256
b2b6b9c5553144b48d6c1660241162a860ae307880bf97016a1a5aa0295b57a0

SHA512
a7d2f4e640b714e89dfef12450727a7fea65e4792fe69b5bb78830d7c5b7544813f330c7dc335cf095e610e39729fbd518a3e68e14c3cb325d9d29f9365a52e7

Download Submit
C:\Users\Admin\bYEYkAUA\NgMccEAo.inf

Filesize
4B

MD5
4fecf058a94f1fd3adc93a4ac536da18

SHA1
bf1d4caa59980d37c46a7425147af2f0f6d8e686

SHA256
2b7376905ae6f4dbbd850845635607becbd38b11d860c1e736a111f2abc18a8a

SHA512
1fb25fd09628cbc5aa106ba6993c825f2f3a6e1729ebb2c3ece475b8647e1d325e1e7f162b1021048464e269ce5e4a164e061fee77819cc553cad456c4e95e38

Download Submit
\ProgramData\GUcYAwQs\DKoIAYIw.exe

Filesize
197KB

MD5
7fe4e3e87770078fd092160b8e92e836

SHA1
18437742994392f946144ad98b947b6f01fb1251

SHA256
bfd33dcaffd8d75a8937039542175437531aa493c50a3f3db3db50f94877c10c

SHA512
1e066c4cb9e7997a0c477e75e62466c0c891267f3e404b24acfb9ac7a3f41efce6947b24b2d2490fa21fc3ef50206e30233e33b8901e692f347498a3c162bc41

Download Submit
\Users\Admin\bYEYkAUA\NgMccEAo.exe

Filesize
187KB

MD5
c14aedeaf9b51e5e22e08447a5d7a7a6

SHA1
022cc5a431901257492926a53e8ef8685a60f739

SHA256
7a577124cc231a5a78ffd93a8215239d801e172a15db32373d1cd6a1335bd05e

SHA512
ca9f72f865f9f68035edced8b6b23a0e4ee39e4102c7f89169220e92e315437b7d6f1fb8a9527ef2d2e441a3dad8fe942689904670a970f6a05365f0bef7ca03

Download Submit
memory/300-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-380-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-381-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/968-188-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/968-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-427-0x00000000001A0000-0x00000000001D8000-memory.dmp

Filesize
224KB

Download
memory/1036-428-0x00000000001A0000-0x00000000001D8000-memory.dmp

Filesize
224KB

Download
memory/1304-133-0x0000000000320000-0x0000000000358000-memory.dmp

Filesize
224KB

Download
memory/1304-142-0x0000000000320000-0x0000000000358000-memory.dmp

Filesize
224KB

Download
memory/1464-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1464-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1484-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1484-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-330-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1684-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1684-236-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1692-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1692-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1912-355-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1912-346-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2012-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2180-308-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/2180-309-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/2232-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2232-356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-212-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/2304-213-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/2320-179-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2328-403-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2344-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2344-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2348-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2348-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2396-83-0x00000000000F0000-0x0000000000128000-memory.dmp

Filesize
224KB

Download
memory/2412-283-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2436-32-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/2436-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2436-13-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/2436-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2436-29-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/2436-12-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/2472-405-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2624-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2624-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2724-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-189-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2748-211-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-165-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-354-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2880-331-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2884-93-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-69-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/2908-67-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/3036-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download