6406b02f172ab556401dee7d1274a3e78bf3478675b564168a9498f84f3bf27b

Analysis

max time kernel
8s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
Size

215KB
MD5

7acb66c3bb2c35f158d556b38105048c
SHA1

4d62201f7e83bd139b4218ef16badab466cffe08
SHA256

6406b02f172ab556401dee7d1274a3e78bf3478675b564168a9498f84f3bf27b
SHA512

434901cbf6b840e3ad88b0b97f8e3f303be991b9b751458d4e3d70567057a4daac87c3d62c7db3e7167dd312bfad94c476d282a6b58233e275927ed12c9c1ebc
SSDEEP

3072:DT7ayiGb1choJA2+YaZK8L7L1XCn2yI4VaIjt0iu7Buo9VWTF79H89GTnv+d:m2xciAPxZKl5VaIlu7AoifSS+d

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 24 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
2260	KkwwEMIY.exe
2724	niwMEYok.exe

Loads dropped DLL 4 IoCs

pid	Process
1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\niwMEYok.exe = "C:\\ProgramData\\KuIIIwcs\\niwMEYok.exe"	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\KkwwEMIY.exe = "C:\\Users\\Admin\\tkIAUQkU\\KkwwEMIY.exe"	KkwwEMIY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\niwMEYok.exe = "C:\\ProgramData\\KuIIIwcs\\niwMEYok.exe"	niwMEYok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\KkwwEMIY.exe = "C:\\Users\\Admin\\tkIAUQkU\\KkwwEMIY.exe"	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1660	reg.exe
2264	reg.exe
3000	reg.exe
1672	reg.exe
2760	reg.exe
888	reg.exe
2524	reg.exe
2824	reg.exe
2632	reg.exe
1568	reg.exe
624	reg.exe
2656	reg.exe
2644	reg.exe
2292	reg.exe
2248	reg.exe
2768	reg.exe
1976	reg.exe
2360	reg.exe
1228	reg.exe
980	reg.exe
1120	reg.exe
1716	reg.exe
2948	reg.exe
1100	reg.exe
2584	reg.exe
828	reg.exe
2716	reg.exe
2524	reg.exe
2968	reg.exe
2896	reg.exe
808	reg.exe
1096	reg.exe
1780	reg.exe
2960	reg.exe
2124	reg.exe
2132	reg.exe
2224	reg.exe
292	reg.exe
3016	reg.exe
1204	reg.exe
2000	reg.exe
2864	reg.exe
2952	reg.exe
2184	reg.exe
2328	reg.exe
2640	reg.exe
2788	reg.exe
740	reg.exe
624	reg.exe
1880	reg.exe
900	reg.exe
2380	reg.exe
788	reg.exe
2644	reg.exe
1416	reg.exe
1416	reg.exe
1440	reg.exe
1324	reg.exe
2092	reg.exe
1596	reg.exe
2740	reg.exe
2684	reg.exe
1788	reg.exe
2448	reg.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
760	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
760	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1020	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1020	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2328	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2328	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1684	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1684	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1036	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1036	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2768	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2768	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2856	conhost.exe
2856	conhost.exe
1552	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1552	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2284	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2284	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1736	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1736	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1992	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1992	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2372	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2372	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2648	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2648	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1072	conhost.exe
1072	conhost.exe
2340	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2340	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2312	reg.exe
2312	reg.exe
864	cscript.exe
864	cscript.exe
2200	conhost.exe
2200	conhost.exe
2608	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2608	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1268	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1268	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2716	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2716	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2256	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
2256	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
1136	reg.exe
1136	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2260	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	28
PID 1944 wrote to memory of 2260	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	28
PID 1944 wrote to memory of 2260	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	28
PID 1944 wrote to memory of 2260	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	28
PID 1944 wrote to memory of 2724	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	31
PID 1944 wrote to memory of 2724	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	31
PID 1944 wrote to memory of 2724	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	31
PID 1944 wrote to memory of 2724	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	31
PID 1944 wrote to memory of 2736	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	30
PID 1944 wrote to memory of 2736	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	30
PID 1944 wrote to memory of 2736	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	30
PID 1944 wrote to memory of 2736	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	30
PID 2736 wrote to memory of 2680	2736	cmd.exe	33
PID 2736 wrote to memory of 2680	2736	cmd.exe	33
PID 2736 wrote to memory of 2680	2736	cmd.exe	33
PID 2736 wrote to memory of 2680	2736	cmd.exe	33
PID 1944 wrote to memory of 2772	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	32
PID 1944 wrote to memory of 2772	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	32
PID 1944 wrote to memory of 2772	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	32
PID 1944 wrote to memory of 2772	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	32
PID 1944 wrote to memory of 2664	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	34
PID 1944 wrote to memory of 2664	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	34
PID 1944 wrote to memory of 2664	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	34
PID 1944 wrote to memory of 2664	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	34
PID 1944 wrote to memory of 2764	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	40
PID 1944 wrote to memory of 2764	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	40
PID 1944 wrote to memory of 2764	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	40
PID 1944 wrote to memory of 2764	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	40
PID 1944 wrote to memory of 2544	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	38
PID 1944 wrote to memory of 2544	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	38
PID 1944 wrote to memory of 2544	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	38
PID 1944 wrote to memory of 2544	1944	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	38
PID 2544 wrote to memory of 1844	2544	cmd.exe	41
PID 2544 wrote to memory of 1844	2544	cmd.exe	41
PID 2544 wrote to memory of 1844	2544	cmd.exe	41
PID 2544 wrote to memory of 1844	2544	cmd.exe	41
PID 2680 wrote to memory of 2144	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	42
PID 2680 wrote to memory of 2144	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	42
PID 2680 wrote to memory of 2144	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	42
PID 2680 wrote to memory of 2144	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	42
PID 2144 wrote to memory of 760	2144	cmd.exe	44
PID 2144 wrote to memory of 760	2144	cmd.exe	44
PID 2144 wrote to memory of 760	2144	cmd.exe	44
PID 2144 wrote to memory of 760	2144	cmd.exe	44
PID 2680 wrote to memory of 2784	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	45
PID 2680 wrote to memory of 2784	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	45
PID 2680 wrote to memory of 2784	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	45
PID 2680 wrote to memory of 2784	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	45
PID 2680 wrote to memory of 2820	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	46
PID 2680 wrote to memory of 2820	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	46
PID 2680 wrote to memory of 2820	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	46
PID 2680 wrote to memory of 2820	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	46
PID 2680 wrote to memory of 2708	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	48
PID 2680 wrote to memory of 2708	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	48
PID 2680 wrote to memory of 2708	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	48
PID 2680 wrote to memory of 2708	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	48
PID 2680 wrote to memory of 1676	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	51
PID 2680 wrote to memory of 1676	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	51
PID 2680 wrote to memory of 1676	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	51
PID 2680 wrote to memory of 1676	2680	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	51
PID 760 wrote to memory of 1852	760	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	53
PID 760 wrote to memory of 1852	760	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	53
PID 760 wrote to memory of 1852	760	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	53
PID 760 wrote to memory of 1852	760	2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe	53

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\tkIAUQkU\KkwwEMIY.exe
  "C:\Users\Admin\tkIAUQkU\KkwwEMIY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        6⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        8⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        10⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        12⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        14⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        16⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        17⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        18⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        20⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        22⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        24⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        26⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        28⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        30⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        31⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        32⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        34⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        35⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        36⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        37⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        38⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        39⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        40⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        42⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        44⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        46⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        47⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        48⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        49⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        50⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        51⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        52⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        53⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        54⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        55⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        56⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        57⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        58⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        59⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        60⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        61⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        62⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        63⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        65⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        66⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        67⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        68⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        69⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        70⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        71⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        72⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        73⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        74⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        75⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        76⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        77⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        78⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        79⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        80⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        81⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        82⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        83⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        84⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        85⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        86⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        87⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        88⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        89⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        91⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        92⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        93⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        94⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        95⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        96⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        97⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        98⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        99⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        100⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        101⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        102⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        103⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        104⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        105⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        106⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        107⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        108⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        109⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        110⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        111⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        112⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        113⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        114⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        115⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        116⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        117⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        118⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        119⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        120⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        121⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        122⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        123⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        124⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        125⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        126⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        127⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        128⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        129⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        130⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        131⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        132⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        133⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        134⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        135⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        136⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        137⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        138⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        139⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGMIEIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        140⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        141⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        142⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        143⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        144⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        145⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        146⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        147⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        148⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        149⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        150⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        151⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        152⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        153⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        155⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        155⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        155⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        153⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAQcUQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        153⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        153⤵
        Modifies registry key
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        153⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryMgkMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        151⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        151⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        151⤵
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        151⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqssYscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        149⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        150⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        149⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        149⤵
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        149⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWwAcsEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        147⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        148⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQAkYEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        148⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KigAQIow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        145⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        146⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        145⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        145⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        145⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        143⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOgEIEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        143⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        144⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        143⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        143⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        140⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsYkgQAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        138⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUIsYoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        136⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eecIEscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        134⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMokQsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        132⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCQgwQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        130⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwocUAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        128⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSwUIUUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        126⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyEsAwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        124⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGQccAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        122⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\seUAIcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        120⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcQwUcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        118⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEwMswYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        116⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAMMscYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        114⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EiMAYIAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        112⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECwsscMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        110⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKcYcksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        108⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOsgUsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        106⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\akEIYMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        104⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOkQMEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        102⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIMIwgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        100⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xoMMQkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        98⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSoYQsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        96⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWwMQwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        94⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSgcMIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        92⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGcwMMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        90⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        89⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        90⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        91⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        92⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        93⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        94⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        95⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        96⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        97⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        98⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        99⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        100⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        101⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        102⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        103⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        104⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        105⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKUcEoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        105⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmgEQYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        103⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAQIskwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        101⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkQUMQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        99⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        Modifies registry key
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tooYAYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        97⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIsEYkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        95⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IukkQIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        93⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        Modifies registry key
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fucYkwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        91⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcsUIUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        89⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIkMcEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        88⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwIcssQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        86⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAYEIAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        84⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkYQcYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        82⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsUYoAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        80⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyEQQYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        78⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOYssgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        76⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIIsocsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        74⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsAAsMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        72⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        UAC bypass
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HggQQYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWAMEswk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        68⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQgcsAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        70⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        70⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        71⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        72⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        73⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        74⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        75⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        76⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        77⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iywkksMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        76⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hskoYgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        74⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqQosYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        72⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmAowMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        66⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCQwwocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        64⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKkksowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        62⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gaYAwgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        60⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OuoQsYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        58⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmcsswgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        56⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMsYUokw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        54⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIIUQQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        52⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bkYwAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        50⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsgoUUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        48⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        49⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        50⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        51⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        52⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        53⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        54⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        55⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        56⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIAEMQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        57⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        57⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hggYQMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        55⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ziMoskkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        53⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgccscUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        51⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyUUkwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        49⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        Modifies registry key
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        50⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        51⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        52⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        53⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        54⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        55⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        56⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgMogUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        55⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKQwccIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        53⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykQYEoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        51⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUcggAwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        46⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\guAgAogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        44⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgwQgYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        42⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIgIgkYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        40⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiwkMAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        38⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwYMgUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        36⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMwAYUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        34⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqIMkIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        32⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqIkcQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        30⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqYEgYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        28⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MksIoUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        26⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAYAUcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        24⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwQEIEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        22⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mukMMsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        20⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkkwoQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        18⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EygMkUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        16⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SosMIMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        14⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\suwgcooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        12⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwQkIAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        10⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEEEMgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        8⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1100
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1248
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1360
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUkMAwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        6⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwkcwsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
      4⤵
      PID:1676
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:112
- C:\ProgramData\KuIIIwcs\niwMEYok.exe
  "C:\ProgramData\KuIIIwcs\niwMEYok.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NyckEEgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1844
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8112737631869863673586148329-18856408821139750447-229280793-1636872312-286788639"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7037346341715419032-868150551-3602272122081959997282996021-1783715034335705360"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1571625301287577561884041635-44114327717813388462133421789825323064415747213"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "192154875019665897110995801242114522062611814443-784311073-1990863973748729443"
1⤵
- UAC bypass
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "674657114-317856194-899926321489626609-580025779-198432113512707059001941077735"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1806983750353959863-18965247802133183637-367950006-1560772750-19549821741551935192"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "176496738126846898017509950407711907114212207411711379721-12759521991757780230"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-46303887697830949719549206011828045154-1657709791-911317079-15423034051045787333"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1021208166183950913613843632312026320083-975951604-8526974491555988979-39189134"
1⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-147693198554050936619440851391804836604-999159750-72027041-17975857911692153067"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12265922532025867991810686523-4377031121471743254142921583-19366894811002612662"
1⤵
- Modifies visibility of file extensions in Explorer
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5821323431589610886683836393-309660267-1202840960-103291028119015421281462243854"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1610376339-5992687720211599411596694318-10681332751095414789-19389367601837601811"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "889367100647263709859529901-1887619097889380830111995018820089988011833667164"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "839908554441493768637166856636213761874448124-2081225130-1517944710-1503950694"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12423911091276754555-1527090020215825402004538935395272011188072235-397853871"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2594488165042392731937523640-20763845717382520841473595803-1548756501-1486382725"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1982799239185776077-581314050-1321377723-494931493483461393-858594391-213171161"
1⤵
- UAC bypass
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6932855751879885267-2138197474-198615741210775541562101297152-19236223331116873816"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1600482477-1313752259-19281088671766051309-21146888149345079342136855196-874250215"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "923159912-1856721336558836858-932482508-18192116001061020142-1656790863-1237505879"
1⤵
- UAC bypass
PID:1484
- C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
  2⤵
  PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1020398083-285813059-1731516890-1661684137521052781-14106404771431039803-980073934"
1⤵
- UAC bypass
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1265560729-4391158032131106989438161999155948508-9748095916072584811484854517"
1⤵
PID:320
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14954520568678309161301193188-2039964672-1167316171-78179936396567648-433310920"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7692381671619626757-19640570681788144142838837515-1543840952-132944340-907279472"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-437933551853076857638837764-9811765211503394694-654147503-579694133-11189355"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-768209979-93862139-511669336-912505553403262674490617241791484548322736500"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7880465589877314862132482723-9626142581960997774-1034705440860585124192901984"
1⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-243533492-1560837428-2622644671532283572-1924498086-439542168145430246113520901"
1⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
1⤵
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
      4⤵
      PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        6⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        7⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock"
        8⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwUYQsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        10⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\neYIcQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        8⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1944
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZEIYsIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
        6⤵
        
        PID:2512
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2316
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGMIMkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock.exe""
  2⤵
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1783336367687579477-1787998075-203627108519597503199387150741602088701-633541479"
1⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KuIIIwcs\niwMEYok.inf

Filesize
4B

MD5
78d3b78c2d4205b1fa07b11351f54cd2

SHA1
b3a39d897cf5da0a33ad3af2f1312457a667f7ea

SHA256
5949f66bc2d1f2a10da0abc7448d0360ea586380e95c6607f85371b8d0a79556

SHA512
5f77bab85e0fadf9a51784ab94fc8ca41ad42bb6565c475296ed5852fa3e23326cf059abd42809d496fb81778a0725e85c504e2f682d448ef0811160fe25c739

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
242KB

MD5
e8266f52a4c5c54d8e5e1f9b72936548

SHA1
b236494a19a9e4a6b27ffbe37b139835e64769fc

SHA256
5b8cc7fc8ce9e2d90b4ba96660a11e37595017c7629db72003f208880e1d81b3

SHA512
f39f0b0906801275cb168be0dfd639a09e1209f0ccf84b97805b105586e550354b27a64af95b97bc72c52497a43171bacf27905159e42e9bba7d0d7f26116976

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
649KB

MD5
59fe3c81d8bcf0d3a6a8fc681e904ba5

SHA1
20e464cb1764d3bd770e767aaeea8f0f876844a6

SHA256
a43dfcd9241ac681d5a897617e1e65125b53a1bd539a7304a46a99e615fe8ce7

SHA512
90fe178cc60036193cd7b8c0947ac0e6316ee1002718d7dcbebfc550e7a096962bf63e94053c1888a4c97399eaf1a3b06742e121ae5b92e3bbbb672dd562f52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-26_7acb66c3bb2c35f158d556b38105048c_virlock

Filesize
20KB

MD5
10a0cc45bd41277a57ed483d9d9ee5e5

SHA1
eae0e74b2171e25e093f68de2efe2cb00f18dfab

SHA256
2ffb6ab734b4aaffb072f529336ab78dc20dc77fddeb76fb2901b355c40a1f7e

SHA512
a34f0020ccee3771195abe81e291b68f5483eec8561827e739dc2355eea70aa4bd9500b726380609c66c9f5ce1804d92ec6e328063a68adbb96e50fd53a1f899

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMkkoYUA.bat

Filesize
4B

MD5
a1ff41cce62919158f722cb17e2828ef

SHA1
40e0b1ca7bfb4cff86e228ff09c371f924b2eba2

SHA256
9fc9357bdb8627557d2e2ce51c092f10526f02890e40accbb288abdc5e95a267

SHA512
7676e89b379ff58045905b8f0316ef95bac003341d1202d05d1cd63b160db507a3ccc4810a6ef266a756b770d203fe841d93328048b590e791380387657d0af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQgU.exe

Filesize
751KB

MD5
59b8f500bff19b0b926f2b65de1048ea

SHA1
452db99b4154c26f785708892c60dc36ebd414f7

SHA256
5c9c109b531bda48cca2475e03edf0acc393993539b845698dcda80d8bc532f4

SHA512
67d1389587652a180acb00a4084d88176c71dbdd2e89a1818b7da0ac33f1b48f0b602d2e5342871ffb2f76c62346a5fa6175282b840d486eafb0ca4d63af11b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQos.exe

Filesize
230KB

MD5
b4f3c51a39f61ae88c12460e00530c54

SHA1
7880cb289a47448d5f8a13d5522a9522a4ca7b39

SHA256
bdbeb2512339bcb6cf73b0186c1f5de5250ffcf898a35954bbfdc666861e35bb

SHA512
cf18cd822f56a59ebb5ca0fd596c678a240090666349ffb92b9664fc8c409728420403cc6b2ca4f1f6595dc555fd4f878509fe6e522af2f2e3136f393c1d6c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYcg.exe

Filesize
206KB

MD5
bc45848790ce41ba92160b219413d73d

SHA1
0a12290bbadfa824c83b5237c24ddadfa728ed82

SHA256
22a307b0823ecac06692c4842e17fd62a3671d1b5d926fdae8f712771bf22645

SHA512
217b60eeff810888232e312acce44296b2b079a565163a2cf29604587074c4e23ae79dcca3e45720e76be5738d1a7ca117c2733d0cfd6b7be7a5fd9547c18aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awgm.exe

Filesize
243KB

MD5
ab7697e22ff6565d185fe36bda555d2b

SHA1
6171560a72ccecbb2346d781871ee14a798b6d65

SHA256
8240d251c3c702b6b4ef7bb09c78382e782106e8500b3b40fb665111ecdd4eae

SHA512
918e30a1872606ef9c143e2be091f09729ab5e474f1b7a99509700c8e7ec665cd81e05d592382fc97a5a27ce95adb9ade4e1eba8a8540825cef8c1b467a1c42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUUYoIkQ.bat

Filesize
4B

MD5
823f5031a14db923abf58741d22396d2

SHA1
0279d26176bb88da05c77de6e6011aa40c2f565a

SHA256
8466ab4a2f6fbc31d79745050ccff526e878000022b2b9ffaed37ff495b8f9fc

SHA512
f231507acf3e56963272f00e876716ce141c0c7b2f9ddb4d9e066176c3bfddf0522601b24d4a31b5d0d7529b0205643714a6333de92ac6530323b1d3169de736

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUsM.exe

Filesize
248KB

MD5
f724a9bd8431184193c00e9b7de24b58

SHA1
5ce6dfb3cc1843d521ae3fa751921fbf22b7fd3d

SHA256
0f8b8ea5dcfb504885458c0533cf75c1ddf405985a8c67f8a4f4eff3d91269ff

SHA512
9f7c68a554c6b209e8ecfdfc55b9ad82b7afadcf21d662c97b7f24c5a038af8942542d7af01fa2632e7e6ca99fb79475126d39bca3c656359ee24d23309d5ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bccs.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqMEAAks.bat

Filesize
4B

MD5
59ca597a7687eb39aaed51ffa3eb4f76

SHA1
05500a21b65b8bddbcbd679401d04d106554ab39

SHA256
d63b8e78bf582695fc856db9268f2d9acc004ee13d0562d9a3e6952a82acd46f

SHA512
e00cc6e6cb1afa0e65d5861f035290bef93b32349633d4917279c0ee81f6e8640ba6b1ac8985843766f42ec3e3beb4c410f2865122eec51fa69e60001749f6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIoo.exe

Filesize
232KB

MD5
3f22ee1ac775266fc433b1278ad7312a

SHA1
9296a40f8d97d1cc74ec7c152a0016dc4f86a6f4

SHA256
d8c6335e7b156f8925b9b193567750321a246b6c2fb1054f3b66429bd66606e6

SHA512
d752470a58b02e7c8d47b37ce202e5955effa222e2eeb60d7d3ddcd5287c97959398f87e725b566bb62eaa1fcb2f1e08d1ee2b966b831c0ccdd54608ce874d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkAS.exe

Filesize
1.2MB

MD5
e7e1d801230f3c5c69e996d996ac7c87

SHA1
98c27a21b5c1fe84768c460de2609062a5a9d19c

SHA256
64d352773ee2868efb68d74c7ff97fa30c9e10fa36e9e5a34698ce15f2de2955

SHA512
7e092fba3d264baa648fe97daf75cf3cacba1d76dbe10929d789ed56630b8e4b7aa16d7b7c3e968e2604d4f4c09a78b33a162936070f43cf7cae31d3c1cd6177

Download Submit
C:\Users\Admin\AppData\Local\Temp\CogYYEUY.bat

Filesize
4B

MD5
c74342af9f4d4b1c0022ce1498390c1a

SHA1
399265029504672cff752c36eb651f04ec1fccb6

SHA256
79f50fec6ad62330d07fdd973d0cd169405201bc35aad39b70ab5ac6808af2f8

SHA512
5429560d0a250c190b82b47c68438f6995f645751dd4d478fe674bd5ec624a5b6fbcdd7846be869852c7324632c9ab249343bfdde6dc8759afe15d81b7f4b72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooK.exe

Filesize
235KB

MD5
3062bf8dac7a532156d0c88529b381f8

SHA1
b5f62acc477df8049ea0267bcf307a7478b144ef

SHA256
ff479131b459cefcf71bb07d13a25c381cb2d8bda289fe2976c5e136927d617d

SHA512
51563b3512fa490d6913febd75d02edeaa84d981a84d282042138f1424fc58f11746fccc47e7db742ee1cfaa9ad02fe269a97682018e1666f0b5bd7dc36ddaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAgQ.exe

Filesize
242KB

MD5
78bb122902b4401ec6589a27e945bb0e

SHA1
024ac092a566f7a76869dcb5f3c82d7732c733e2

SHA256
171d98d1d6b3a71301f49bcd9344eedf18ceb10741498af8f6b39ca0d873e22a

SHA512
0c461cdc64e11b3b973355570118207740263d192e7637ec43fde07101d3ec11b4e6c8552dbfb552d6b642b476df6af016a13c537103132d9d683192a397c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMoMggsM.bat

Filesize
4B

MD5
d127b86d567caad029bc1db45ac88cb4

SHA1
71c17f2e56f28b188834cd9c0023ab88ea50464a

SHA256
4335a78591036a07cec986ce95a4ce23c2c5c0f265826e40ba362bd53a73c39a

SHA512
a071a781eab08ab9273169c2aa08c6d76be32cb425e1e2e39afb072b13f443670485155d9aed54f05b36fbbbfc44cca6be9cf90ae400491a421389537c9e4f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQgsIgIw.bat

Filesize
4B

MD5
3ecf2c120e2d586e295078b007d78e5a

SHA1
d7cd3e5318f81190c81207679aed8371fb299056

SHA256
fbd8cfbbe75191ae3e87de5f2b5b29171d651f9ca8dd29c262b3500357655f1b

SHA512
126eded58b52aa3b6374863f9a6e3f815d7a1a107e41a25171bd731ca31ad6c74fa95d0f6d56531edb620da46d2ec9e6d3d64dc86c2f97c6c32bf9c1c13390d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmcAwMkA.bat

Filesize
4B

MD5
a6a54dc5c873aecaebe4f18419dedbbf

SHA1
ac916fa23e1c549424fa7f0314329b0d38c46ce0

SHA256
762f7e7072abc30dfefe2fe5b54b878064d06cea84eddfeaad62e3b7d620cf6b

SHA512
2d00b945849cfed54c31858d282e4a08d97e43056892cde80d17cde56432bea8633890c333fcc267f0d3fe539ca8576c05e899e7d390523b0ce0988e6539f2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dsws.exe

Filesize
427KB

MD5
305c4e70d1772120efe85f646ec879c0

SHA1
6f0a973be2474ebe9a5788e3a785a1a6c717e715

SHA256
099e6f028423be75929d8ba5ccd92108978e47daf96e143b739a5b5dc2a03f38

SHA512
41c368de2fafb59bcd96325d2949b8a34b8d4ada1cc6b73129d816fb90894613e54f384621b1db49488eff532a386970d3efd3df8e82b54c5b30919dd3fa1a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwIC.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAQ.exe

Filesize
233KB

MD5
88f29f487632f109bba51f7e724c01ad

SHA1
189d2f38b9348ec9e8fe5aa4cfef17e253b60f29

SHA256
05d0c1420b841462026d3682c0cc659dd56229876a34cc14718d9697f4a24f9d

SHA512
43a79c8e7c112ea047e6945ec02e9deae005db8bba99a7929f901fe0620028ccb0ae1fae43393c9ddd8c18373137e4e86b54eaeed16d3765f1bcf181f8ad1f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAo.exe

Filesize
250KB

MD5
9b64d6de1d3c792ca937f5936565fd8c

SHA1
c4c0ea8119abc8defe42ec5247062caed0503a4c

SHA256
cd799e67d2f98bdbba029132654f2ed333658b562a94337b5a1b5d5e02b66346

SHA512
a1b77ddb4effd938b696fc04a92dbf716e43576a0ac4c82ee6c7cb023f2cb90346ede6a9de8c758b3c3ed4fa1d5cca19318afb3973553ef532101ab99ed952c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIcG.exe

Filesize
807KB

MD5
139f3c068d44fb40364c53bf997469fa

SHA1
d337a448c919d2c9f7f3d8688d31a940ef109d9f

SHA256
028f00a4c113dc671a233f8c395e86946bb49edcae6502f6e013a2406a093857

SHA512
c22aa017b4206d8ca929a31246826a27614541f10c81dead4f4395d25b311c2d5fc94eb026dbbd7e540246d8d85b64acdaff1e97d7d824c3a593618cbcd1aebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIgo.exe

Filesize
1.2MB

MD5
915827b4634a68df71b928fd60f1bf41

SHA1
09c457c06099168e60dc4e7c06949c9b32c8d4fd

SHA256
4019a8e7fda7be917569274e55e88cb909e71bcca1ec8c2b7f8a2572303fc41c

SHA512
ca3a3d9e8777425ed121bc76c5ed5133ce0161078adb56dad80424eb921a49269822a4943bb4a87e1d26a6368533e1cee5816b77775c4d80f2163b5990b7045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQYwoIAE.bat

Filesize
4B

MD5
321178fccf26fe9fb1e1ff8021b11f98

SHA1
57eec10aac88b9b8e09e887beff0fecfc715835a

SHA256
f835952fead78608155f636665b80d83c292323ddb41e9566b1d6e1dff44aa39

SHA512
dd831fa0286394d26841ae013fcab3a4ed098e47303039d6fde8ab014a56e04a104f92d4157b625c6ae875e86486f478fd6468f49b79cf8c9937d34afc3e5712

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUkw.exe

Filesize
246KB

MD5
8522c618bba7dd1ddba43a091874b128

SHA1
10041fae62e8876208e3cf59a27bcde96d0cbb00

SHA256
496cee290c8c69d3b4a1026da6225a419a55844dd541d20a36bba29f2bf9da31

SHA512
9c10bc42583597c7c207b068add6e4e1c19248ca183386517f6cdcd5d18034a5d0a10ad12a628e786e8a17ab5b74c3875a22779e4174c2b77cf69b8f7f3d17a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIYi.exe

Filesize
235KB

MD5
d952ed287d3da09d3e787b86edb9510f

SHA1
ee2d7adbc2cd130456b8a5f1b66be916cf4b65fd

SHA256
bbd3d20653a29768e716e52ec8fbef32473097def4e990d2e9270a8e1a667fd9

SHA512
6240dcd6c0b5b0c829926cc33f2f8c69983a7dfb58b177f34236747c96cd8de65bbebc665ee98bbf270faabc42ba373997e6b33d4add45fde4c9412f947ee54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUG.exe

Filesize
241KB

MD5
9333b1ad4b42dd1b536606adf4a10a53

SHA1
961b494deff7a6409579b4d8af842a12f8d3a9f8

SHA256
df8061162dc61642f70ea86392785d40f78b69c6fb4a56ffd70817fd3e7946b6

SHA512
6465ff5049091c89d6c3a948a19d61c904fbe5215c133012d642059edc7da185ac48b4ec435e3a1dea0cdd26d4c21fa58e3b6707661a4e45e86ee77373b7c91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYQW.exe

Filesize
245KB

MD5
b5fca50a5e481e0e3f0175f7ed0341e8

SHA1
5770771c89ee16ebb825751d4e3dd191b4469e65

SHA256
98baef8604b7e9af9b06b3ab09bbc4739e5e01c7db6a45eeb17cb1f6d340f5a9

SHA512
4622f98e1663a27ef559142b74fea4115917387286adb75eccdbe2612e35c7b993d2856100ce5f61c2c77e035ccf5df1a512c1df7445726fac3c31ecad13f1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcUoYgwI.bat

Filesize
4B

MD5
8111897e2d91af57b1464ae45d6f2593

SHA1
dd7c8910b5e044554c1d30f405e1eca3c5977c6d

SHA256
6bf8060a999f89ca33dd2daf58517c7b2614f6e819e521f41c673487bdefef06

SHA512
3dddb9e304dd130e113c5872c0c12c4c79344c6473bab6019f5ac0c4cdc289fb5148a752ccc510fdfd61ef85bd689ffb9d548882e064ccbe2f0f5c2cb2f1cd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\GscY.exe

Filesize
237KB

MD5
7a05113fca586306f2495533fdd0c731

SHA1
e55048c76bf0dc5552cdef48790c3579651c0172

SHA256
97c0c8a66b1a7c8f493675dbe148fc69ad107c616169020efd9b150298e2f798

SHA512
881aaa8179aced020b7f70bd4b24ff3cfcbc9bedd198d2ebdb8cea241052152c4af4f2f7cdfda34411f7764df92b7fcaaef971f4604ecbb896492d1f44a80ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwIkYAco.bat

Filesize
4B

MD5
962225665f40141f25e9027ae57f38e4

SHA1
e8ad245f6b358d868d7c18fcbb8aa46cae506a61

SHA256
6eebb1a66cc1b75cf9563e7ae3939a9e57da35ac6fc6e183445475cf77a24995

SHA512
01f04778fe10413041d009459b1a2a0144fe637d180aefb0c41fc9149c3f7cacc89a0bd5dff6ddf9e9434f0625609a2e8efa05aeb55bc27c6bf1d74557065461

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAEG.exe

Filesize
976KB

MD5
b717c8904bef84acb333023231b97338

SHA1
07e71987661315d7c9d67e962e4058338e2d9fbe

SHA256
882c8709e877994bb4780157dc4a81a2df4e5e78318b39df3479f9e059183d3f

SHA512
4da2f9d6c1cb9d93525f33586537c6ee36d1e9fc71102b9ef225d2bf07d1a9a09d0fed2e2f71a09de476e9f77e2b6790cff52c9bf3b000d2050b9b305ff06f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIIm.exe

Filesize
244KB

MD5
f6cb2c955e16eb9d0f7dcc9e5c4f2675

SHA1
87e50dcb59ee23026caf431dfd6c383b3dac3970

SHA256
4ecb76df7ea02859f416747bf2bb8bb7d6943e7782c1a8abc9a2a2799ebde3eb

SHA512
770ed08b3e4912e435c9adbbfbe4f902882c6b0de27ce657bfa663cb73bcf35c220e6972a2c8177d510ef0e598943387c2b0074058bda8bed28d0506d2989a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMMg.exe

Filesize
956KB

MD5
693282b17675d38a584b31ed715fdc6a

SHA1
41de5f4ad86f831a4fa3416cb1c1f205ca69262f

SHA256
498ae57973c6c7d5209e1165c7aad2c786a69667ab1cadc16b2293927902e65f

SHA512
c19eebf7491ce7b9a88e4ad6fcccb2c16d44e072e85d45db3fb176750e5076e0a4879e3e9dd8c909fbf4e961bc5a23ff2d76e1ceb540fe23bcbd11d227892f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMQUwYUs.bat

Filesize
4B

MD5
57178e07c1defa3806846a39e7324f89

SHA1
0ad3901712781450088890442fece69d732678fd

SHA256
d94e8b078ac6c17c2f2a086a14d69249497e63ee8e13db9467ed0c71cb439be4

SHA512
d14f585d110e81eb129f32f1fddf0959be8a700d6886ca2aa0bb628cceed938f56464b735df12b4207bfbdd4434b92a99b42384afc11f49ca8c8ba1dc73ecc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgUm.exe

Filesize
947KB

MD5
64115aa023daf96bfa66e5f2103543c4

SHA1
1ca1de1dfbcc1215b6f905192b5245b07f454451

SHA256
9504f17db97a6d597761516a4e99556376faf0cb4fe97db649adbefe2c62ad22

SHA512
b1c097bc5294d6c9c6cd4da7f457bc90e077d969fcf470a3126318e86e5c77095205343fad79c01394b1cff43c855eaa2b66156564ba78388bb1b520226d47b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HswUwEkQ.bat

Filesize
4B

MD5
b2483d49e07e0dc857dc315e59948b3c

SHA1
5b58602bf78db8f74120c50c0eecd886eb97bd9c

SHA256
95aca15a50c7fa8474198766d8184c4f3dbf166c1d6ed68dd16257d3ce3fc0f0

SHA512
a11fbece4bf8239186ce4104532671efa162190e4832aca5139e3c8dc395be71cd9c144599c03b278cb5cdc6c4c69c5ede8114711fa7c078930965e8a6637b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMIwkoIU.bat

Filesize
4B

MD5
196fe113f60a945a75758b08c2c3b02d

SHA1
960036e4dc3dcc30f131aa757cb61db567022f08

SHA256
0b61b262a444b5afa14f7fa426d9a35eab0b26f6f68d3ce98fff2198ab2e0295

SHA512
d2befc8d88ecf7220ae3ff40ceaabcd26193aae2e3d6bad66c49f765baefc5ca99b848c7c55f5ee5e3f11477e14c08e7baa9f1f09ec1563c0c2ee805006629e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgYoUEs.bat

Filesize
4B

MD5
3d9e917561cc1b65aadeed2243f11ffb

SHA1
40464fc28ae3e3b014e10ec224ab5d762324ba42

SHA256
896b4e3121f8743c60fa239ed7a9728e5c5b3b4eedd9087373e70250ef05652d

SHA512
39dc152c01e758e0a3e5d3fb86bb44376ad72576f99eed73b6319f98f7c321d23ce8bf3a247a60ae0b0a546c941eadd09ecb26b0e0d689eb1eabefc414005a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IikAsgIM.bat

Filesize
4B

MD5
670b5a186873633071849bcc2ae625f0

SHA1
4d2909531c4d386d06a75eef3433e23f0bca360a

SHA256
1efc613fff783691422fe5595f06acde8ba0cf44c2925004eba9e540a751d804

SHA512
2d96bb285b81350da443f03f1e33e1c1da8ef83eeda127a0d1b9c7f92ccab520ea8d5ca6cc9653f8e8ff8832abacab574c9be72aed2f66d3dafeb4e764135588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IqooswsY.bat

Filesize
4B

MD5
ac8d8096b001559a8c717332e6f47351

SHA1
f19f80d8d35742f64a60e67de91e35889f769e93

SHA256
b372711c41cbd13a889d761b41b167ae8d47beeab3ce4ff58d4a7228ecda911e

SHA512
61e9a4ca14796bef22afc44c383f9ac18bd345e57c00f5a1832df536f975f4b9b55e0692577ace3fc0b5a72427b2052fae5f2e97813db65cc8d397c0130b2d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwskQgcs.bat

Filesize
4B

MD5
face93179df1aef2dae292f646aaaf90

SHA1
c41d91b189d1c27dabc9d62fd708981b68c6d45a

SHA256
881977242ac809912536b5a926a63e4aca17ca1470b2b74eec54d5857c5dfe9d

SHA512
6c1ccafd1d68c29f59c5cf361892387435337c5c81d9316f36f9e49eed23b36a2e9e6d33a3f346441572a2c69141d7882e6769868d548e1ccaff326211d144b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMkq.exe

Filesize
1.8MB

MD5
dbbe4b06abeb65c9bfa1100ba1331f32

SHA1
4e5a7aad16b7b88a29a00f48402c8c902255e947

SHA256
2d1ba098701257d1ce506358fe296d0dcebb2cc6ef8997b844eb311fbe513364

SHA512
b83f0a347526f1f48dc466602be1b201947262907b636470da4151bb0bac2ac0cf08660288b79363a2b23c92cd77116a4ceb974711bfc6765ca9b75802468428

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQswMcoc.bat

Filesize
4B

MD5
035fc90f06ffe548e1c18dfe40112085

SHA1
523c6cc02cd92ad2f7d773ef2f2b9a21bd2709f1

SHA256
c100dd12e8be914ddd241c8a59512fcd07c4224937378a91c93364a97c724b88

SHA512
4c9afb9b55eb314e41af51c42a301669f47b3cfafe694cfd595f0de08ea2ebc6e304e59fc23641b570ec8ce3c75741029c630215a556c4bd42b1edee78d6d7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYki.exe

Filesize
243KB

MD5
13d86a6f21012d9c0dc36efcc1d9b4f3

SHA1
65fb5dc4087bc434c951bdc2660b7698b19ddb73

SHA256
c87eae80a0fbdcae080697c25ce2ec118752212bbadda26745b0d2483b8de441

SHA512
bbd1d47774e55fe8b35501da8057d3efb14da98b81ded37dc211fcf079550f6d76d9a71d078566d35aaa52a1de17d750411f48b52de9cc4a4cfc18ab8a0f4d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcYw.exe

Filesize
227KB

MD5
a86bc2307dddec70a35b995441ff26d4

SHA1
ced95cc5af64a011f8261bf9b108fa83360adbb0

SHA256
cbd781da3287cfbbb54bb44a01bca9333aa7e77a72c319139fcbf17df05bb46b

SHA512
5106f70f3ebe53b008e316acfc71e17f4e537286ab28658d88449cfea4552e537cece69181ef12a8e21e07391079d985271c65eca4bffff19240cd4ba8b50e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqQskkAw.bat

Filesize
4B

MD5
17c19c07a1e016f4a19ce12e75e19751

SHA1
a0fe7ad3682767d75a6146750f8981a66ceeb356

SHA256
d346d7c5a6584ab9dfb602fecfc685ddd6305009f4b3b919155ac00ada28e6cd

SHA512
970e1f3cf7da0af6e88c14ee70f73a351a07b4ec821f2bba6a0885f229a604299f14519cbd23a04d04bb5c8cd6a6e824e5f9d460a34465797a4ad16f20c8db3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwgE.exe

Filesize
234KB

MD5
4c58505f2b941f78e44f57ba61d48042

SHA1
36a76d8fd7b192dd832ec77bce6fa03a3687bb64

SHA256
85efaeedbbf03728b0db7e924df17e246c1d848a49a45e624461cf9b01918a90

SHA512
4e1b2fac136ca28e34cc4b25359814495f821255634186552910be1104c1375a28939fbd62f95a5f9fbd604c01339fa4b8d89bfbaae855d292172e0e2fc880db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMw.exe

Filesize
228KB

MD5
004a51eab0d506b5ff5931ca3a492ce7

SHA1
214d00a6de893ea7cfd710acc46a072a81ae33e8

SHA256
7dd8112050db704af02b5b04208e05624f8da468757ee2a74b8fdba84ea942cd

SHA512
32f9971f14575da6a0ef6bb2d0941e7cd1f3141554c34106e8b48722c99f9db171404faa7ce64b405381189c81d5d66660175a2981e92d7b1db0789d4617984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCUYAUYk.bat

Filesize
4B

MD5
c0020fd33dd5b7862eb9279fe4bcf094

SHA1
47c8466a4936a590792556927bfeaa9b0d2db248

SHA256
f336583d4fbb2c43906f56e9c048bede79b8cc900a45798fb9f8f60288220f45

SHA512
b4c36cb844e10efcb2cdf9efc2bb0cba71a8a5aeaa0715200237f3a6e0a81571773a868a007fbe91ef175aa686aca4817228584e2f75e5dfcb6a33f24713e942

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGYkgEEQ.bat

Filesize
4B

MD5
46098c80cc7278ec741f949b42356ca2

SHA1
21a0f6853daefe9132abfeb529a8f20abc7c7152

SHA256
732dc45e05fdab1fbb86b80e9cbec4f259c47a180732d70943b92fbc3db3f66b

SHA512
e55f15a9e8fd0a27faca0acb282e785771f80b3d93083fdf363955352455befec786e9f381752d71632f5ddc6017de5c01ab574ae74973223ff28ae8032b206b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MggUIIYk.bat

Filesize
4B

MD5
8b2805222efe1932849393c45331de5e

SHA1
c76c0cd9a79d22d90258e00059f9e96066fe23f2

SHA256
32a515023d0f87f195dad6fc23d4488bda70ded811f5052c8d3716f4d1052209

SHA512
7827308a7b812eb59511523a7f76f9f4ce25d944364a7fc55ba4d44705ceb3fc6d1ed9a69151bca9b7e00314e95d62913f1fbc9dce12cd7032d814e2283daae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAoS.exe

Filesize
4.1MB

MD5
7328d7645e2224d6b28af70397d19681

SHA1
7dc93d47927f5bad6b8e51d60e71fcdfa78d61d3

SHA256
96bfc7533c64cd8392992da3a0a0d095e9e908a4bc1fb91ea5e73ad9f8d6f5c5

SHA512
93d24cc804edf8bb0add9576489ecf333a835f2149f8be8284cffc5aebce0e47b4e102e918366dd62a405d4ffbb4c2242a94e8328cafcff101dbe1ec729fd713

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMQE.exe

Filesize
833KB

MD5
788d7da8429c36bc064b6d5cd3aa2368

SHA1
809db18694354dfd12078bdf0915c4794c079a8d

SHA256
a178af32b36d6040a275ba2423ede8a851750e1925053938d7675b746759bcb7

SHA512
3fc32dc53103cff9c3684af891746f8fba48e08ee0142a1f684a5435ab8a7980f738a7e304bf8c6ab9e8e24afd3fdb93401700f058904959308d9c36c003e28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQUE.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkUi.exe

Filesize
235KB

MD5
868e0e1f6ac8fdce8ea6a824395d515d

SHA1
9116dcf55c40023333d4ae32ce27729887002e3a

SHA256
f00413be3f4ae5b0c9e509a668ade1b164068126e46a3f50b2894dd2a6421621

SHA512
08ce818969047cdb361293996ab07212a9efabc0a7d3d18d4cb5e842ac3fd33db5fddbe3d5b6fd57fc41a53116b88f53ce87c193947275d881fee022bd5cd8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmowIkcM.bat

Filesize
4B

MD5
8553675d57a88b187565ed512d77fd42

SHA1
be091ec79528c9006d91b82895ac8b904c20925e

SHA256
3e1bc9337c147ffa50e5884aea6a2704d4f0130646d9b01b25ee800bec4e4542

SHA512
9d774c410e0a09dfec30f899b1a132cfcf2bbfaa14646f9591ab95c853cc515966e5ac279f61a957ac3d3b12c1e9f17a76fca72de61119c5131f4646be091b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuEIoAIE.bat

Filesize
4B

MD5
957d19151076c55e406e6929c867bb5b

SHA1
b6da07b033de7443fe490628501b1bc257bb0209

SHA256
0a8f940a07f1b5b96a1bc971f2a477de0565cdc45237dcabd35b92e393d32ffc

SHA512
bb24a929f85dee984f390ec1c9c5c869f0450b1e87f43345522632b4ae912fd4778bcd05c99fd2d642fbaa244d89206677e4ef379ad04864d3a5396cbea4bbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NyckEEgA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAIm.exe

Filesize
822KB

MD5
bdb65817d50a57f79d11722b33d3ef73

SHA1
3af87bce47ae49c1b594d1bc9ec85d883a2010b1

SHA256
6266340191836988d660d1b159323126291ad7b9e3fe7e611474e84e665ac397

SHA512
8fdbc4f687c08a40de3ce0f77074b32ff81b00974681e132a32ff385e85b17466561ca8114befd9872fa4cb47a2f7400f8111b6dae15f348fb5c4ce68033d51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgs.exe

Filesize
241KB

MD5
e6ed6b2b49e9e0ca6cdcd4b01f745a54

SHA1
53698ddb0bf91c918547b8fc190169042affde86

SHA256
fe9e25b4f6bc1c462f745522eeb4cd6bac04d366c39b131710eff816962ba2b8

SHA512
fa550d2d96855780078496a75d8145349b06001e59de44cb25464886f8edcf820f08ef0e10e43d926e66e7c8674ac5b242784293e7fbe3c3fd7132e3a291df4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIMg.exe

Filesize
238KB

MD5
69c9ce6771dd914ffdc80fc05e3242b7

SHA1
a08a3409a00d70eafe9345e2806fd6a53cc6fea8

SHA256
fe5acea5be48d9dc7fbcd519ea5771280877bf0296230fcb5dea1bb4073b576a

SHA512
5aac9907f78cd341a1f0760adeeaeaea7716cb1f8f1597e0af3eb51c7ed3394fa78b76db52010579002407eb5e1eab8126c4c44b4be688deed758853bc8ba382

Download Submit
C:\Users\Admin\AppData\Local\Temp\OewIgYgM.bat

Filesize
4B

MD5
77b375a5897b1aa69126b18f199b0aad

SHA1
3856ad3c61d82eab1a95135df3b42b9481f674a0

SHA256
8b110628dac97b243f0a40f6cfadb4d18a290231a52c307a5c5f2adafa01f8ee

SHA512
6adea79501425d09ba7a846e02a6a078c121ce7f6431e69a91acebc592b0a2b696b5a50d5fb8e618a9da4ecd7a99d7ffad40cca7dc9005f58653d16243b323cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsQE.exe

Filesize
814KB

MD5
54917b30587d78e9dd23e920a05df433

SHA1
adb4c9ca2c74ee56d6cc1030967b3171633759b4

SHA256
3ea4d3988f489e6bfb4c3f3bd00b5ad30dfd97c017129a52f5912cc60fab700e

SHA512
56d89a88d7aa85ba504fc86343d6d8cab56e38e16e2d6f3893b39c64ba4d3ee3cded0d9531e373d92c5387544cb2366c8d7a47c120192fbc9e57be10f0bd0271

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEIY.exe

Filesize
235KB

MD5
c50d1f572df2c02aff402fd7da5292f3

SHA1
835eb3c2151f18d14c6666410c6b2b84c35e79b7

SHA256
6810d9e723d49e7b991c42e50b5b829c3abef6f0d426f702bb1e443baccc3cd8

SHA512
acb22b1b1063cace5ded990cf8b30bbb8d450cdecb1bf62ceb5539274a60711cbe6a151ad42c4a412fba0bea6510350510855d3d6908c5d1f2e8344af6dbd49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEYg.exe

Filesize
304KB

MD5
d32c738d9b910eb2b3c242e0ae935a4d

SHA1
1b843ead7d3e83b29165614f7c8bb3eb1cb79f13

SHA256
cccff9e348b96fe5de84c465052e7a1362da821d5588d2f477a5b818e7bd2905

SHA512
2d8d50e236c1216531ada85a8d5fa1a249c0901ec056df705d6ca7bb4fd0012fe09dca7ae0e72a6e57648d6b6716965da79892523a4e4664bba4ec243cfae11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgQK.exe

Filesize
219KB

MD5
60d3b30291fd4fe243da198ce26a7e83

SHA1
0fc271c95d3a87054032157bc4932f0d9cb296c5

SHA256
2af92240c115ced77b4d9908da10e68d001b98d88777ca806f52ca9c9f32351e

SHA512
0ca8c4c76ae0b5da0addd7e2006d64f32e71b9c741f782c3ba05b15ba9f06958ac09ac8d91915ef6822d068a0490d0c1f9fcafe83119c94d666f51a3a65b8cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkAYEwEc.bat

Filesize
4B

MD5
b56a3a320f014b655aab3e8b600f8b4b

SHA1
4981232e27adbfda9161970c83c914c70791f73a

SHA256
b1b6ecabcc13ed89344312c2215b2ebf53f9cc7d51c72e6d5f3b101fad6b4f9e

SHA512
a30aabd06cf36e0aff8ff410bee67adc1e3044082a152561a2e17f4b1adfe04d5324a3d8d06de54ec99e92d651a92fbe4e65b61687fa166fd3bc81240131bfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkMU.exe

Filesize
233KB

MD5
6e56f4b17f62d6f2107af305fc00932a

SHA1
711d2bb416b78520f1d05d499e88b420faa71ab1

SHA256
00ca7d443b627dd8266c0b72a1ad441b6d0da92e5a0578d2189a7bf12f8786f6

SHA512
df37e725d61e039437f85d66bab021b4413fc706fcfa1319431046a6b6a442cf90a3b0f5b49e79bd530c4c88b6572d96954694bc3676ce07a975115d92c2ea38

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWMMoskI.bat

Filesize
4B

MD5
f1e47b55b82d6a3d337d92685227e49d

SHA1
185203b18fc9dec25d782dacaaafeadeb21f4584

SHA256
d0839fbf84f8a0b44d161138013107844be9cb8f2cd45a77eba5b99256b15200

SHA512
5155a0a71775555857b7e23628f4596f9b666bf223ae9e442c332cc22eca83108e3690c175143c42656a2b7b7896ad8079daf3d647e50d439376bcf049c571a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYoo.exe

Filesize
235KB

MD5
afe890d4f2ff12dd44643cd671ce470e

SHA1
1265224b921fabee28dc890462d11abcc8b6aa7c

SHA256
ecc5a404e4b2c01fe02b177f9ea7dc66f85f463db4129366d86484cafed7a829

SHA512
a79ef09ecf9f82594148a9cd9456529df772a1b9809459001cc8fc4579ad4af17b6a31ee4d1b0cfc9035d240f41d32f0f89056c3618e93dde048e5210ebc4860

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoIo.exe

Filesize
234KB

MD5
c09ac13e055bb7a2a81f2b664f1c228f

SHA1
5425c6ed6256ad0e7d8a031a14fe56a74f6cf76b

SHA256
8ad9df959a7dd5fac4b0136a9023685e4e93535081b4f02a3444e80b5e7d96e8

SHA512
a41e7ba50b3d029a1504ecf6c2474d0877544a7fdc84f8a8a594aa818998ee9eabb2127a463556e4f115980ab264b0e8edb384b5fd85989f9c9fe257745d13a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIa.exe

Filesize
248KB

MD5
18e3d0fc85339051e66a2a9a7ee3f2b8

SHA1
4f84d8df25d16f2a613fa7ccfbbf5bbc4d3cf1f7

SHA256
7049c6c0be2600173448534b920312792a5244e91680f54c4ce636fa74a959db

SHA512
e99920c6b7dcc22511ea9ef93836e4be01dc22460b5bfe34656abb63f22144ccefd6a3b75a9f7696a68b65762b10a4e3364fde0f6e333723023278e70ff672fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQK.exe

Filesize
233KB

MD5
963e57fc99532ddf133f7bce35105172

SHA1
942ca361c628804a393f1a7aa3b155f16b78fc9d

SHA256
fa9497be9f0ea10b72a9be0344700bafe1783fced2aa29d86fa25ed9227c62c2

SHA512
39e2c694e55a3b773faea60655b250955c1a158873430f100c2c66c6d7142f4facf84d74f7dd3a60322d3a68eeaf5b07deb13759b1cf37b112bd7c3a2eedd166

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwwEwIAY.bat

Filesize
4B

MD5
a55b0ee8c1623130f6b43cf40249ae0a

SHA1
06930c039cb0e8ddef1d3d702aeefe91ca6c1d4e

SHA256
7de6642fcf541d2bf33ecca52b08d1841a9fdeac07be77755afdddc3d0022374

SHA512
752082ef8894536ee825ba9a291cc357b0373d6719b1bcbb23bc5ad1b9e2cae4c21ecd7218d379fea153e503e8285866e503e565954e6f14f1ca766652af4959

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMYS.exe

Filesize
245KB

MD5
546263baff714d8dbce74cc7ea91a14c

SHA1
2096f06b393c790dc0fa4ab373f4d87ed89db333

SHA256
e92496386aa0395982cb42a8cd09e7eb6a283055f7d72a629c573cb88511a8f5

SHA512
8a95f8985ca4b421394b2811d4494539fc7a5a32aaa3b6bc3c251fa11791091fe272b0315f437b2fbe062b11ab9a4602dc37e196c37a21cf087b530d9a2b91be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQci.exe

Filesize
233KB

MD5
0ae5d236c087decba178e437800c5c85

SHA1
07a2db61853d2892dcefcc2a95887fd873bae18d

SHA256
3e337922c762e0ad3a0a35e1b450857e466fa58fe9852275cd198ebcc6767f1f

SHA512
57bd7bc870f0d7b780e775f230680c5827766ea26161c0b489e9759c6e74c80970814272676beca981f2dc745c33b0a0fea5d7f15c9a4a0189341991315fa9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsQQ.exe

Filesize
780KB

MD5
d5e19ad32cb5fd7c6d2f6443662bf237

SHA1
08bca8889df2f415053a2f8d416dad58c254a9ab

SHA256
87dafeca6e24d64d70e26d436755b80b52839d50a4b7039319f8609e12a2b595

SHA512
6d1c8910da0be7d674b60fe75f5b0a871be53558923f6ac5b0e799a5d24d5be9dd19004722c7eb6462b382cdf059d049635e5c2ca0d9ccd82ee1658ad84413eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rsci.exe

Filesize
243KB

MD5
ebebb1ee3cb399db9a65d897e534d0ac

SHA1
72dacbc3364fab2ddcb1eb21f07d8e6f9b95d651

SHA256
bb2a6014960a148b9ff7da9d3fc4ba82de66c239b0bcea9e36163b380b1ae693

SHA512
cd341ca8e00fa1ce903953569aa19d9516929fcd9d7238aeb672ff7af35dc9d860ce7d7fb04d9ec59013a4184d2ee5183c3ee8d9ab998117c51cb9c03f4e490a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RygIMQsM.bat

Filesize
4B

MD5
140fbf063693daee0bfa0f043ec8cc44

SHA1
f9f63238d7a49323a18dbe502c62b2f7bb0f1b88

SHA256
1e16be06145ebb4f7ba6b2a406a7b263855b7df4920f581b280c18ab0b7f93e0

SHA512
2f5242f2c164e60b216b4dffa12910297e7caf3e82acadf5a844345fdd91c6acf5f59838f43be43a4096e6ade34202516d845e782ca508cf7e2a614cb77cfd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsYQ.exe

Filesize
904KB

MD5
cb24003893097532dbd4e83bd79ad602

SHA1
750ddf3e63c757d4fafd211c5ff6826a5823d6de

SHA256
42bd5c5f49f6ec019d7bd32f0330bd277eafe82f8b85ea52ba61ce79cea1123e

SHA512
214c74abcf8ae02de5bf7f346907ecf3258bdf097a7712f93d901c3f46b71c14af855a35b4deded9fc57e136ba17dc99e63898f259d5e839724c4dde705b8435

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYw.exe

Filesize
237KB

MD5
3146e0d7b77955fad91535cf7ae9fbd8

SHA1
f63cdd6f7287ab1b83acbd0d5173e38ab1c47c02

SHA256
647ef104f85d7c0eac3fc9ff698acb58e9f816760a0206c8267833effaf8bf52

SHA512
b703e7606821aa7a38e08623735d459d633d3ac01f5fdc13b1780ed4493ec4399c5bda6b9dee0b31661c69717a5ec727db25f7aa5d57d0bba90dde7628ece1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuYIAoEA.bat

Filesize
4B

MD5
f3cc31997bd6c95cae77dbb0ac455042

SHA1
fc4d5cc78b34c357d13b2a879566f827267bebaf

SHA256
d21d0f766e2834cc3e81c8c01c57760dd6c928b84cf6138f45225e136568cb52

SHA512
52bb9c4da7a325c1d8a6efe32b2da253d17d1a5f14bb2e44b7dcd1a3e89af764c88c9c8bbc2f7686c4a9840a9b136ba1e8efedb8639d2bae119e96b9cc560cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAAa.exe

Filesize
229KB

MD5
df2deb67e416c604e18758250720bdbd

SHA1
aad1f082f1afb3ff59aa2eac938b25df51ffd8b2

SHA256
25a128e081957c9ca38674950420d5b4b9f64b19dc68fecc72e8a4260b4eefe0

SHA512
e3e4375c24250101683d51a155fa7c27b6f25ecc60dfbb575fbf38a8849fc28c3419319662f8e9b55f784ad68e5524ea9690a47373ad466136ee4a31985c02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQQsYkoo.bat

Filesize
4B

MD5
e659ef10c6d682cd7c991c6d04e63376

SHA1
f6b04de3384b3f0dd22df41b0923c7a219a3eb65

SHA256
fce53aaffe985b926537b59643ea669c68ee81985fb2e1d4d69520f0a12f39b7

SHA512
0fb38e69a844d3b639cd1ddacc42d5cf5a3c43395bb7c84ebd9afb5475dbffdb1e71c948ee071e73903191a8ba9fe647d26f30669cbe13574f219429cb10aeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEY.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsgEwcIo.bat

Filesize
4B

MD5
fc8d2366bfdd0aa2c0f9a7d1175360db

SHA1
fc6b6cc53b37455c4a5e172eb1ade768deece285

SHA256
0ae761e9e2fd247c162c664ac888e08bc452bbcbaa7b1289969c9c9fb325ff3c

SHA512
a5a628ef77d2f3efbca8f2ea2306478049e49edb9de20f9dfaeb632d1d114ee46f31d4cccdee236c91076b1926758856690f525aa06687d2c2e7bc98daa61cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAky.exe

Filesize
244KB

MD5
6f501d8337b76153a6e0d6d04d5353c7

SHA1
911188dd6e3d1a94a71ee9c33ecc18606d9f8672

SHA256
a01c0f3679702b451589ba56e9076c161ab5d02478f1dbd0584ef9669c24aad3

SHA512
7ab243388731071000e8e998f3dce2adf9c33913fe205af4a6b16f899e09180985f43b8b4470ca509abd303b7e54bb5a6abae529806d73b742cfd66546120434

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEsK.exe

Filesize
606KB

MD5
e5e7d854ded35955ce40d9b00c6cbac6

SHA1
ea255babb5823996934ff8523874398c7f7f91f4

SHA256
bad4bbd6c107e580db0637b168e210fbea704d4ec6e371ad8fc574776ac0ac45

SHA512
2992f2a6ad7dd7f2f4b104a8311ce8dfa230450d7e35915dd68925c6c840e07de15cf329b345f576443728d8d65cba8472ba071de731458a92cd0a009a44a8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgUG.exe

Filesize
241KB

MD5
b65aff2a8a810aea500c00b769b16766

SHA1
dcd2dc1e71226e58584d4d711b660052c3fdea9d

SHA256
b7b56bdb37fff8f863542663c66f28fb70e7ad407716f283e57e5bf898a926ac

SHA512
8013204a5e77e4acb83a6d8ed018b15f6311d564ad522f0d18aecfe64e020fe343fb78bde97760477a7595d1e3f095a934aa7ab2967e70d2f5fdac2487c53c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwYI.exe

Filesize
631KB

MD5
fba0b5a165e772f454443f631d156992

SHA1
d9c08fac11226afeddfe21e20222c2538b54a644

SHA256
414e396fb7768b8497c06b0196169714579d18fe4def7f00c0f2a4b5253fcb91

SHA512
049c0437059827b10a5eb1ea1e9f49fbbe63ea69cd5605ea540484a9e5076175f25e39931b799a0d7b0e34f90ebdd389f3e182ace45ef7c6dd8eb9b252e771e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCAAYIAA.bat

Filesize
4B

MD5
a5cb703598680f4bf9e1f4e3889bed09

SHA1
d68ca3ea0ce1a2fc4cb64f11b023272c931a4508

SHA256
136a7c6c0bb44f6288df1a271f45559bad6ad4a5371daa54760d23c06e8383f1

SHA512
c58b2fa1b2ec161f8c366229b19adfa7002b53bd18320b00d4f3424268cf6eff6dbbee505a87a5d329a664fd16908e3f5aee9755e839886c568ece1c9fec746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCgUswcc.bat

Filesize
4B

MD5
c451c4d2616a0eb573c5da806d81d22d

SHA1
c93db27baf0259417af357411815aba8b3dc84b6

SHA256
00c9a2b8d7f3b98c56789baa5962b93c05806a08780d335047fe0a66bdf293f8

SHA512
3c87898f8973dca52f23e46c0b34d28415c1e474abcbf8b6b10ddfe678f1dadb8edee5265dc7c5b59e9fd4052c58b9b543d865aa1fa0ef7ca701f757fb2525bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIc.exe

Filesize
240KB

MD5
934618eff8ed59ee189d9599c994bbf7

SHA1
991da8822f4e92655c5fa006fb9616bdae3fca74

SHA256
f4cf5c08d0325822dd463f9cbe6b89cc9764a822270f89ecf13142e0ad4a2f0a

SHA512
1aad8e7ad1795fc244a6a9cb1cefccea66ad319c93009a098ac879b2d2f18287f04cbc46ccf07950c7e49e43fc98875016df5da7c59261e3378a9b50bf2d24ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUcUQkgM.bat

Filesize
4B

MD5
66b630d26670750b66e5091cb733992d

SHA1
1387aaa6da1622b8c1d8947ccf57579aa5188d18

SHA256
a2b129ebc174bbc47e4a094f37f913baff0a777e92f0b66ca7dbac89349a279b

SHA512
df4e7807fedb77e362e6fed37e9d4d2d63059578d2d52f0e5fed4d822d956f885861570c8d19507888dda469c0b652a2721db2e012544dd016d2611395a8ea5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaEYMwkE.bat

Filesize
4B

MD5
457f3828c990d32ac5468b219f637548

SHA1
10e0f3b5bcb4fe3119f62f518e231ba153a690b3

SHA256
fa16af24bcc40424eda8b74d28c2162904ce15b88a511a8c609cf959ca7145d9

SHA512
ee328527f7fe7d9ac461d5a9cdfbd09319e13ef4682cb4edc5c0db3844703e4b7abc421e9b24d07d65d861407bc4335a3b18e4928f3da4befda5f2a982146d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAYwQYUg.bat

Filesize
4B

MD5
ab9d9908baea4d483555b80490fefe51

SHA1
3d45669683c824dbdff4442b908fc1ebdc9914c7

SHA256
4197335df146ab7b1c0ba97f71b7452d56376b486cf916da1f1ed5ea5fb1a2b1

SHA512
7af849d66d90942ee0a87e76121d20381cbfcd093ce5967c433b1299a0ad5b9c5b10349bc1671ff25a46516f5fafe840033b6082a812aab812ce09cff12494fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCUEAAAw.bat

Filesize
4B

MD5
830922cdb175c625cfb91ae1ad8c7354

SHA1
df10a4ab2a071be413aa5b073e05abe8afbf294b

SHA256
90c2d1548c48fcb890bd94576f7db3476ef64c5b24123302577a1ee1d836f173

SHA512
73227789212df9cf7057411d3eeb745a1a07734c0d3db96cabdea772c94d7cb322cdbf2510f291fd1635ad09305f57eb21d19d1367a60bbe09c3dda24902b6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSYUYwAI.bat

Filesize
4B

MD5
511f1d4959b0a4dd8976fe9ad307d136

SHA1
0831e56e9512ae2e5300e8bfe36a7f6b7381f5f8

SHA256
78d69283e5323a3d1f2115d74d3c792a61a3a8b10bedab85327900b84ab6b8e3

SHA512
1bb285d447d6389b65fa5f527fdba4d17879ce3e72a25daab47510f235890e95fbf083964581652b6d1c6b64dc5d2f69f873ba7cb5c7589afe644ba4e27b37f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeoogYEM.bat

Filesize
4B

MD5
1a2354d3536288a8cbca7c34d4544756

SHA1
a20cc677a5c7ac34f9fe523590c955921e6f69a1

SHA256
05be351574d487ec82cfa795df107393cc3e75ecac629921ad87115610f083fb

SHA512
c36e033c49cbb92595ae1af286aa8acc230de1de136eda6a7c3cfb2917e1adc2355dea41f1024cc3aada8038b6ac3c08083b1f70fdee26a3b6a8bed211b4f550

Download Submit
C:\Users\Admin\AppData\Local\Temp\XiAYscMs.bat

Filesize
4B

MD5
285032f7be4aef6b3342e4de0b150e75

SHA1
0e0117a9a2b0d44648294452072f1076c7ff5e69

SHA256
e935c6ccf347e089cb990ffee87a4c1aa012a3a60700da5ee98040d5a1ac2bcd

SHA512
cf3117915306dceb47b5d789e46367f4747a98e36c84eb2bc06f90d89abedd3188030eec70d4c0103273a091573dd87301e95c16aed0112f4fbde7bd3bee8bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XocUowEQ.bat

Filesize
4B

MD5
44347f7f01e6fae3afcf37bd58fd62c3

SHA1
e72d5f684e2efc2b798aec5fd9dad3bf149f37d3

SHA256
8696736b2704cd7944b169681e24212a03c80807955dd5c7bbf4e63f7342a4e1

SHA512
e3515104d8bd4f5ee8b010a73bff298749ef77bee9cc398ad16c51504922c8171b1a13c0aca25aebc43a810f284c1c17a6fc81ebacb505471fa6912d7d486dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuIskggc.bat

Filesize
4B

MD5
8affc5abd80af410e61ba4bda0bd72b7

SHA1
70c833195586c8240768da9a154a01a563946ef2

SHA256
66648573db38771f985f2b9bfe28e98da4f85ac17c7a66e2409def3f513b148e

SHA512
9cecd7066be18096c23edb22a9d5f99f49d0e97cce717f28a0c00e611055777ae825e883d21468aae38c6e586946049940d8ff2940b7a7180e4b90fcd9f9f897

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwIw.exe

Filesize
249KB

MD5
3a3a1f90bcc1e5af82eab9d4a1ce16ad

SHA1
8829fbec7d6dec525d761e6935ec52e357ee5358

SHA256
26f606a8f1d7fa951031889a94997da609d03ccc60453282f07834f49b940a0d

SHA512
0e7db2a3ea17bab4aea63f19cdda23334dd35886ff43654905ed445aef33171f7fc80524df1e6ceb334260e4baaea35e85ff802fc1503367efd94a064279b806

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyUAYgow.bat

Filesize
4B

MD5
708ebf1b4dea8b08ac73f08bc51f5069

SHA1
540655bb9e253bef141587ffd6395e16c9e83785

SHA256
14a02ab6c41ae16a77c55cea38d04097eb87a4091e6325eb40d51b3a2aa9c8bc

SHA512
3da47427ab9e4ee7b53f6db7bc9705934bc8cb22b17d532490469b34afd39e25130e9f132ddbdc5a91af34d553a76229e54d50842f740a74f7ee25d5552c29db

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIIYsIk.bat

Filesize
4B

MD5
39803b6446dd1247226d9171d7ae9a45

SHA1
e24917bccdca86caf761c278edc19dd98eb01a28

SHA256
5d97f6d175e3940721f3a3d1e382837ba0c674a2d696c02d61e35ecc14270f6e

SHA512
000be2b8064b42f0ef06bc956f68637d4dde5135b15af3ecb273a095f189c6940da9204804ed8c67b0db6fcd455f8390d57a3f08ff621e30d8ea5445b73a2bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgYIUwwk.bat

Filesize
4B

MD5
d5bd5d5c97d923826990b140eaeb0fc6

SHA1
0db7feeacf730f0b24aa350180dd131ec3968629

SHA256
1985dee30e4c0d63f4ded647a93059e47096ebe96bd2cbfe821a80e4a8ff7dd5

SHA512
5ef6ba3edb3c79e0266bf847847e1536860f5e7f237466e6f99220ae8e7d109d73d5d02e80ed7afb9eec44fee6bf89916bf3ddc0118a0a102c62888d732281df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsQw.exe

Filesize
741KB

MD5
c00e78f44e26d014f9a862ab6f711d3b

SHA1
3b0c5e6dbf15411e1d6340dffb491cfb49c986c5

SHA256
05578d4ce2b32e12ea89190eb224a343aba4b60836557d9a56dd81f2ad5aecdc

SHA512
b8f6b5b7b039e85266980afd380318c6d5e7a7f1745e9ed40dd03aa8204d1b3a47fb3cb75434ad2f517509bf3f239b5559cc008ec3126c50c822a231aa4c8007

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwsW.exe

Filesize
959KB

MD5
b578e6e9eb344f29bc91d008948bce79

SHA1
10182e7418a6408374f15991a6b336796297d1c2

SHA256
b3e3eff22bc46f5bbe0c5c3240b797f86c197dbb60563a5e84f0d1a70f021c9f

SHA512
b56535448beb63eac70f08b620c7657b347756ff3355e10159ea2559094c571ef4e8eb79aa7ff90dda95124d2453a1f9ba9ac11269b47cfade2a61d96c224478

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAQswkgE.bat

Filesize
4B

MD5
20c8234f77defdd7774b120aac294223

SHA1
c9bc22aff88e41c62f597859f20a376c31411005

SHA256
757adc2529903047b8264ddd722aff389e1bbc05c8a7cdb64b3bc637348433bb

SHA512
c175848b5871f9dc2fbb29541330c36f824b9bfb962fdb4dd1c3b5ee0b44f58d9bc3746739a8cb7984ccf4a81a034f63a330314da3366b9bdafbb9a7aa912d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMYI.exe

Filesize
229KB

MD5
5fb1ac18a604bc356a9ba2e8d049cdc5

SHA1
ee0465d0f8b8e5b8e0347b46178019ce024ef2c7

SHA256
c8af6f1bfdc2c3b09a1fcbe1205ac65973943226e8fcb723c2a08783e842c48c

SHA512
eacefdf2bc9f55528012bff2632a34982cc3a578ca5fa77956ef6a40817bac0c37f1401853ac215f44554e0ceb497e8b552d985abbec7b4ff48e6351acc48711

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQMM.exe

Filesize
249KB

MD5
9af1472be64be23ac6d093a0f613419a

SHA1
3719b42e82e02246f882095195c9d656f47833d9

SHA256
37edc64d6a9d9ec93cc7e1b6011ea672b3226036bc848d1b587a3966062ea9ab

SHA512
b97cdd95117d153f8af0aee2d466dbfbe342217e96da1508d30ae212a7524bd4cfce4704056eeb3bb99f7fbcc6c55b5203acf7112afbaf760758fbb6024ac217

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUwk.exe

Filesize
227KB

MD5
ac453c6d1e1fa6da7c871d10d373ac56

SHA1
fd3a292ac2c999bb632229ce40caa8cac65073f6

SHA256
9d6f117c4cb8e93e762f6dae2117433d4c51fe4356d646144f5c47b34e08fa5a

SHA512
9865f58f2bf61e27485c60fe2db0ec6742c0ce980ad5f4b544cf6b1f656096029ae92200a5c4a2221e674d0cf464b60067c4f1b415590dc65683dae3c87d4051

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYwM.exe

Filesize
549KB

MD5
b992d1a2f9af0f63d9112d9259ff1c3a

SHA1
c4482e3d9d9b611ac5871b6b0495c7b4f34f1f80

SHA256
8d596f1a3349f57eba209706b8e74edf6c4b619990dcfff93dd590f03bf40bdd

SHA512
814ef13125e1a3a9666f571603e2757ea702de3aded7b046bc9f60524639984f7d99bb9c85e85641e398e5a0a5a24ce6a4a0fb6bb79e24d104edbd38c8ba68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcIA.exe

Filesize
228KB

MD5
75ed711669c42c0e843ebfc31c30c07e

SHA1
c484b96d96ba326833144390873f8ffe36ff5e18

SHA256
1e548c7ece6e72888855c540756968db317f82f051328a406a66f3f9a0cb8396

SHA512
3004c9647d807ad32a6d749962e6ff4a1fcb77886470e14189af3a46f4c9d9a67a6791b0faab90da2c875894f94231824e8e7aaec499fdcf97a57e9c16c71ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEsY.exe

Filesize
658KB

MD5
f3b09c72b279e72b9f0c09887a7c6398

SHA1
801893cb3d7f2e3f18f8c26a99559ca6e0a90408

SHA256
8c95ea4432720726f09bb600319aa8eef26059ea291cfe8aa7c518389889176e

SHA512
b7c863af44db596ba52abe7ebc4b95496e2e3d34d20154cb53273a787d3f8ff76625014509d72c1f994cee71e26f4fcec4d7adc94913e39dbba31b51bcb946f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAa.exe

Filesize
327KB

MD5
06bf5a5d8f18a14472f04bde689fd1e2

SHA1
a89e858e90a8b01ac81562ee4d317398c1bed6cb

SHA256
71ed98de67533daab2942d0f0d47b8b3a8d58e9969937bd06a0d9da5de1a62e3

SHA512
06d68143463ce88a401b031384980eb2ad6200d0af575e41c34e7c77712481240855d02fa46d7f201ebfd40e9ea5347cd4df93d1f45ab1510c6dcf5f6bf99e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQAw.exe

Filesize
234KB

MD5
20b89c13e3a351bd4c5d9e7f796518b3

SHA1
8331bc36792ec03438c77a16b03ec5ef5e1a3281

SHA256
f7eaa9ba8d95a1b3fe82047190cc55db2fa23e7ce83d9fc7045fc9981cc8cafd

SHA512
6247595f3a318ae8bfd41f60b198123c12b1bb21d33f82a8e4ec4c0b216069279ceeb57aafc5fc47efd5b37a13b3da98006933a2c440d927524053cb5a1194d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUgcYMwY.bat

Filesize
4B

MD5
2b48d5be015c77537e130ac2e038ce59

SHA1
23ef5f7bd162283d9966c86c793f7c1e4289b92c

SHA256
2f72c7f011f37009d8254c9e5ad3bc6fbbeb44a32748916ac2abb7990b42f15f

SHA512
575b593aba93468072fb25a9e63cca244aeebd6f821dd70f307eb0f6c44d41e11d3c023b2992ca889c6668f373f74f18cf9fe63f2f808d690d53907bcb4275ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmkwUAIw.bat

Filesize
4B

MD5
5b44fe396907e9c39c60f3ea1247c5ca

SHA1
5f7a39a7fdb36e04467526786182bab0d5d5ed2e

SHA256
2c9b0b956cf0d59e847e9e1a917a092042c915a063680456316cb07c7c6998e7

SHA512
4089119792d801513a9e5a29dc04b2a75b26584ede01eec261db48265bbc38790b2a2efc358e2859524217e86f499af574b22917a7d41b5b33c3efd95be17468

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYMsgoI.bat

Filesize
4B

MD5
f269491ce3643d3ddb5348f5b68df632

SHA1
100a59e55be1a38aa80e46bfb1a6f3f8282abc32

SHA256
6d51f4db3f19b126f345f65f828868a124f718d945bc550c214ad96f4c6c46f0

SHA512
cb25a26df4623acf0f6bca206c6e7a4ef259ed095cbfff166d6e08d1411c1cb837034fa9dc2852e2c28ba7500c16c17343725b075729e22f302d6905920c0f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWAkMQcA.bat

Filesize
4B

MD5
746d56cb4a7f33d81aa0ac2476c1a43c

SHA1
6909227121a1c6ed69aac86756e3b2f2f7e144ab

SHA256
e371a04d6279d8f4139f448f66c73a104ff6af55f0d509ed99df21669f09a5ff

SHA512
e3a655957c8a01d228562a145e1945b2f87fb23b0ee40cc87920c4778cfa947448624a6e6eff7f5777466b919edecf3225323d3ec207bab06984444f6ae9400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciYIwMUU.bat

Filesize
4B

MD5
c57545b7ff1bee014ae15e00c48a5d6c

SHA1
831747f185c0810be5c9634be12f5db374a20177

SHA256
df79f9f49aa2aabe9496a2931220ebf258b90aee18f3f446b73015c067500764

SHA512
70de86f4c247959dcc780c437bd58b2b2e0efda5da0ac26e1de6493ba2cc641bb081483f63a9ed37a7221858a9a4d016ffee32f80012f8d60f43cc2251179d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckIC.exe

Filesize
249KB

MD5
20aad80c35b43d67f793992225cb4f5c

SHA1
e11515ebdd086990649333594fc284396747cc09

SHA256
2618529d7e8f54890a54f9a0efc4a83c1f7e55dc662e6d26b51f15d87317a11e

SHA512
b30c28349a401545217d58c010331cde3632d6f17d8f57092c698e6f1115c2c8f3ac2d8efb5a75d74242f5fc97311015275ea7bc5c6085085463dc3495e9dcda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckUcUgUE.bat

Filesize
4B

MD5
f1e4bcfeff39ea0636be2b6d0a254449

SHA1
69473a654ca5b3da24c9a79286ee681ae880e64f

SHA256
87db2efabad446c6a8846f583d896cddacbfb8db4d7a3bd0bb6e09128270006c

SHA512
b42a1413d54493a0bb45110f4ca52746b04a0867a8df505ecd7be483db36b13e90dacf6164a4c839f64cc2f31a80c4e9545b408343d76af505b4c419047a2b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEoIIwoA.bat

Filesize
4B

MD5
2b07d2de2b8abc28e55bbd867e4a8933

SHA1
7b5036306c56fd05557b72972a67718c1c1d2bc6

SHA256
0adef603499048243ccd1533f0d3b77bfe65f38422571286406632d4249b41cd

SHA512
b958251ded0748b8bd38f9a45d98a3fdde276321455a6c569c9f4dd4f5e023d0da25ffcbac6e2471d9da28406c6e9dd857f8f34059831bd6f3937e84df2c4430

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgMw.exe

Filesize
727KB

MD5
41b3dc98ae06039b1cfa08a6aaadff38

SHA1
17ddf2716ee97a02f87f2daf6abc6bb38ca7ea09

SHA256
712267f797acb7b40c5793d6379323b621d8327bc73302b573744a44b8016cd1

SHA512
14d6db53c5d8abd031ea6485d9fab0b9e6cdda97653cf0d3de8a3db3596748e6414263e34b61454f2cde790b4beea1b8420d8a22a07e965cb921b15927f1f629

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgwO.exe

Filesize
1005KB

MD5
1bf65783f8dbf0e750c98e3349635aea

SHA1
1985152fe0ffc0a97cb711b985a5c45e26c3993f

SHA256
2991abd883027b3ca3f8d232221a337075810c2664f6a9d4022caf0e3e28ed97

SHA512
44ace8d44d99d08b612bbf545a456ab14c591e586de8d4bba798e5da194634748546caf37f78587b509b71da7dfc174cecfa2d6d6f8c6341f396ac7b6d8b7693

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkEwcAQc.bat

Filesize
4B

MD5
79effba54579a3a2f6de88a25be25066

SHA1
8d17d61079b478b3fd087af5dfe92caf3a432f52

SHA256
63f75e4d181725add52868bdac1f28366a7794e3605fc7bca6cd77e282bf0c10

SHA512
724d0ed2b2e2c3725c4d23baa36f8cbcb7f735b766feff58c9add5d3bbef514e824f7a0be535e108be88c3e51a549d8245940aeaf2421e86301fa96e512530ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYES.exe

Filesize
310KB

MD5
a058e2edc3ca3a6ff0b62232ca3e48ee

SHA1
3ef5a4589db1c1df99e58040bf53c614560ace4e

SHA256
3578d19593dabc700bf4823e59bb28f3b1a870b258791db8a91d427738786335

SHA512
8469d1e5c5fe0a9ce66dcbcbfe5602d9aaa44e8e61c19caee19dce216a8cdf77673fa815a0b96454e458bab204c9a533ea923d035d9d5f52c40b3c78c77fdc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEgIkgIU.bat

Filesize
4B

MD5
a6d6ffb51259d201594ebede740bd5d7

SHA1
2e5253dd969874106b39bd12804047972fd85380

SHA256
2afd2eaa36b5c7047da5980be5ef558eb76f63e40657683ebc7b862611de70d7

SHA512
30ffaf10d50e93fb2273cb78cac2b0759998d7257556e6e5e529778d98b3cef6032b01519d41f7450c4a2cb715b3ae377731a8b3107db42ec63044acde4586af

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMgs.exe

Filesize
238KB

MD5
7784a742ba17e4bc66b2a47da4622b7b

SHA1
9a45c5572dba5735b87377b9a4eb57dc674cb7ac

SHA256
e900e1a24f81bb1fe1aa77c4d3426483fbac8e522471273521dcd9c65fa19012

SHA512
3387b05d732ebeafdc32ea43b39827e5cb9cc8e8d2674ade9b4bbe0a4a7b383e244868886f1bfb8d1970ac57118c85de30f5cbe7cc5e2230849bad8121d63a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUUkggsQ.bat

Filesize
4B

MD5
65c20d7cb9cfc70c292f3e9d14875d5c

SHA1
08bc8cc5d295db1a4cc02e1114d29ffa25aa9926

SHA256
b0f47367330b6de20615553a56d9b2e78ada6206351a753a297c6e4da7ac4cd8

SHA512
bf3bf11deb164e297eee1db24266bbcab0740dd580ee3b9bf1aaf838e5189e080986705b5e915d7b9e64f01b03b706e2c2ae772b8dee0c8043367836efb6994f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYQUAIkc.bat

Filesize
4B

MD5
889139051281260f14654026e637c639

SHA1
4e03f2804ac40aa9c96d7d73d62093c1b2748c49

SHA256
37d6f85f8d58ac888637016bc17193ea39d54899a12ccacc59be81c48e6abc18

SHA512
ed9db2a17e5de5dab6436f2a8dee01a1136b42221676e1805d5709168802d8a9d0725fc83604c13c166516119cc793a25c2145590cc8e327cb805e32f1577d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYckMIQc.bat

Filesize
4B

MD5
2b112f2513f4e452fa1db893920b745d

SHA1
a6b16aea0e410f55b1196198072b0d104babcea7

SHA256
89ce504ab6ce1b457141e6da43c9acf171c7a23cf8cbe9c2ebc3971bb32216d8

SHA512
81a7b4cd4e9405a0b13d05f1170341fc9a46e46e6431b8e82bac86e936f1b53719eaffd23489cb4e5f60cb14255f0dabf2b60758d9faf125d5c32036ef598f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcgU.exe

Filesize
235KB

MD5
3948dcb4c3caab948990a3012992d545

SHA1
49e953d9da758fa29661af75be62be92b10c61a4

SHA256
7ab71876b9e0ea1a23191a7ae0129dea220c6f3cb5e6dda08aef85926a1080f1

SHA512
d9fa6801bb52da3b2bad39321c01cf760a404eb087cefd5fdcd210a567b055df24f53284cbc56ba28bdd3ae816dc9afc0def36127db04bc0e39e0cf73104d27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAks.exe

Filesize
249KB

MD5
669c872651931279c859a9b87d0c2139

SHA1
6104e243340f63e80f454accc139ead93f8705e3

SHA256
d24f0c27fea03ad5fd31932483584c58589b902122faa2efd372aab32f791f68

SHA512
cc3ab6aba2b6acf8e8197c93aa0dbe3287a6ecbfe380210d955d0fac0ee57ec846ad3c2c569a149284424334397d1e14cc917165cd72329f81ea2046729b85b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEQcYIYg.bat

Filesize
4B

MD5
6a0aa6fa573e3bdd9220824a98677f39

SHA1
99492ca1c59dde3730c784099a5afbc3ce26ab63

SHA256
a3da21e579edda00d0ce3d082bf5e0f2702c80f57f637447d92cd1de104d71e2

SHA512
b6a0d8900f1a79d05414e777036ed98fa28e59cf923fd8498e225aadb7b6b56a92b03de2f545cf03b958e6d8a60e44699f820b8b0f4296813cf273921fe1b494

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgUEsUc.bat

Filesize
4B

MD5
820170583ddd11510d08f226a8e306a6

SHA1
a8e8989267303ed7f289c81d227c3ed095d3d20f

SHA256
d443d8f3a77af175cc1eeaaec8fdd0514c7581d7325acc2349dd0e1ffe0e15e2

SHA512
846568d279621575d1abb5c665cee35c17dda7fcd32d5d2cbdd1966e08dfb2af06de2f5bba8e35f33a29a10b20915a44fe7e9a03e26e8213aa86e7bb6e6611e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\giAsQYMU.bat

Filesize
4B

MD5
a4e47f3ada459f78928b9015a87a67f7

SHA1
e061eb2a0097300f2b900d6a42e3f60493f69b99

SHA256
bd2cd8e9fd777d6e57f9b6b39936132752280e98b74cca4c485202de45e69d71

SHA512
61d2bd7aa5d7ebfcbf13559cf23c7b99b7545eabc2dc13a7ab0a2f83d4b7ac3ac46cd0afc3511886ecb59826dab950a8da810fcb1573b68550111d154a767209

Download Submit
C:\Users\Admin\AppData\Local\Temp\goQm.exe

Filesize
230KB

MD5
9794a042d03dda94c76de04ad4f93046

SHA1
b47ea3ba4d9989db0f50823f2d7c9ea787b7a73b

SHA256
163234550ed003e4ba51e4e41ae3a1c44b3975a3ff719235eb52705f065d41bc

SHA512
4415b1df2f6e4ee5c0178ae0c1eb635a5583b93fe05b03faf460c88ac28c7dce6a47e00bf31ab24a19a7977376b817676bb7a989901fe21aa3980581f2e0cbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscgkAQs.bat

Filesize
4B

MD5
66995af8819033c75ca10a1062a56759

SHA1
6c398fc82cd129f169be9d98613793c7be06f7c6

SHA256
b7eb061a5d58a6830a2a204dfa377dae32ab4c94acb055073acd5a881a0d9ee0

SHA512
4be17afd23e8ae749149e893fb6e53f9ed2b472febee9a9931331ef1a6df95a0e83e75529dd14807f8f0103e8791ed272d451110969be16bfbf5f096a61145a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAAq.exe

Filesize
226KB

MD5
a53155d502ab8e113e511d0121b51872

SHA1
32049ed086a78a8a9fcafb233cf534835140373d

SHA256
3da885bd2c5ac904dc60978cb513abc569c72fe6311a45092e4c253d050bf8ce

SHA512
00c21a581852a8ed12dafd3309177b4cbdfe91b3da4365958562070016f11c581bd3bf228c877b5e971b988f006ad151aadf038d203fb373a50492dfc93c4f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcMc.exe

Filesize
227KB

MD5
987ca6b589119cdbd0650c972b3e23a8

SHA1
51fa27b06222d6ca553e7cb51b89ac42429ec5c5

SHA256
285223b920105fc68452113d38a27e7b82e145a30585923a7fa68b974b1b962a

SHA512
76264f6ea0410867d7daebaf702dd56a216a29ca8f69f01ad6888892f0c423b5463706d9cc8d67fd50924b12ef34a151228f80abe69e650bd03952a7ab080dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWMQUwYk.bat

Filesize
4B

MD5
64293d7cbf8002d79d2a714ed65e38d6

SHA1
372ebc90113faa435887615f70771d9c445c97c3

SHA256
d00254095f50ee6ffa2c437851bf32a4aaed9e944402381c052025e1a069e192

SHA512
9604059771cab75cfb0341f7fa3b36a211440b7ecd86b20fa09871aa69cb61b220170f91a7eeabe54092acbf4a1e18a6c9416d7441e2a270361cc3e5ee9cd2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iakoUEAA.bat

Filesize
4B

MD5
d4e18a908237c13f75f48b40bf2572bf

SHA1
81b82ffc6a57201eff27a0fadf54043d055a4eb7

SHA256
2e6c11e613e9e6ed8b23b63f9ae730ef4ac1f1909e5cb65101c5fe668d603eeb

SHA512
ba2032945bfaef31fd6514de12e52ed75f42d1ebc7a5edb35abba0d5e8f523c13828cc1db6b73859cd6f135fe26851b86d98cf1d10c0bca7eb45d26b2c43b0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaoYcAgw.bat

Filesize
4B

MD5
a3acd4533e07d3d043815a45f0cc016e

SHA1
31eb475ad95b66b2f2e080235f40d74f5a650805

SHA256
a0c3e6dbf07bd0d78cc4f015145dfc66968c4c7fa77095b064d9b16010fdca16

SHA512
153f5cbed8e6e28eaa170d5c22c96070a117f0317507202fe1bc60bd79fcf172eb6a4fb1bc0ce75e2c8828af06df54a526c97fe8b78fce07f4941e357e9d0dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iowk.exe

Filesize
233KB

MD5
5943475bdad0146d7d09a81993678686

SHA1
0a343178cc161f4b7e60d8d97924c474f64016a5

SHA256
05be66257ea62a4aa9fcd693c615872a3d58be566966af3846e6781eab127c01

SHA512
91f64e9141fee2421a736a0acf5bf8f2e13c97c04733e132ec844e4b5a2f23e0756aec5048591b6aeecfa9a0de7c5cb1f7298ed3adf63d94bf06febbaad4b48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqwgQsIE.bat

Filesize
4B

MD5
fee8e93376575541146e8b9e1bf451f1

SHA1
352c6450f83bb827347dc9c256d0d28a28209d90

SHA256
0cc90198f94ab11b5c08eaf37140ba8ef256d17587a8c4f4f2723536f3e56057

SHA512
ca6b8c90b7276d6573a69709f5c18e101fcd98d4f24f9a593b9c51346f6f4fe84a981fea24466ce1b3a825fae6f37aa3208e576615cb88a99d18d03b63e9c0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIUm.exe

Filesize
241KB

MD5
2935b187415ac4af65538b1adb6e4598

SHA1
535666f7c16b022e2b64f8cfa6350b78b88cae3c

SHA256
a23a32e0ff756cd56d3a4e99d1c3c3379c30a54f5560815ccea731059fee3d03

SHA512
3ecd08ed590bf0a82344076d665868f47b791c26f155dfcfb7396e341df6ad804486472e72a72cdc3dca061cfd706a850fbe6d990f462ead3171da5704661759

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUAS.exe

Filesize
228KB

MD5
043dec6b5b0b15c8378bf19ee2e89569

SHA1
0fe2a9728249b53b7c4c77c969bb9bdc06c7c4a9

SHA256
623840df029fd04be7da075eca0a549240ce6bcc667519458ec7f1c93295b30b

SHA512
739f9ec4a82c89df43e640fc1c5fe38bd636e926770544bf03fcd3f6131d74674f30e752d34e9ae176c4201e89518de77194c9604284a6d573ab321413fb3276

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgwE.exe

Filesize
231KB

MD5
760096c033d611ac462be38b8c794d49

SHA1
5ebc227853bcdb2dd36cc7c1d16135d81b33fb78

SHA256
4c9011d3ac6bf9236037ba37f78f8552f3ad4da72f09110c1d29c61981e83d8e

SHA512
307f185b8264895011933e8f43dcfe1aef1c9daf9429c3910a45c944ed09309a8372c351fec073bb927f98b23d0b16d262816142d17a5ea1f3a7276df7984381

Download Submit
C:\Users\Admin\AppData\Local\Temp\jigUcEQA.bat

Filesize
4B

MD5
407c1d847615b695b134fdcc9a0b95a3

SHA1
0eff5483fe0548ab6175c2691967050c60396181

SHA256
7d1cbb11fdbe467654b711360c8a3dfe2651869e1a17b9f6986afef1e037c399

SHA512
0b10f6d3867271bbf713eab4b9a9f0ffba945eecb62e90431fa416d0e57605ad39b213c3bd0df7b6ec2a161179c45afddb4989ec1f768a4a352b99f048f2ebbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jykMwgkI.bat

Filesize
4B

MD5
bd3438b91622023b3bca1d82671173b3

SHA1
f52e5923f400f8730851c350f31773e6f8d78798

SHA256
993b4d29424e69d2ab1539b65d3dadcf73a58b9bba084fc90c08ef1d52b80774

SHA512
4cb30764d800f30c3585274337fed4f226051e89ea3a18c2629fdceb12e17071aa7b49955b00b6c713cfd1e6fce9f5d980086159f59e6f66eb876de04c9a4a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIc.exe

Filesize
237KB

MD5
92d182a039855196e9d94cb2e4f06d2e

SHA1
7a2d3e0f71b5cabf14d57392c6db9d6d023b867f

SHA256
225a7e49f293aab4620c7e15a0f879f3bac1927fe3e6181f0d9f6e2bfce72bc5

SHA512
65df2ccb972ef207617fee6e68bf0bf39b95e95ff4f4ea3e975905b96bf412a84cc67ff932e017e8e1f12908c1e7f7c8e97303c12c3bc0e319ee0a2ec751bafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIw.exe

Filesize
314KB

MD5
51453dd157c333468d4e89f34db9f304

SHA1
1aeae71f43e89b639ebf0be2188d833d8c075b6f

SHA256
7f016eee6d8e33830bee248127f9baa68b86572144a46b285389c29361d65edc

SHA512
3fd3a9bf0c9d41b634fb8bdd78bf6b96ef00fbc3f64597f2b1df9e638e8ffc92ef2dd7219c78655ab78a598b05c42d30cdc4d1618cc217e1b0edf8787f97f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsY.exe

Filesize
233KB

MD5
8cee03f03174db418f4d104c6747a8f6

SHA1
267db31967ece026dc13540efce6d8bc026b7294

SHA256
f0974bb9ad3dce93f351508dda596a0aa95c930083c2a78d2c7df9936c94dbfb

SHA512
dce78f500bfedc2d892968ff12af0d8b3c97bc3254f638f52661963dc5b6cf53b507f97b6f54c28a02feb2a5f6ed8ff7541f80026f118bac5684ccf81feea6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGAsMwYI.bat

Filesize
4B

MD5
cda998c7a698020138799358ba09716a

SHA1
5d64749fbb9f5a407ff39f0d48d113e33748d77a

SHA256
b7b4d605f25e2e65dc67deb1e8e0b340e2106b6c88763adccf9e09ece6e60000

SHA512
888e1f68643f402ce418142c891064c9d0e690122e763877b7b56d964a7e1bb1b4a661b43a4729f30641d00ff3020b8404f3da3a32118ef73f787494adf040fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMoU.exe

Filesize
1.0MB

MD5
87747beaaac119f5d53314d7e04dc101

SHA1
17e8285cdad35594573ac6bf2f5de966573de8e8

SHA256
ba30e6c59767d335497cccbcc23c310a7b24c523d3406502c7cd717378e976a0

SHA512
c575a8ceb47f37bb2a5bb3e519e9c0c48c87078ffd6257f9e661c15f4dbf0573a0969804d47bd9da0e3e9364f9101b853e9e395a3827a856697ef5ac951d8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkcc.exe

Filesize
677KB

MD5
7bbec729dfb3f4ce90cc65d213b0560d

SHA1
d2f5edc5bf25de9687e8f14f9f94d39e4e08dc97

SHA256
5ae0014f08bcb97faada66913a1ea4ab9d941dae1e53bd21fc24f97c9e2929da

SHA512
7a565124239c8f3ef15ad805e4cadb4ff0eb0fd191b6d54feeb3d38e9747f4ece9c14bb00ee1f02eb2e93905b09279cbed5c2a9a676978cfc76cb54331799a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyEkEYok.bat

Filesize
4B

MD5
88462ed5ecda82e8a0ee3ed4f815970d

SHA1
75a1204066e98fe82a6d6fb0465eeccd862b630c

SHA256
860707a8551996d56471438eb3082a4d2256cf1f37ee2d9117975828b5f638a1

SHA512
3df4e8db56a82cd946320cf74d861c06982911ca94a85619570f5b04c66f4ca1484829b799dbf8b4d36cd3a93a0739c2b1dbc089b2a43c7c57974e563b305f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcAS.exe

Filesize
1.1MB

MD5
6563937c2580d95037a9cadbde7bd27a

SHA1
6be00ad051d565c4051fed463a83290d4757c46a

SHA256
943f616c547e555d1b87a91f0e777dcf1485ecee0b549e2678bd6d394316c633

SHA512
d01f0dbc674fcb51fe97085e0369b7d2f04fb875e7a1902308222d0b90fa95e5c07ac57218c387b03ce709552e19f02a7e9e45dc427dcefbcc224604e7bb3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\liMcgAwU.bat

Filesize
4B

MD5
eeba301be1cde5235d058870ec9b58c5

SHA1
3966e40c40ab9857347b897ac53fb7c6e5320b7c

SHA256
8e50bc9d323cf7314f7c16fdfc3ed321aa310b700b2c94e195bdfeaf84865ba2

SHA512
22d1b4d41be50125c76801bc0dc4f913b8b26b903be3f7cd6b13a673481c579277454c60219c952e532b05d01bf01703135d61dded97b594e5cccc8383b6213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\loIg.exe

Filesize
242KB

MD5
fbc2df12899186f25f2c584ffb9b3948

SHA1
4376bba9cea5c27524e8f24e788166aefd854b7a

SHA256
928a0b031e1029c48c1423f70e641ded63f03eba043f0c49f562703f33992a2d

SHA512
18827ac11a6ccf064b028d46a6368e97cd13e76b592d4480cebc8f5b72c6a6e4f9155b95fa303b641b77f7dafc4874532c8dee793864a5dd55e6b35954c335c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMM.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIQIgAUg.bat

Filesize
4B

MD5
e6aad8755a16d7b913033f0cd32d93e3

SHA1
e45daab7f9417405eaefe967f748ed621bfcaf0c

SHA256
220a83570f75f41d09fc2bc7c0a21030f753ac8f00833767050e45fdf979249a

SHA512
ede930f94f2595664c53e07256dc13d9abcfec8aa60d75dead52706b0914e01478931bdc57c1e4400f46af697e557bf15fe85e9dd4de270e35b645e8cae77999

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMg.exe

Filesize
217KB

MD5
b91ee2c5baa0513de0231b5330c145bc

SHA1
bc784ce5f322755cc15fe0b61e8f04dad117c7b3

SHA256
1bda620b8c8a6c36e1e5f0eabf232947aa7f2dd143191e97b668c0bc986d9499

SHA512
5cfb4e77976a98b3665e0a8921baf893c5c8816aa130e2fc1f95f789360bf297738a16325450858786412988eff64889b0acbed085d70245d8687a1f031d4cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUy.exe

Filesize
248KB

MD5
a7dd8462db1514007382bdcb51fc3ddc

SHA1
3797a6b60450411ef7093d554e51f7905e7c3004

SHA256
58937e94eab1c9d1e83e2421d904833578589c428274198ebc6a223661b35270

SHA512
cf0d3af322fd22cda3146c5a04359b510b837fcc153a60728784ce40005ca88a5c26f5b6b082ab813688406bc522b1e396e1ecea7261eae8d482c5f6e77af63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\meEMIQgM.bat

Filesize
4B

MD5
69a92790b7b24e13eb379fd2cd4c3577

SHA1
4ad6ca167bbeac5cc5fb9cd2d97d84867025eb12

SHA256
f209704fc02a580a1dcdb0178d72cf78f1241520437600ff736245f9d8d5482d

SHA512
a63468774350b9470b9f42f1696ff080560bf3c47ac193806f1aaaeab4e5e761a9b1bec802427808cf54b072ebc0e7ad35805cc2b99c02dc762fd6c31267e912

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIMA.exe

Filesize
238KB

MD5
9f7c4ed3767b7c843ff35674e9ae5014

SHA1
f5ec753f13a47f97253245d3b268418afa032714

SHA256
02cafd106074616f20e5664a233fce7a70afb76efd6a73ea5d2c26747194eccd

SHA512
9ff4e1d9867c8e479bc488aaee28ddb37f047648bab0dd5b92e23dae1514c74b4032ab96ef2a3c098ed6c291bbdc0527f88210b92ab74e8e2ae67f6b9bfcceb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIsu.exe

Filesize
232KB

MD5
b9b438784166632be3521ba4723f39d2

SHA1
beeb199149dce98cc79f3be6dfd69f7026f18b02

SHA256
63ba4001c9aa1e9d551fa8fc4eda730d571cab49200bc6bcd68725ac174d59e5

SHA512
d448e62ca32c6be60572d874aec73ec2e14c8262b1bf5f07ebd8008510a089d288445c73e26cdb953318e58fd383bb65de8c617fb1c80227342909530d1debb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKMEscQY.bat

Filesize
4B

MD5
4c4ec118bd990fe2b64c038f6c0cb69c

SHA1
196f8d0171ee3ea22fbc2ab491714bcdb049f618

SHA256
3e59cfb3791121fbddde6ef62e040108da6d382743479b1d47db77436e5d94cd

SHA512
72f8a3b0e64b39bf148d98591219cf1198cc1afda5aeead96719d2a8bd480547301813c97418f5023f3ef03871c5acc6ead16af3a80faf659f660231b5efe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAsK.exe

Filesize
1.0MB

MD5
0e32e6624913d941950b49f44f375d2e

SHA1
bbdc2784325e12d46ee422b12f2444971414995d

SHA256
d9b0f6c4cd4f281685ec80a9d4a3d2bdd5b50e94402dd0b9ad23531a79ecc35c

SHA512
94ecd3ac37ecb24a0c20a8023b8fa68c094ab865998888801a3264613e24a8f6e8cde64ec0fb1b7963f406e8b7d9353f49f6872f512074cf56251a59a1ee1510

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQEQUQE.bat

Filesize
4B

MD5
ac5fb2fa92244a8edc8cced8c50c3893

SHA1
b6d81193f3307dff571d1c4376b3b1531b71908f

SHA256
a30bb92eb527637273fd30f0556359c452d51aaad9e35cd95aec378a18847995

SHA512
070e444933a3becf1d23a4246df6073f3c7dd6d97a9d6f82902af1e391a5876db9708af67ee3f94ae8e267b3bae775431c5e59883abe444d831c752e6e486eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\okYQ.exe

Filesize
3.0MB

MD5
183f2a24b5a175839d3f46f6606d7226

SHA1
7efc4c41d082b172a3540f528311c797f7ce2e72

SHA256
9a8afcaa1285b225f974dd98f550332512b13d994d42df5e0f802b95d892e65f

SHA512
f84132ee49c5eaf6e7e3e6f7e36e29c48d2a368474bbac3589d60500acf74f578be58a9498c7ed7319fad78cfa198c40fa53e08297c5348a16f9b8d95b3739d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUm.exe

Filesize
624KB

MD5
db5fae4414120456e2d7fa60289b5e88

SHA1
57f5943f57f0152453072604fa7389ac9dd5a035

SHA256
449579a01abc18f954d9dab5a07a27a34d179760ec8d527befb4ea4916596264

SHA512
04a65ba97beb817dbd552870e0956d6cce782b4f2f4c2cb58c715d31d10720edd92477185ab637d0092d5d5d54103ab0fc9ad22d6bd31168ac2b7fabc8b2c301

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEQY.exe

Filesize
242KB

MD5
868a5a2c05d719bd9fb9ee12130fcc71

SHA1
8f6fa2b8b167d1d1c0e2fda33bfc3a31b20beaff

SHA256
b3953ba8e8016bbb7eb5103ca311f2396f4e7ae852b6c69dd812d8e783edea6e

SHA512
11d4bb9e2023713dbf16e746401b4d2020063bf20205ac2a95ed258bcbdd549c6bb0881bff7e2dbc210b62f96aebc6e63a5830af9c3e3b1bf9be07aa31e0c648

Download Submit
C:\Users\Admin\AppData\Local\Temp\puIAEAsM.bat

Filesize
4B

MD5
7bad8a4237a840c9b8a375715ff49a35

SHA1
0ca65e8e52b4bb798cfbf93e0942a8dfdd98147d

SHA256
bdf1cc3381be6469cfe3b69fdedde1a4da28e6680ae55d4e5cc974950427625a

SHA512
a56603c6ea6829dfefe9234959b00726a9759dbd8ddd9d0ac97003c33889a8536a237d510a4c48ecf60e345d009967f4a82d79d67c3e460374ba6f14f8a8e146

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGcwMksE.bat

Filesize
4B

MD5
c923f90f46500a9aeec85ad2a150c362

SHA1
6f0c69314eb6b4acd456120ad9e4bba8366a09a6

SHA256
f4682dee6d889e0fac27591adfbd28a3bbeda4e812ac1586ca68c90ce912e464

SHA512
938a1c36a3374e3fb89593f4a878a545cdf99358025c329a3bc33d2eb3ad1f079c24063184fef1ad0690ae414ee40ec26fefa0c361c4da324c66c9ec8b058c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIYIwQAo.bat

Filesize
4B

MD5
dff6b10665e8c34147ff8f99ac03e392

SHA1
9595dbf3b77a0fab31584e726ca09077812ae81e

SHA256
a3739d3f2afe8c1451fcdd69f27853d6c0b39a3eb3f2f2d540605d8e2da55dd6

SHA512
59bf4df41dd8fc2868da04c74b619b8ace1fce3077bd7b42481742c412093eeff5d1cc705c67a74c2a92a12b9a6d6af755ff5b3e2b3826e244e0a517b9eb8d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYAQMAow.bat

Filesize
4B

MD5
d7d8cc58a675b2bf7baa8c124f2f4ebd

SHA1
621c9917fccf72a3ad7936ec30dd19f5c78c00e8

SHA256
ceddb3a2f24e5da91544ddb7dc5897b4d0ba0f5c09f8fc6c4f7e466ba8ee6a68

SHA512
ed275782f51e3dcb64885aeb950a9af5e137e4ac108bdccfd49734bb310b8b9423df528cb6bd41511c070fc0d884b5f435d39b3d53336be793faa9ea0799803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaQEgQAU.bat

Filesize
4B

MD5
86c35774636765a4c96b4691ac80d729

SHA1
13eadec4f897d0470f312ec460e414e95a910adf

SHA256
320482dab12613389f29ba51dc86499b2ead0da89e19947548ec5432367fafe8

SHA512
2c42910c9b5e4b562a2cbb7e26f4f13be84ba5b3b29e5c9c0f906693065d529d6acacbc4880d205bb7fad40dc964285e5faeb9cb9bbfe2eb084977bf340b6f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEwS.exe

Filesize
240KB

MD5
e8340f94246cb374d6f954e19bb6c260

SHA1
a5a32c89038b8a93d6794103c174b725903c717c

SHA256
ea5d47f267e8db2bc128a53534b5f88935925d0b4fe8de5f8c029d1db1571312

SHA512
4a4e783c3840da892352bc8448d6bebe43a3485c5925778944296614efff8bce1d691014c3f76ee93c37009ef27b81c5bfceb59255951c2e528050a4b5abd0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMcw.exe

Filesize
955KB

MD5
ab4d38044dd8ad4a7c97d616c38877d4

SHA1
eedb5d086f1659ae5b66a7394928732ba74dc5a2

SHA256
9eced31ccec0893dfd45b9e5cc5c9f927ebdfd4533a0c73d6c8760721f7acd26

SHA512
cb496a36781984128164e0bd072825a3cf52816c849ab37c6f52083b99252499a02aafeae72de5620764d84a509fdc35394ae07c6749537ebc7f31b7ecf3fa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUQEgkAs.bat

Filesize
4B

MD5
c8140b8d088756f36a3f1f675c850663

SHA1
e02c85aa2414633d7be1b08f99f92e51867291aa

SHA256
0e51d4494578f3a4e9c716f8fa3eafe054d44cad0a9c1d8bde9f10c46fd4a6b0

SHA512
687d05aea91a534353571a4f9b7b23190a3694cd599c98b104a6e80f1a54fd19c360c74b0445910412bc574cd5e6289fe30705bad6378abf82f39c3a8192dec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rakcMUAs.bat

Filesize
4B

MD5
0fb2fe7aa0b3d1f78f6e8ffe23d15838

SHA1
477e5e1674a7e1cf207fbe39a2fe64aeeab9902e

SHA256
4da3c79af2676220beac182bcba24c0d85700d88b5cc91098f5aa5c17a751d25

SHA512
a863c953e7928710afde9d19be9f0db36fe09648b7f3db2f93c551d8ea5b351186f9889c986201f4078fc3eb8290137ac0286632f49cafa2c5b5436d766d84e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgUs.exe

Filesize
230KB

MD5
4fb2c96d71485e938e95c5695dee46c4

SHA1
19831e234ba24486f13e64215dfb271652273fbb

SHA256
d620b20b64f94426ee2aaf80285ff3e9759d6e96aa0374b6b0bd6cf3c5517a43

SHA512
2016218e24541453ad03678282dbcb30d3d74767b439169503a52b633cd21c881fac6efcca78a00c65e56297f2d8cb07feec21b40b4269241f59fd2fcd731792

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsgm.exe

Filesize
227KB

MD5
fd067c5882e505565fd8ad1e482f23a8

SHA1
f4ce2cea6c1a2a27d40138b9094aa4493573bc3d

SHA256
92aefd3e46021f8e887b93d6555568699093347066dbba9009a6d49968289fd3

SHA512
f7547cc172b6763b5174ada5b8789bdcebe569cec43274d0a5138494cdff0643fb305c1b66d4a3f05e22c999038d2b24c1062283018cf8087de78a2816d1920e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMUs.exe

Filesize
252KB

MD5
144b80231234df3a76b920c21f911388

SHA1
f90cdef9335b8fe5d46a520a1db43dd0aeedfde0

SHA256
becd9268ac86b85631994cc5b3f696a95eaf980938ce5b7767376bf3ab568303

SHA512
611b039e1735cc337ab8537e93b8573daee1c1197df845734b51fe5165fce36091e2f10a1a6f3c91697513b4e1d15763a6838164d7d35c9b3a298507a63c99ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQUA.exe

Filesize
245KB

MD5
26edf347288b5fb5117a39656bc01834

SHA1
df787b277d2623c2551e2edba6f0e0093a0b245e

SHA256
f91922a2e9bca06280e5a264bf16e7158a9771be476e918c37c063bc745b0e5b

SHA512
d6e7f79ceae9d8e27519b906e4c7d62bffad5b0b9e0f8645b8576487d9831c80a42390d352d34df69a8594d90fb96c20cfa6f254502274c7fa9da7e5e8326b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWEQwAkc.bat

Filesize
4B

MD5
0ab9095d691941416112d3648a3b067d

SHA1
b7b8d3401bc4a2a40a6f702609d21b24516cdbd7

SHA256
21fc4f83633816f21f882175769149eacba5d900668c66fde1f448ec9ad83bb6

SHA512
03bee34d8de5be223cf2c888dffc8a3429884f9b23633e61aae351e57cec57aaaa215ffd22dfbcb575758d3ecea69040454d79afb650fc752d8b8424b77cdce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYIw.exe

Filesize
233KB

MD5
6aefa0d2adaec0d65635a9be5f914c02

SHA1
983bcaf88a20ef9f7fbb823e1b95b42d8ee08655

SHA256
7843b18a079c975ed817b42d0521e53a44e6a82c5a05e4e201cc50a7d9a2de34

SHA512
1bda244dc2ac3ea6c1afabf42659269230c7e88df43bedb81cafbb3331770d5c6e17e9f29ca83c86b30be3e9a7eaf822b14d145e4a5d0cf919be23b64684ad72

Download Submit
C:\Users\Admin\AppData\Local\Temp\smQcscUk.bat

Filesize
4B

MD5
6215c188b9f8e7db9f6e0d07408d8dda

SHA1
aa4eceefee0dde5c560e26ead77fb6be68c8e0e3

SHA256
d9eab05fe1c12056e340e9cf80802481fc04e02fd942c64ffc9b0ab0a06dc03a

SHA512
d4f29cab4cbab0964036b53c8ea21602174b074afbcc1b3ef02b2c776e7e842cb112bdeb1342a2318f487c2caa61aba9dbc2f48d26985b74543deaef5c461c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEw.exe

Filesize
230KB

MD5
b361917b45b73e06474d72ea594b9f08

SHA1
35d3d5de8eab037278978eaad046c6d6229c5a30

SHA256
d51442cd9b9668dc1dac148a002ef1c322f7fb587eaceb85724de1e58686b5f0

SHA512
5adf0c5c1b1436ec690258b4d3a0be8ba269d1ea45e55dc2c2a48ab4f26cbbb6fea4f559b40326eae69101c9ec0f234834c24b3139b3f8393f95ae71d03d5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMYW.exe

Filesize
234KB

MD5
8acca27adb6183061bb4c0d4a076a7f9

SHA1
36a9386c3df12039df5d2e9ca716bbb1c401fadc

SHA256
cfe91de402d92ff3b162da9256d85cd7f56ba15821a6670437d1321255b9c9cb

SHA512
ed235a8d4039127cfc315f55146028c6d5a7ae26634995c55332b3594f1c26cba4f37b65142de63ba15f812d23e58fa51ee3d6143918469f82baa08dbf1a02c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQwA.exe

Filesize
231KB

MD5
8cdcd332943f8dc165ed34e25246a1e4

SHA1
d412ceb468fd515992c954c4576ac1c51b9050d2

SHA256
62c03b907b3c0e43a003fdfb93e80f73d54d9cc55545d33c1ec768998173a531

SHA512
127efa47cdb9b9380c81b11f3d4ece6a2f55cc0cdd3e59dfe6c5e17610aa777880406d9d29a4c72e0d2867ce9fbabc68ec7eb9b37ea943626e6cb49603047547

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUIQsQMs.bat

Filesize
4B

MD5
4dcc3152fb76ee2202b520ccd4aeabc5

SHA1
717c53d386f43354611159272fab1978102fd4f2

SHA256
002afcf5fb710368c10636603c607e710149c973e5b7d21ccde076045594a9c5

SHA512
b8012869da52c5ee9e8d29a4ce59c58a26b1ba625ce2814d842091061281e95ad45f28b140f1d83b68cc65b71d5ed1afca8f83c2739c79c24f2bc5d19246f2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgok.exe

Filesize
734KB

MD5
22968bb8533637e41b0d5f8246a01aea

SHA1
d89196bc75c38072a37a9d42ed8086010f6d0544

SHA256
96e0da8f106a49051faaa78b872f097c744474c9c0cd19c52544e21a403def88

SHA512
0b95d946fe24c6e38e8c72dcd63624387c95915fd41edaeb058be159ee3c29360c4c89b02246f647b2b198207668d103423d401e534601b657cc20095fbac001

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAG.exe

Filesize
242KB

MD5
03d6709e090a88a8f239e70bc7218875

SHA1
fa924018c1a705ee7aa7e8cc0606caf55a67731d

SHA256
19c1bef85cd6490d0d9a49a678d79476001a1896c1102747d174108b95b582f2

SHA512
8a5102a4fa1d9d244dd0f2492125992a94b8d6cdb52e8e555ebe9a1b9c1a1a83d2bce4a598ed9ead45443d66f414c20de30ef6cff5a7267776a08beb1b89f99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkQYYEQ.bat

Filesize
4B

MD5
2643d027088aad0bf4ebcc9fd5e88f0b

SHA1
e2888ef7e0b7688a8746895473296edbdfb87d28

SHA256
3669f8b5e42ffbf8c95359adb6d01c241e88ec96a9681311d4c152a4d65cac6f

SHA512
764abdd5204a3c13d30090aa053da04cd9ad8b9871dc4420f0245bec6bb1984ff5b0d671f782d9923987630d5d4c01c4028b9f4124217e43f1d417e47dcb7e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqkQUIIQ.bat

Filesize
4B

MD5
1b204c0e53cb7dbb9b6590ee294d44ee

SHA1
7f17998d458d9435574113645288a57c2b80be2a

SHA256
95e07f3a91951b0ca96558cc8cd360fa0a9d95e9f90dad6d00b575f3c072fb8f

SHA512
fe3c327804883cb3f08ea8220c4dc0b88affe012962d637040a32f7b838d0389ed043222755f90fabc01874f92d785f44818e248c6e7875ddbdf0cc3be3a0f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\usko.exe

Filesize
227KB

MD5
702055cd2cdbf26c0495e7c0a764149a

SHA1
ae962697487fbd769272197dd96f8f893841682a

SHA256
4c8fba7a97786c3603119d97eab87743b4e1dcc05b2790c4a6babc426728c28e

SHA512
1d3d18e4b82c477e66fc9b5cffdde938fbb25bb356a766646b5960e174411d3e04522a4a36f0b3a9ec8c427669ad39f067e5a8ee980ec5b95a08692bbe27f0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyUYQQEE.bat

Filesize
4B

MD5
e1d051ca30a54fac2a269331eac50acb

SHA1
71ae64b6314e6faa6e3bad95e880efc87a6e1a38

SHA256
ec2804122af7b58e15fe9595149dc8f58114dce475bec77c807a77b72e854500

SHA512
fdbe06cacedcff7660783c75a8676c466304179f661ce79f722234911592dd24bb6335c9da00aa42e353234fd128a93346e0966396afccf67575da30ab87e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAoo.exe

Filesize
230KB

MD5
1fc8fb45bcc634c9cbf2f979f7faa7a1

SHA1
94f550bdc39fe2b8c10d3c625a503f6d695a9a25

SHA256
f81739873b826c630574a9d6146a79b1d11f6c49898e2667892f6825182efb57

SHA512
52d5597eae4f6d878c5e1e021cd529bc8e1b848f21916e62d17a20b163b3cb526c6a06ae2101cae660429d2d60dd9765c5f47d81ea1fd2661aab90a86dd6233a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCoYIcgI.bat

Filesize
4B

MD5
b749043bf23e66dffd58f7a0e44654ee

SHA1
beab8ac9456fbabb929814cb8a83632686d035b2

SHA256
74d33147c379808107a8076f7949a50e40f4212d92192b59533b66c44f527209

SHA512
9215e7ab7ebea867e39dbf2103cb7c4188effa79f49d932f2cf33bb03ab8537e34ad682489c9668cb994b3eff6a7788b575d6e953dd7ef249f8775532eee6661

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEke.exe

Filesize
533KB

MD5
8a63fb0d5cb57fe8d480be1e55269819

SHA1
928cb5e367f943b3d2f7b46ad8d0eecd37e37052

SHA256
b6c29491b0836e7c4d69284d7b9ecf2256dd4b607317b0448b1d13dcfbd829bb

SHA512
32e99596f1dd5081af266ef498503d281a8e9e0a0768c4eae3647c0621b87dadb4680574383054a22a5b9570cd5bbe7ea4f38cd6caf7412e04c6d379a79350a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUUw.exe

Filesize
236KB

MD5
3c335f853c9877cb3aee09c568f55e5f

SHA1
4d2f33188c40099487b29e6a8d5ad5b1de5b67d8

SHA256
950159fe6cf3ae26f0bf42a0855419e0362c4082e642245eb28c21a899a953f7

SHA512
3b5c8fe6e39112a0729e637e1580464b54eb8e964b145d75c046ea55d5c1d56f30e9dc596aec647c14304272fe1f1de58181c2870689ebf9603598b2dcc5dbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWoYUMMk.bat

Filesize
4B

MD5
639860f16d10196f158980ac037a7443

SHA1
10901bc8d0faaea30e056d71289c1812ba055e70

SHA256
b15ccdcd74bc2e489856617ac6fdd6e6a5ab85c5dfa58f14bfae7d16bc6dcce1

SHA512
c3a0d5a0933a9f331277e984d5884903d9bb4e8d7ebe992f774c866f003aefdd10532ab6798f632028a33c019763513a730d59c40cdd0ef5c6efa46e07d18c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgQC.exe

Filesize
232KB

MD5
0e4cb2a4261764df445a26b73194f36d

SHA1
0b6b70eabb44c05cf89cd62291f12f9498c208ed

SHA256
1871b037ebb9553f39ccc97af317188cd197c7b83a4aa62930f3d34ca867ef8e

SHA512
8a269d6bdd23b234970c31516608a15c8ac1f5d0dd724dd60e7aed9bea605de48ed804859ceeba6d891ff60918aa2ff5b547f28adf00c8c797503b170d113a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmcoQYgI.bat

Filesize
4B

MD5
c5c351bca5d4d7a09101ae0777167454

SHA1
3771077de93a8e5680264e689dd0d1f0dc920aa5

SHA256
9a925a397ff7094f62f62f523ebcde3440be3bc27e895fd67ed3b2f179365383

SHA512
1326f1c67fd4e4d0fad0d535d81c2513e2f7a7e7565b4609474dd8e416f5648677090731759b333b337feee32fe6b51bf6cdf97437b45a79e4b923091f702966

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMUu.exe

Filesize
233KB

MD5
85e496406d5d3d26975de7bf85c74811

SHA1
973fa60b822592e1963520a2efe0b4444157e262

SHA256
e06ef12247094ce5d4bd2e7fd726c41877ba3192091de9b6797d998c877ad190

SHA512
99dcf8f2a8559fa448b30a5ef8ce68f354ae620ba4d6b348a5c3691eb15a58dac1164c41f2226d754daf8af08ba6dafc8d34477e809fcd97b1b7fbcf8f728702

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMcs.exe

Filesize
245KB

MD5
1b82405cf1c1ee1dd4ce1b4c36a2fbea

SHA1
c9ffa25c77b51f3a5dc35d06a81b5e5b46a1b978

SHA256
2f90248853ab27ed73d887b681df4aa57a35fe97cc5f94daf702cb734993f037

SHA512
338ae07a27e121db9c49c139f3983abf8b851c0aa812911e789ba386e2dac119021ebc5f6f9fafa49bb461242e487ea4225ce135344d44390da560010e268281

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQoS.exe

Filesize
490KB

MD5
8fdc61e20fe2154553775a379bcf309a

SHA1
dbcd82776cd4509e3396a5b9f7f23ff8f004f21c

SHA256
eec05535359770460b16197195147db573ea6732b997eb2e6f436841a509396c

SHA512
4583fea98e5570ea2f1b19f8896e952353357ff96caf7e07ff955f8237fb7bc772127a7c3c5760056664edfcd6377cd1b127237c51f9dbe31329d11a5ee65631

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkkcEgsM.bat

Filesize
4B

MD5
9702baa9bd38f25692fa95cb528dea7b

SHA1
391b6ef5a7b2b6ad9c456c24da8aced0569ec7f3

SHA256
6387491ab6bdc96189a069515a21949d0d24f8e635e93fc2f6ed7e0844cbb6a9

SHA512
0df07017c1a35766fbdd56cf406bf0d84efff85276d44a4e61bc6a216c6e4ef22b20a847c1c93a8c09c9375bcd01cfd68a77247dc886d7594873415c5717fe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwQEYIYA.bat

Filesize
4B

MD5
1d5e84b4cab0f4b83d40c8ef99d556e5

SHA1
3f97d5dc788f53d7936a804f663b6d838bc6c5ee

SHA256
89e20959e767bff71b89512836e0dc4b5c750dc0c333b74c83d1e10a10b626ad

SHA512
780433bae767d6130cccd212ee5036fff2bb4e37bfac9f46d06bac9330eceaae2118ff755441f91468ccc8826f6d7797ccb6a758cc0bb4680295006c05f97a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAUI.exe

Filesize
227KB

MD5
dff6cb3043760862cf171f30c1afc8a0

SHA1
1e3d2eaad0f61d0716e3566b1ffaf9093b079a55

SHA256
67183eaab85e17b149481cbf10079f7fe75c4d17e9e1af0f85d1ab50ad8899e3

SHA512
51edbaf9618bff76da4a75173d535d55eb4a83f6e3a9c2ae705fe13bc82572c05ff2e4bd0ffd38697065fa18b73ced61b878c77a10ca4a0c06e4f8e899ca6417

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGYUEswA.bat

Filesize
4B

MD5
9e14f6964ed147784c6d8fb85c8ba765

SHA1
2330ef87106dbca59015aa2728e1feb7bd981b21

SHA256
77770741575fad8fc0f4508f24e33ba2698a273bf474e0d61b79925e381d38ac

SHA512
d98988f683d09b8361d3cbfe8d9067abba4a9173e40003547bea8a9880262463be8e8ee4676c7fcca03aeef345991838604c7bbcf7f81b0d46240c543318e7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIQQ.exe

Filesize
4.8MB

MD5
845309718dad44ee78469dd3ed017de4

SHA1
cfff7ff159d6eadb83251012f988f9bf067ef6d0

SHA256
98ab5f1656a73a62ee027e091a7c9aab97ea6a9820563cfd096838dcec86b96a

SHA512
f2fc2511670064eab1e93d86f2ac5b771dded3d8b66ea37ae3d43fe19a9a6e11334d172b9a8b81a96dfdb22e382bb7d0bc2801cf594970184cf388c3e3b916d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xSUUMcwk.bat

Filesize
4B

MD5
880d672d38e56f64b2d78ace98ccf362

SHA1
551a68f555e59ccf2a78d440a89cce693a9e478f

SHA256
f6c47905f54b1131f49cc790560cb384ef3c1d595628d86b42ba107bcdb58c85

SHA512
3e58edc3cab8d45416dcda9a1654af6c352538484eb4baaca2728af3ca3f8cf47909a2fd69f08c6cfefaaa72489cf0c2723186c627def4812947dbcd48e39729

Download Submit
C:\Users\Admin\AppData\Local\Temp\xagMkkcc.bat

Filesize
4B

MD5
b7d0f5cead05fb7049857e4b169b275c

SHA1
dba18e3520d6a63aeb476d25fb77e8ffb5fb92de

SHA256
c6855d4402528e860987747d4369342fa1956ab4bfbddbfe188d0a6befc3ba2d

SHA512
49f40c40a8f60e5f40baf95e9ff6c2d1b3972e0b74ac6f03bbd4c85be7e9b198c824cb49f595cd123a13d1133b28a1b2de77ba2261eac12483ab468dca4f2078

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqQMEgoE.bat

Filesize
4B

MD5
c129bfc5f4a3d3302d9acc233ac1e12a

SHA1
1f5a99884b21486fd8df0d0603f4afaa7b08e0cb

SHA256
52cc71cfef4f6db684bf69458afb33a46908d6dac039fb98f15a39801203941f

SHA512
4c1be3b02302dd5494d7335e0a53846bfbf9c3c4f6569f4486403202e63cc650faccb72f29b49ae8edb3dceed21130840c4b9cd5bf24f731e8e5e3ddd280499d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskwkMcI.bat

Filesize
4B

MD5
674b806315ffa600695d1421105ce42b

SHA1
5c8400ea64df737ef882646ee56e9e97f48f99cb

SHA256
651a6b17712b53ca01e17549bc733d17dc123699c8d628b0d50c270048314432

SHA512
3a918028165292cb3c8a53374f5f70603e5468d36ff6c9978886b794f2e57d84dd2c257cd5e2eaa46eef32c452722e40d4113410b268f7cfa9a1ff763c236774

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyIkEIcE.bat

Filesize
4B

MD5
8e39ba82153e39975027da0592f4b7d6

SHA1
606e42e7ce5ee00d7d7d343c6f2c075c6c61b234

SHA256
0e831da80f2b7aab77ddb68de4e916cde244f96f0a45b7ba0b17fdff8539dad7

SHA512
2b6de2344cddc775c66c852265327771c716e4d34eab9e3db8b9b5640019efc57d17cdfc799c8b754068a91cb0eec7e83f63ce677acea550cdbe980bc02d2977

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWMcsQIQ.bat

Filesize
4B

MD5
108d5f644a4050b398b30b4ec970eda4

SHA1
fe577818be9265aa270b2f7181fdf0b246535cb6

SHA256
46d4dd0baae670fd1147c57862be8c5741377f601fff76abe97c4b6a68b20962

SHA512
7729b7410c64178bf4475ffb506d8cb055e4efaa9c266e024789416b624ad1815c5a70ab4918f9c55dd23e958d856033bb33a3c9a07cd87352251c641cb3dc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEe.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysgS.exe

Filesize
635KB

MD5
9ea59afa881d46e4294b191d1e183d9b

SHA1
6d3a533822d58b949cea06696b1a4e734ad811f8

SHA256
d5e5ab54a272b402fe43f8bde425ca0f8abd881a97fa535765430958418226c8

SHA512
45040708df4f7f447517a6b32f04b7d84240206925aed5b1765b5978b0879025f6db3345b70d1582bb52cc086ebec9122e5a8a36a4345dc8ac8dc132bc199b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMcM.exe

Filesize
232KB

MD5
96fdf3a63daae73001eeff8b8961df3a

SHA1
daeeb5976f25966a752c08c7f501056606788042

SHA256
2e49ec687c1699e2bc1f79081da87fccb2b32fb1eea4df5959fbd01761a3feee

SHA512
86235e3ff3bbf1fb2e619257c725c220c5c42a0873c1b1c1f3b5c06b20ce2b9a69c5e5ceea17a8c354b1c91bd59233a11379d6e6643351348669081bf9c5673f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcgw.exe

Filesize
460KB

MD5
ad66be40d0ea26bf3970ff4943e187dc

SHA1
31ebe75e2b85ca050d9951ddf274011067d9f2be

SHA256
2cb7055e7dd0e5d89be4910be59ef7844f00c40a0cd159be159145049eeae62c

SHA512
5983ce1891aab4bbe325910a75d4fcdf217b9afb8e436c2a78a6050bc5c9be267a492f881fdb8d8ea8486cd5e247cba7ac1825d987ce297c4417f03ae3204294

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmcUYckE.bat

Filesize
4B

MD5
dff7a3d2ea4dfabbd713016a9fe7bf7c

SHA1
05aa97504a3cd677a4eb8136636879b6fb0d1586

SHA256
f2a56a02275bfcb386b7a37ef58200f7ff0103498ee09b807d86eae2ed565eb6

SHA512
8cf56b9b02e01933315917c60d30cd386c355993c055ba3737ba5f0ced74ac77133547402f9604508541b53b154f3b14b10ea67b46e35f7b2abebfaabd736d95

Download Submit
\ProgramData\KuIIIwcs\niwMEYok.exe

Filesize
201KB

MD5
df8722aacefc88d78f6b3415bd944414

SHA1
13aac184c3684c93bfc750678a383599e5d2579d

SHA256
c98feb87325d17f2be9805337db3736083087b15715c3608b4b99f9d10e249fb

SHA512
8db11efaa53fac970947a2dfa3011e5e6500bc9a2cd8c66f65b2dcf29881546dcf16d6f93e40348cae24fcb8fe5244c01948d08d3b548c6ff07a5798083f6622

Download Submit
\Users\Admin\tkIAUQkU\KkwwEMIY.exe

Filesize
197KB

MD5
9f15a29baf5321690df82168df047b61

SHA1
82f6be983332fedbef7f7c513b04a81781d77b19

SHA256
3308d2cf6eb676f64eb55f944c5620b0688848f82ccae1b6a7362cb0244e0039

SHA512
9ee999530ec8b32a002942719215bb8aa77073a4e386bfb6cab533a3a6500405cc2ffa8e1777c67fd48c62a77fe8ae6ce2c2067fea94c289fbd625c1526fabd0

Download Submit
memory/268-197-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/288-322-0x00000000002A0000-0x00000000002D8000-memory.dmp

Filesize
224KB

Download
memory/760-90-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/760-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-466-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1020-114-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-183-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-393-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-363-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1552-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1684-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1684-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1852-81-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/1900-361-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1944-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1944-5-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/1944-27-0x00000000004A0000-0x00000000004D4000-memory.dmp

Filesize
208KB

Download
memory/1944-14-0x00000000004A0000-0x00000000004D4000-memory.dmp

Filesize
208KB

Download
memory/1944-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-300-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-321-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2064-174-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2144-56-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2144-57-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2200-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2200-489-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-137-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2284-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2300-254-0x0000000000550000-0x0000000000588000-memory.dmp

Filesize
224KB

Download
memory/2312-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2312-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2340-416-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2360-406-0x0000000001F10000-0x0000000001F48000-memory.dmp

Filesize
224KB

Download
memory/2372-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2372-347-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-339-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-336-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-372-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-337-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2700-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2700-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2724-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-33-0x0000000000110000-0x0000000000148000-memory.dmp

Filesize
224KB

Download
memory/2736-32-0x0000000000110000-0x0000000000148000-memory.dmp

Filesize
224KB

Download
memory/2768-207-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2768-184-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2848-275-0x0000000000120000-0x0000000000158000-memory.dmp

Filesize
224KB

Download
memory/2856-230-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2856-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2960-431-0x00000000001A0000-0x00000000001D8000-memory.dmp

Filesize
224KB

Download
memory/2960-432-0x00000000001A0000-0x00000000001D8000-memory.dmp

Filesize
224KB

Download
memory/2980-103-0x0000000000410000-0x0000000000448000-memory.dmp

Filesize
224KB

Download
memory/2980-104-0x0000000000410000-0x0000000000448000-memory.dmp

Filesize
224KB

Download
memory/3012-481-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download
memory/3012-490-0x0000000000160000-0x0000000000198000-memory.dmp

Filesize
224KB

Download