c176a8bbc51f2017fd854d77d3030199af42c64e992947460eab70c1235e6a11

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Size

238KB
MD5

f93a8f4bc08f934f0e8675bbfd58645b
SHA1

3329ec7354e970f5d587d444e9ecebe097882733
SHA256

c176a8bbc51f2017fd854d77d3030199af42c64e992947460eab70c1235e6a11
SHA512

244abdb14c3fa00e6dfd87e11c036878eb219cb4c9850a13941b2535d02baec9fd1bb775b29cb1a2b7dc620f4d9ac8249b7ddc3b1a489b7ddcb88420f3e432ee
SSDEEP

3072:+hkt5XFIwUkqh4u2UxZarhPHOx/PGEnLfuFil4x2feHF5TTsax8rLk+J52YOA2sK:+hkridkqhndxZaMr+iJfeDTr9a5iA2

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 55 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 58 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	dqEYIkws.exe

Deletes itself 1 IoCs

pid	Process
1056	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	dqEYIkws.exe
2724	HIYMIkEc.exe

Loads dropped DLL 20 IoCs

pid	Process
2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HIYMIkEc.exe = "C:\\ProgramData\\ngIYwgcc\\HIYMIkEc.exe"	HIYMIkEc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCUQskoM.exe = "C:\\Users\\Admin\\acYMAgAQ\\FCUQskoM.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZWMYgYUE.exe = "C:\\ProgramData\\iUoQMcAE\\ZWMYgYUE.exe"	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqEYIkws.exe = "C:\\Users\\Admin\\HuoIwgME\\dqEYIkws.exe"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HIYMIkEc.exe = "C:\\ProgramData\\ngIYwgcc\\HIYMIkEc.exe"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqEYIkws.exe = "C:\\Users\\Admin\\HuoIwgME\\dqEYIkws.exe"	dqEYIkws.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	dqEYIkws.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2552	2832	WerFault.exe	246
3024	2632	WerFault.exe	248

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2500	reg.exe
2036	reg.exe
1992	reg.exe
1868	reg.exe
3060	reg.exe
2192	reg.exe
2788	reg.exe
2580	reg.exe
2576	reg.exe
2196	reg.exe
1064	reg.exe
3016	reg.exe
2736	reg.exe
2604	reg.exe
696	reg.exe
3048	reg.exe
1972	reg.exe
2672	reg.exe
1088	reg.exe
608	reg.exe
1180	reg.exe
2396	reg.exe
1304	reg.exe
2060	reg.exe
3044	reg.exe
1728	reg.exe
2896	reg.exe
2916	reg.exe
2244	reg.exe
912	reg.exe
1136	reg.exe
2488	reg.exe
1228	reg.exe
948	reg.exe
2760	reg.exe
2976	reg.exe
2720	reg.exe
1216	reg.exe
2720	reg.exe
2820	reg.exe
2736	reg.exe
532	reg.exe
1960	reg.exe
1448	reg.exe
2468	reg.exe
2224	reg.exe
2460	reg.exe
2892	reg.exe
1040	reg.exe
1872	reg.exe
932	reg.exe
2292	reg.exe
1076	reg.exe
456	reg.exe
2704	reg.exe
2316	reg.exe
1824	reg.exe
1960	reg.exe
268	reg.exe
2376	reg.exe
1420	reg.exe
1496	reg.exe
2484	reg.exe
1088	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2876	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2876	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
948	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
948	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1448	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1448	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2020	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2020	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2184	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2184	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1952	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1952	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2396	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2396	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2860	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2860	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2972	reg.exe
2972	reg.exe
1416	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1416	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1532	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1532	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2708	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2708	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1684	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1684	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
268	conhost.exe
268	conhost.exe
764	conhost.exe
764	conhost.exe
900	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
900	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
520	conhost.exe
520	conhost.exe
2100	cscript.exe
2100	cscript.exe
2076	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2076	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
3028	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
3028	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1940	conhost.exe
1940	conhost.exe
768	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
768	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2708	conhost.exe
2708	conhost.exe
2640	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2640	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2100	cscript.exe
2100	cscript.exe
1772	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
1772	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
684	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
684	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2348	conhost.exe
2348	conhost.exe
2300	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2300	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
2872	cmd.exe
2872	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	dqEYIkws.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe
2764	dqEYIkws.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2764	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	28
PID 2324 wrote to memory of 2764	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	28
PID 2324 wrote to memory of 2764	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	28
PID 2324 wrote to memory of 2764	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	28
PID 2324 wrote to memory of 2724	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	29
PID 2324 wrote to memory of 2724	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	29
PID 2324 wrote to memory of 2724	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	29
PID 2324 wrote to memory of 2724	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	29
PID 2324 wrote to memory of 2824	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	30
PID 2324 wrote to memory of 2824	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	30
PID 2324 wrote to memory of 2824	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	30
PID 2324 wrote to memory of 2824	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	30
PID 2824 wrote to memory of 2944	2824	cmd.exe	33
PID 2824 wrote to memory of 2944	2824	cmd.exe	33
PID 2824 wrote to memory of 2944	2824	cmd.exe	33
PID 2824 wrote to memory of 2944	2824	cmd.exe	33
PID 2324 wrote to memory of 840	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	32
PID 2324 wrote to memory of 840	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	32
PID 2324 wrote to memory of 840	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	32
PID 2324 wrote to memory of 840	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	32
PID 2324 wrote to memory of 2608	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	34
PID 2324 wrote to memory of 2608	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	34
PID 2324 wrote to memory of 2608	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	34
PID 2324 wrote to memory of 2608	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	34
PID 2324 wrote to memory of 3016	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	37
PID 2324 wrote to memory of 3016	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	37
PID 2324 wrote to memory of 3016	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	37
PID 2324 wrote to memory of 3016	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	37
PID 2324 wrote to memory of 2568	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	39
PID 2324 wrote to memory of 2568	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	39
PID 2324 wrote to memory of 2568	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	39
PID 2324 wrote to memory of 2568	2324	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	39
PID 2568 wrote to memory of 3032	2568	cmd.exe	41
PID 2568 wrote to memory of 3032	2568	cmd.exe	41
PID 2568 wrote to memory of 3032	2568	cmd.exe	41
PID 2568 wrote to memory of 3032	2568	cmd.exe	41
PID 2944 wrote to memory of 1976	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	42
PID 2944 wrote to memory of 1976	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	42
PID 2944 wrote to memory of 1976	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	42
PID 2944 wrote to memory of 1976	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	42
PID 1976 wrote to memory of 2876	1976	cmd.exe	44
PID 1976 wrote to memory of 2876	1976	cmd.exe	44
PID 1976 wrote to memory of 2876	1976	cmd.exe	44
PID 1976 wrote to memory of 2876	1976	cmd.exe	44
PID 2944 wrote to memory of 3048	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	52
PID 2944 wrote to memory of 3048	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	52
PID 2944 wrote to memory of 3048	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	52
PID 2944 wrote to memory of 3048	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	52
PID 2944 wrote to memory of 3060	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	45
PID 2944 wrote to memory of 3060	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	45
PID 2944 wrote to memory of 3060	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	45
PID 2944 wrote to memory of 3060	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	45
PID 2944 wrote to memory of 2380	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	51
PID 2944 wrote to memory of 2380	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	51
PID 2944 wrote to memory of 2380	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	51
PID 2944 wrote to memory of 2380	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	51
PID 2944 wrote to memory of 1580	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	47
PID 2944 wrote to memory of 1580	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	47
PID 2944 wrote to memory of 1580	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	47
PID 2944 wrote to memory of 1580	2944	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe	47
PID 1580 wrote to memory of 1272	1580	cmd.exe	53
PID 1580 wrote to memory of 1272	1580	cmd.exe	53
PID 1580 wrote to memory of 1272	1580	cmd.exe	53
PID 1580 wrote to memory of 1272	1580	cmd.exe	53

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\HuoIwgME\dqEYIkws.exe
  "C:\Users\Admin\HuoIwgME\dqEYIkws.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2764
- C:\ProgramData\ngIYwgcc\HIYMIkEc.exe
  "C:\ProgramData\ngIYwgcc\HIYMIkEc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        6⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        8⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        10⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        12⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        14⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        16⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        18⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        20⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        21⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        22⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        24⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        26⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        27⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        28⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        30⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        31⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        32⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        33⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        34⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        36⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        37⤵
        
        PID:2216
        
        C:\Users\Admin\acYMAgAQ\FCUQskoM.exe
        
        "C:\Users\Admin\acYMAgAQ\FCUQskoM.exe"
        38⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 36
        39⤵
        Program crash
        
        PID:2552
        
        C:\ProgramData\iUoQMcAE\ZWMYgYUE.exe
        
        "C:\ProgramData\iUoQMcAE\ZWMYgYUE.exe"
        38⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 36
        39⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        38⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        39⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        40⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        41⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        42⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        44⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        46⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        47⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        48⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        50⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        52⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        54⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        55⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        56⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        58⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        59⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        60⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        61⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        62⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        63⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        64⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        65⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        66⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        67⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        68⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        69⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        70⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        71⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        73⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        74⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        75⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        76⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        77⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        78⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        79⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        80⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        81⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        82⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        83⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        84⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        85⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        86⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        87⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        88⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        89⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        90⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        91⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        92⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        93⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSAwMgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        94⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vssAUsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        92⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYgYQYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        90⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\miAwYYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        88⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAMMokgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        86⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEIEEwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        UAC bypass
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQoogUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        82⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        81⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        82⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        83⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        84⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        85⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        86⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        87⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        88⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        89⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        90⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\quoMckIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        89⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwoUUUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        87⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\leAEIckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        85⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AYQIkckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        83⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        UAC bypass
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AksgccQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        81⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwUUIgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        80⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        81⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        83⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        85⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        86⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        87⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        88⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock"
        89⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
        90⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        UAC bypass
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKAoUEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        89⤵
        Deletes itself
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        UAC bypass
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGoQAEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        87⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkwQEYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        85⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        UAC bypass
        Modifies registry key
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ueIIcUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        83⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        Modifies registry key
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmAYAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        81⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOQQgUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        78⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSccwkoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        76⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMYYQEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        74⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKAQoYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        72⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUEIcQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        70⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWYsksYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        68⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BsgskEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        66⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKckUAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        64⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xisQsswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        62⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuEQkYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        60⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYYwQgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        58⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoMcEYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        56⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQosccow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        54⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUUoIIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        52⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmMwYsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        50⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUAgksAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        48⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kagUcwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        46⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugkwssws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        44⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuUAoogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        42⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCwAgYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        40⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OgcIEsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        38⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEMkEcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        36⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwwwUwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        34⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEUocQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        32⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\huIcMwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        30⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKQsUIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        28⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\geYcIMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        26⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\liIIgEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        24⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiYgkkIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        22⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyYUUsgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        20⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UukMkcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        18⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCMsowko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        16⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCkAgYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        14⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIkQUIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oesIEIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        10⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAowMAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2072
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xikkMsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
        6⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2096
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2836
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaEMYkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1272
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3048
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2608
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYYAUYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6009593383084595272389268975021576-1776829516-20460810015473937582039916790"
1⤵
- UAC bypass
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "871687774-779775359139924850655181810762995287380109308511512116812115892183"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "390428406-2125836346-1829198402290264781-13600102321443497557-10805988021098396121"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1234568115-6964241575624557862010624670-7206634231733562780-987402038-219013456"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1968154587-7121248710660167421453158942923435955328519726-1952624036-1557047990"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-152177902228407365261431500765500537348922063-585647005-798680311625072055"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1727674746691996621738214690-1466021217-4048087563078796401450207823-1770707231"
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-712400653-12823551621773078298764948293894420070982210969-1655945726-252690337"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-243871283-89060658815022943851014726321-533398348-451374800-1932942023740661870"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-859152307-49528272019287109131278099462677721615-329634892-454227129873151715"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18764794352034232110-661791369-1435623894-1183645122299647114-740386098665268843"
1⤵
- UAC bypass
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5081344691988098611-10874230911873128515-1377180862449835962960591038-1560274645"
1⤵
PID:1420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-66954544714751543220503504797077812451575728487-1683118689-574405021461815750"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1171890074982845955158124438156022634-692113543-2005288483-823312379823647792"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12996472188599674088788708981549370353-678538760-1571889479292451090304086663"
1⤵
- Modifies visibility of file extensions in Explorer
PID:932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1291905677174230289120293403771125729871-567545667352532387753174716713706666"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "753219288351477663407577939-173348312-19525128681697990830-2116693463-1497451825"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19916710851201759234-2085206739-11353208561447394157775576919-1478697563-551889704"
1⤵
- UAC bypass
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11675065751153221705-237074554-1920392559-11116003-445675681-130060477716146358"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "757782912-2055774339-1934701441-989789446822678654-336936963-1422280896486299896"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181978868878895566157080289-891965569211701777017603509872085295430747368103"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1340664780-297495136279949667-7936852192299629101238682166-1525470862-1192586309"
1⤵
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14083901801708834461531692435-172029145813630513611681569842-1631544497-1607681771"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1568886112-1383947749-723707825-805560010-198390929-6202760801185827711141607726"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143343518648089425-18683567902038334842-244242903-456309659403075202944312994"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029451390-669599909-209244505-1584413535-576903192-137495833-1016323411755506225"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-82113605-5495883651972457-915705884122280824210416977939811260841644195288"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-169086457-1466771190-1407331007-20622876561335894855-1259544326-268006140121230261"
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4484682961707223597-793913300-18658429471186458306-1036628916820876124-406345138"
1⤵
- Adds Run key to start application
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2081491933407824257-1323114564-551361429-1477260803-20776572031495778712114310620"
1⤵
- UAC bypass
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1975483984181468825524662334-18312979997585675551373366023-6454742901725347769"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19546954701707274567398927622-1831226513155254500016800066474042509-2064567283"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1947887254304872138-2728219005894530101956792560440908895-841186071-933465016"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1432782575-6412907651406372759-1452389747-699428964563581-237424107-20481625"
1⤵
PID:368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13513324121081549157148350391347113323816204279-940903624-383668840-1394062279"
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-35229647-914840295-1917004318-877171788-105560200314630357107025857911451387614"
1⤵
- Modifies visibility of file extensions in Explorer
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1835838737539155137163425712028821602863358893574546690-209735220921576464"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1669599502195431005711800045-27985733863240859-6133357961750004801-786943582"
1⤵
- UAC bypass
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17973881629851217812144081827-2141349139-2112970564-1754069215-1397228671976114490"
1⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "459688112-1975393242922383996-1316942113-820370375-77050081847030113556748979"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19547132741264069712-9852351321923510147-1247680077316437175743385925-1599333898"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "319085430-2095654824439550771-1557364882-90760486210269898021334620472004745791"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13841838463146791911345590164-8239683641701235466-602182631715273702-497644179"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1343728357394722881-7909172163679913857869562510932465-390707249-2135522820"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13625016341316691659-148339597716454881731329211539-7940042241542287398778950169"
1⤵
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11142120221004524986111053975232430330170302147348957569489619411614685675"
1⤵
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2064121647-34457644-122734436-1488504120-7933650531458720304-350268155-395681232"
1⤵
- UAC bypass
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71297385-114964653-1924573893291285535-239624808102025564-1977571636-788050544"
1⤵
PID:628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "701418871-467206971-1155259974162552607520978612151947738911340450850-1316752115"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1044907215-2023886736-13849773936501919827301120101087899175-4335322341760288132"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1280168596-1381985924-18634375271632521751-2075351048-17364979221874713376-1437755980"
1⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-257604638-1886383741-629113616-15855961997996475492003678394-4467491831820429007"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1712119072-10575296801197108108-1619418926-18178076761104977153-1331718827565220228"
1⤵
PID:2312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1086112200-2622435818997897817412883975005113451021024258-6914542601473372777"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1559046679-1391869387-20097537532146010343-7695076349054902561045616458-1609865185"
1⤵
- UAC bypass
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108915461118779522601146853886-18823122115018517331423989015453577397326108253"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "120792942-13529652511955274440125346739019998849151725402036943378736717325266"
1⤵
PID:1784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1003845845-652636685-2095931071-1888529022-198640144-1796206755-1133678252757506346"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1231053386-11321369681764806271162154989815656865147668179844569545761052101199"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "962336876-14354601-21180812291862046064-1351696290209770921-1940473947-1377209079"
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
160KB

MD5
8e8470f8e56ea5d3f5fe28f3b5bfbd4e

SHA1
092c43de45a58165919fea5b42f936550c37fb3e

SHA256
4d66938879ed2c695eab7c1d816acb03905a66891df0478572b347617cc00238

SHA512
acc4a38e362a53793fccdf41481b1cf95141b8c4103d6e4eb1e1735dab4f325e1334013e80e8c96b9f297777315175838cf0b50627995fec0a68d94456acb5b5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
158KB

MD5
300f914d69113dc1cca242362dc1615c

SHA1
51a95e4b6df49baff2f51625f1e886bbfc9bbbf2

SHA256
e1c2ffc5d4021a0f463369179813159d2f5afbcc93a2ebdf6a38594b825098b3

SHA512
81d5c09cab42a1b2ac4a380ae515443f29d54016474cebade5ac1bbf433dc363029c5a4a962b180e1f9066e64afcd1e73852947c3496977dbaa64dc1d1c27b97

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
163KB

MD5
f857af6fc837704d8ce5529e9c430beb

SHA1
340ac8a2b27ea529c098c87d49418f1c3559dabd

SHA256
b9e794ba2c7dfa3bf35b942ec3e070937914771edd32aceacab7e8e80bddd72b

SHA512
c52e70f765bcbd844cf23e561885082b7ccccdec8eb8b39c5c1d0335079dc71859151e4f70d7a08008e04d891bd82ef92b4ac87837e9381662c52f94a1e93e9d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
159KB

MD5
43951af0b23053bec72e044f5c0b276a

SHA1
64e52e5f077b6ac6b2a28205973b92d73bd34a73

SHA256
0c8a322b6ac327ef88a2e95d7ec5e62f9f51c11fd7d964be7b4d73a7f743b5e3

SHA512
f2697101e6d59da45ca1ddfae58051b908bbaafa86188e13a9f50aaf5e0bb5b4977f60337265dbf11cc35b2403ed7870b2338f964cb7552161536b329d7f75bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-02-01_f93a8f4bc08f934f0e8675bbfd58645b_virlock

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAm.exe

Filesize
1.2MB

MD5
1c107bfefe7c7dfb0e4ebf6795e4c58b

SHA1
bc10dfcbcab1f66c789176cd95954c32072082b4

SHA256
326893712d163f5d16bd61c812dccb4938fdbb27a382964f091267da9acdee53

SHA512
034a5d01ebcf9986026d54a801a9cf1704f77b2a867bd5953f3fe27c4af3fdf563c69acb23abfe6e59d196165cd22248d283bce3843d296fc22180430134f552

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYi.exe

Filesize
566KB

MD5
d10e6d920684afef96571000e2c6afaf

SHA1
f73f7be907c9825091f84e1b469bfa0a556da7db

SHA256
da1183fa7c2a4699ad6a1f1bcac2b10727c5be5e127b0ecb748e7dd65fa4aa44

SHA512
25b52deb3ed7b912befc9c8cabe64e31db2127d81680dc4ab768b8cbc6dca2352f12da2cddd5881c0fa5fa9f5b7cb0aa69f5ad2db46437877beb809266b43b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoC.exe

Filesize
159KB

MD5
64477b869317cf188d72413930e8f19a

SHA1
29dfd95ec827d77570958f7797e03dd62781928c

SHA256
def8a16dab1f28f8fe45cb092bc524f44b3336aab85dfb4988bee260a803c7b8

SHA512
37c226295a9a38da22e7f60781841339f8638e0bdb4ced1cfd09fdaeac116a4006296a15cceb645226a56e1b28988b25f369d805e680099bb6edc1cf6584e99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwAe.exe

Filesize
592KB

MD5
9a4d061cd67d7000de0c87a04e424ec6

SHA1
8e41747a90c327f50f578d141f6b41f6c9bfb0a2

SHA256
6ac85a4a906dda27b90730128fae0e900065d0f9881e61726296fcb9354c0acf

SHA512
73b7664b8d600b9ae7339ad2a8f780cce05a7f0f0820321a7c2d0c598ac4f16d176240fd70fc9edf6f127909752694b5140384bb393c0806bbf63c96a7b4290d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGsoAsoU.bat

Filesize
4B

MD5
477ce3e4c04fe6b49aa0e184655c4945

SHA1
bf2a565ba6e9848f026a968d6744346bd58d301c

SHA256
977fc26728155bb39e366f642cd875681db7ae5aa461ee614e9f08057f7db273

SHA512
13ad88adff6a0b2390b7cef3af3a35264272edf1dceddf3856e6f9819731bdba10d98b4e1c48e4f3133dcdb6ace076cd78c22caad0d711278de662dacb4ec3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bcsi.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BegkAkEM.bat

Filesize
4B

MD5
076d4abe0e1f2970909aa886b7f2d00d

SHA1
c25534d278429d2c2175c42cbea6a3fa31a983dd

SHA256
faf14c9ef918188817956b1f53f4ccbcc87f6bfc709b81a6e7e32fe151c7fbe4

SHA512
15fd5de77a3ffdb771713e7759001b1339e74c523fef734a0aee3d0378afd034c16ecf939e37210ad8cd211de8f941f06b5367a960caa821d2e664c52155c234

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkgK.exe

Filesize
157KB

MD5
c109e53ef353b73e1e816cc254c93ee0

SHA1
e1b49e5fc17d46affcc05d1251aeeee25cc13e46

SHA256
891147a86c42ef4d5bec7711d60b1ec33bfcf4256c375ec52305eed8b3566bab

SHA512
1870fbdb983e507b0ec19ce5aadd7def8c0a0d6339792e6bdb74ecfe9d52131616662397db4bcf907ef3397be32717d6f93e91e72fe635eaf310415c2b10e040

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkwoEkc.bat

Filesize
4B

MD5
de6f61721baafcdef170430cd90112bb

SHA1
6942261d896e94db1a0b1ce3b277fc671004c3ea

SHA256
1bb5a663e599144c7b1bb63c5e6f240eb46956d83b476509cdeaaf49f208a057

SHA512
f644bc1823a40a9fdb594bbe9ce26ff0fbb77b73cae35f14d787211ca6af3740c3250785f2d1b40b25133f13fab973239e8963cc6e880be872257c05f66716dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwEU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIUo.exe

Filesize
159KB

MD5
85d45d88c1d6f58014a0afa3f8228729

SHA1
374ba83237797ae2bb870222fd600d02569dd37a

SHA256
707bed843afb4bfe19388b403774f3486d249932153c1c9957c3caccfb085005

SHA512
55a421d53a9639f3303af41a77ff0a92e7ea2de0cbc97c582773638f2ac51804e4d43621dc611027ed57a825ab62dd79a13db93478992d184ee3c580f1c5949e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEsa.exe

Filesize
3.3MB

MD5
8935c2a22c3eccdae797fc1a01340d4c

SHA1
796d2a4dfdd5ef7b634f8d1a47ee0b647b023aa2

SHA256
1ba32a6fb3f854a14c06ee100f3e49eeb5e533c7aaa10e17413c416284eba105

SHA512
7e9175606b5693630aafbc47a8e169f579938afcc5343881f96019777e43e2b6e366706d2dac4a9b4fee410cd3808547e02bf93e4c7a8767468335c8242de2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMssgUAE.bat

Filesize
4B

MD5
14e9469dbf7c2501668f37f67bdd3a64

SHA1
8ce2fee29f4c0489017cafd7d1b30b24267ff7a6

SHA256
32b3aba77fcb414d92d08c7f1ae4e043a02c956e62995dedf36e6fdcaac7128d

SHA512
5d82b395bcb0c3a15b55ae4d726b01bf245fa55b7804f220667728b6f50ca4e745ff6c5082b9c57cca7171b59ec3324456153752d30f25da0b4418208f84988a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoYm.exe

Filesize
252KB

MD5
1ce7ae53098b070d2a2bf0eeda932da5

SHA1
6a2a39925c3d490b2b1970a3a3fa0aee78c0dc1a

SHA256
dddac098da974aaf98bce8e8c9118e7fa0dc262f7783088fd0bc1d15d6996bb1

SHA512
d3fb6f94c390d99c0cc9fa07da1a55ffa4cb9d51c80959dfc1eab0c95ad33d437fe1078e911d5ac2da695e8ae8246685fb487fc6c584d3017543fb4487054526

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwQo.exe

Filesize
159KB

MD5
ee2a2d2bbea9d513252cdc4defa2e579

SHA1
d3b498eb2b52524ec704c65b4c61e1b6d977a1cd

SHA256
c2e6c481ebe50a9549b644853070412e692ebf3e0959b629ae7cf0879003eaa4

SHA512
5fd277c17d8fddd5953644c5865df4bf4f07c7c41c3d9e7cf6926012d9a745610998ea2284ecef9aaf371799cd12375cd63a29cd52fdc28fbde3f95961e4866a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkosoogU.bat

Filesize
4B

MD5
65501ce923d4614c1f0cd5769170a5ac

SHA1
6f339631c7e487502e79a2320a1ecc4dbcecc649

SHA256
be3114a9fdfa75dfbf31d563658209c4f074322f766753cfa87c9b0de8d0d979

SHA512
d8553e6823582d0fe6adc0bf85ee4ee43c740745f40e9ca07e9ab8bf68d05a8b0b23d05b71c06d360ec8acc2d6292f4cfa0d8c8577cced825e0f6f8a4e4fb97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIUg.exe

Filesize
554KB

MD5
27b69854e6a202326c6987756e8cf39b

SHA1
ab60bf205a0d4c83ea5ea8466b086e796ac489df

SHA256
015efcf960b6c2ff88f20102d99745c92987786aa77f499bace78eb37c9f325a

SHA512
24bfa01ab1f962459318df65ffac0f1c2277e8f0b57c6673c56ab9018419e69eb92e60240cf6b35820ad5a9caa66d4e300a5d8b3079f20520e0e4a326495981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImgUsEAk.bat

Filesize
4B

MD5
bee0f9dbb2a631f663b770909256975b

SHA1
d112b54598ad33e4c1241ab026b065c8894d71a3

SHA256
2d06fdb71ad5a49e9e736f013ff5dd6345ee0f75f51391bea462e3e3226e084d

SHA512
6c8f9e2c4249a483fead974d44f02fa179403b8669397ea02e51fd5e4bf2bd2caa9014748f91f7add35a7ab4cbaf78c532f1bc690ccafbe3ead41bdfe6f706b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsAW.exe

Filesize
870KB

MD5
36b3df6a15cd0c968c867fbab59706da

SHA1
1ae4de9951704c41c8f1b5d598e35bd15ab17696

SHA256
507210fe385c92a55d95d314063b17e1df0892743b0946ddea5439ce82dcdd4e

SHA512
e08c9855331cb51a0eeec4d697969e26a7b283f227c4c5ffa82db558311a98044f7cb5bf546db74b1168a76c0484c971f6534dee6969403290684730a68d9feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAIs.exe

Filesize
158KB

MD5
32a0f7c1b9571b842443cfa1ced33947

SHA1
279214fee8165f8315a02798bf91682028ab7667

SHA256
a1feeea5c9e21f4378ec9b5bfa7ee230228067dbe41c2486f50d1187a8c7b2a8

SHA512
a619f556ebe76fd75f2a374aa1637cdc134009367a155e7acf07ee16b2570243c7ae7c07aabf7505cabbce34fc475b93cbf55d632d3c4e242f44dda77a75a323

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEwS.exe

Filesize
159KB

MD5
d852bcc35d14c62280380d5cc1743633

SHA1
711c8bf2ffe8a5e21f50a5232dcf72160ae3efce

SHA256
e41bbe9feafce9cbed34ff02e869a80d364d08e1306d0baa2518b3718edd4aaa

SHA512
0caa2c46911bc8a388a389fd8a7baf3b5203efe385a1e428b36f1849de16e1fff882dea1c8a9c04ba75e238bd145bad8b6d3aa1f3e32dca4fafe0e59aad18580

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGQUAEwo.bat

Filesize
4B

MD5
152c4931b0f92a42921beb7cd3b70771

SHA1
893e613b61aa792acf96af180f253e49b855553d

SHA256
d76eaaf24c01d54a65d30b770a8d6a268330d6686cb1b857f9ff8d5cafd0adb8

SHA512
5f41620dca39c9a5b71f5db879c6d94443561beccc6b34c3a3f52c11a50e44e621640cfca2238bf92f582e5f119577004fdebf6e2534ce214a5d8cc40e168328

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYsO.exe

Filesize
148KB

MD5
f01c5d635bdc43fee78985b28b20f2ec

SHA1
a9526bcb634c827815354fa6812929acae69cb90

SHA256
464772ab93dde14cade1b13094f2d5e2c34651f44b4c7c844ac71850cdb2effa

SHA512
06cbd573b41751d333fdef4120d7adc20d977bc6d70dfac1630cf3e73c8c4d1281ef3c3c81ccf79211b4fabccf5293f3d08d933608235d5c81ed6baa78723b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQow.exe

Filesize
236KB

MD5
3b87cd54c4302bc745d18103af3be1b3

SHA1
2c8e3bfb5f102c751bef0032b8f982c99fab64e1

SHA256
db0bb424682316900af642cb391c9afe01249b4b512b950fc7a044035507700c

SHA512
a81c6b395fad8c4f6a4fcd3a48d670113751e640c001ded0d17de42f7f3a46826e426b905c2ac54729484c781494ef0ef55733079716ef5376f6d3487049623b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgYU.exe

Filesize
159KB

MD5
f3b5e88e374f15dd446bec01fdf9f8f4

SHA1
ca8d5837b07003ef7cc8b36c8def92bd39f797c2

SHA256
3ab419b1b9d37fe21a2b1b932e4ebaaa9d175095959010dc16e90459ed39723c

SHA512
2ab4cfb6380fbd58238581792f6243d182d18d9d8e403b8d26338aebc35245739aa98ca40cd887dc0199ce887c6081e092ee77472c00e9286e1a2bd08576e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkQIUAQE.bat

Filesize
4B

MD5
6035190efa61c43440edffccafc42393

SHA1
6487ca0dda46499b5e1535bd8eb74919bd2fd564

SHA256
5ec562c476c5e92a9bd62e8d39043f2cdb0f6930115051bc4622b33e141016cf

SHA512
850a60add6be54269f6e9ab49fd8c698c94620eda5dc4aa10104000e22a6f131689fb3ea6fb16dc812d738b9d3e5ab722ac79dfc861cab982a98b07b15698c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEkI.exe

Filesize
159KB

MD5
19b6870ab28aadc42b5bff224dfa3aca

SHA1
1f716b589bd58bab24dbab029c19d356cbb36a26

SHA256
d841a704c2ab45b3683d3621a4c511069c1a12396028813acfc4d4b038e22e3f

SHA512
82fca4852c3f75b27ec6c4f8ea11e776f384e8f57b6573c3db1c0c8988bdc0ca63fe493914ecd63f6100cf6b166a15e4d3161e6a692bad09d7cdab58f9b0e200

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lwoc.exe

Filesize
160KB

MD5
7994b85711f699fbd046ae3c8f1b496f

SHA1
ac18ec89bfa793f44547f9ce7ff7d1dd59e4d719

SHA256
50121543a69c1207a719dd4c8750707e0c9f5312c2355deaf479ea4f4851401b

SHA512
bc32800df9ce4ca75b73b7818fdd02f32e4fd35031c6b410905f7f4e14631e27989d49bc87d258c6ad99def3251d14c9fb6f3c395f4de597c44e390e4fade53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGUEwYoU.bat

Filesize
4B

MD5
fc1d02dd5f679abf576f6591dafb9125

SHA1
4d1766543e9786dcfcd950f17cb8dfc108384cdc

SHA256
4136d5642173aa36b648cc6ce211f227ed9894e1d2ba22615978d37de8ce6486

SHA512
5784509979182ea2e8b424d09a5c14d59a293107f96b6d17dad04dd2e003270a910ae42903913941a0b458ec6902874f9c97ea19abf37c6b017e8f88d05b3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYs.exe

Filesize
158KB

MD5
4bc7346170d65c56a527da02a91c083a

SHA1
9f69d896767a3e1520b8f83214fb2ead56a3fa4e

SHA256
4c123322b2a27c7eeeb63895618e3f2f54531eaee694e8b75c0f503adb2d560c

SHA512
d11d14e5bba31bca35164f9a97e2a2861d7d4a2746700e89c8948877b7c3da04d6a65722f657be46a37e92d883b4ec1e64722f553dd05fcb00c4ea490efd8ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMkgAkAo.bat

Filesize
4B

MD5
f803681fab5e161ce4498b3388db783f

SHA1
9b3666eebce02bfd96e33aa67f5872202b448cf7

SHA256
2d5180491af97b945ad2bda937ac49efc9f250dd84d7a533b3e2a4fef2ce7443

SHA512
f8ef45b001b2ad52e2b5b085f1cab62480c0e69e19f95f846e7253e847ad721c7ddfdde3c8f9afc5b2485f21aecafeacbceadb68cfbd485a2d7060085548b58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMoEIMMo.bat

Filesize
4B

MD5
9027cb8f448aaba1e8cf1a1eeeab99cd

SHA1
2a15393c949139e0ae426d15d74f594b5c038acd

SHA256
0b20591a559be5dba6cc9297cbb8cc694ccb95e6b99842115022b395db468049

SHA512
8605c4d2fa78cfec5f9eac161c7f87e8b384898fa5e08c7b4c6137a839aaf401e31a4ca0de96982199d3913d4c2687b77b765fb83fd3b1148078a92994bb40c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkUi.exe

Filesize
157KB

MD5
c0a72099a329cac3e4ca3aa00397cc7a

SHA1
8c9c9f4b3578aa8199ef669091c8051098589167

SHA256
90ba457a8e4fd1e20125e60bd6d463953c07c0e28e9ab56f29e4a927685e2675

SHA512
0ff07882d07648c5b619721f44c392b5b79d3ce3c640627104137a7c1c11afa994a03d77e99b8575d158eba8e51c8e732559c861ba86707ca4e069d4e8988736

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwskMwcU.bat

Filesize
4B

MD5
cd351b1d7cd5e139dee189c05a5165e1

SHA1
b2ef199bb8790e7a0d37a6b352d7974144a85ea7

SHA256
e050667004f9c6e9ccc90534fc13041e5e83158c21d6b273f1107bfe85cfbcc2

SHA512
478d8a7bb2e1a20743f2bf9d84a9292eed0ec4d98367d039dab9971973af2a1e18e5f80e6c834b6ec23359d45262419b3dd87eb14fb4d6bee01f9bad1fc4d2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nwwu.exe

Filesize
158KB

MD5
b61a524168dcc8d1d30b7c5f80228f0c

SHA1
6bbbce07858d02e623663df8e87a5b14763657fc

SHA256
0374fd63b4d49f6470f327168fc07c384ca5dd745ffdc72da3b0ba2ec1f4c3af

SHA512
33e5f339cb1fbcf930584eb41706c7fbc32930b60fda2291c7244f55c70ef777b2fae3de803890e818212748cf027798b8812a4402916003ee6496d6390da6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcYm.exe

Filesize
158KB

MD5
b33b09cd5963502883943d30b20d5265

SHA1
45aaa86e72546ece297d1c38c4ae7d7e36c6b01f

SHA256
af01a40d9d7b2633ce1ccce4995da661a9f6bbbebe0b0846228007e4eb84c3e6

SHA512
1b79da6f8fcca124a50580cab61889eb65fa29281b8501d51f43ab11cd221d36e546a4a75c2c2026c60b38b46dc6bd0d4b585939d98eae38aa1c547f628130f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIUgAMMA.bat

Filesize
4B

MD5
16c872a5b399866f41b13b9fb13c9fd2

SHA1
76bda7732ddd758d8cfabf47c9a47276f6ad218d

SHA256
dfd5a34994d5c6d8a3560afd6f21902cdbc5d3930ce5fae4a35d6b4514490957

SHA512
f246ebd67f34a5182fa4899f2446043b425a16db3a69fc2db11bcbefc09c744c5b4482dbb6afecc82ce52001d1fb7918ec2d340b6321f96bd7b4b7c49a7d3d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsgS.exe

Filesize
158KB

MD5
1b508b8d775faec9ca8ce60803d87feb

SHA1
d671124b59c2325184317f2760daf741f8844e44

SHA256
56fa88443bd1867fd887529afabef05d7b1b500e84cb3ecdf18142f9d4698cdb

SHA512
88ff83f2e5db69e5a0453ea50b8bf3586f9273a44dd34ee376482d286da8f8c59ddd0b864e0fd96335e4e9e7eed2a0596f8f7f6a5c4e4a37146b999c0fca1c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEYcYAwc.bat

Filesize
4B

MD5
eb66a04fbff75188dbba88d1565ea789

SHA1
11cdfec56155d43095e0d8b8dafdb2d65f9131ed

SHA256
4ab4cee97f8298726e240ebe982f435da83f04008c29c70d2ae219331300d0d4

SHA512
bdcf759147cc4efb6adbba74fa76e0d7bbc1acffd2b5e78080a6f3746665afc943919a2b4a77b5c50da4989871ba9d422f98d621f424c4d2e084906bf610131f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIs.exe

Filesize
139KB

MD5
07564efbf2338ef25574397402496744

SHA1
f1f6270d94e5d80a37a944faa304c67a1e97f85e

SHA256
d16ad5143245227d29b88711c640af61eacbb35d34f9d1efd44badf0d6bc0926

SHA512
6ee2541cd6a43a86f936bd4029151a6e41935347a90960b67bd26a72d1df27139325e8c8d47a15e0787bbf1476784d323e0aad14acdd6c83adc1c12cff94dc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RycQQQQk.bat

Filesize
4B

MD5
86a5bf8921e855f3fb6f0a976e507c2e

SHA1
f558a9bc26d5d6ffb49a01a111ad81f00a27510c

SHA256
87dc60b6d0c2fd4a75febfc6918b868f20e58babce11b16de5186c01382d25c1

SHA512
6bd1da4ec6ffe5b07bdf0ce6c9105c754719b3494efe30dc7cfa47b06fb828f94dd4088dd4620b63a820ff90bf3e9353e5088407e69a62d8c59e71e178e1f827

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgG.exe

Filesize
867KB

MD5
3c814795eb6247daa93161c81f5afe6b

SHA1
4fcb37291c74ebe9184d65c1c9959e67cd05a07f

SHA256
8fea0c2926b44d482a9943ca57a42977505bc4ad3b837805e364ccc51e3aea0d

SHA512
af682f2a0327e7061ee9c5809863c0eda179acea6443e09abef3bfe07071a2b18e9b9b8df547c5c20d1160cb75bdd80093b6d6d8c519aedd6fbba4695e562b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAUQ.exe

Filesize
936KB

MD5
54fccf9ab29998b8a8b08184bad417d8

SHA1
631cf48bd2f493461932ebdea306d6c55a893301

SHA256
b802c4990d0780cbd4302497fa32185244ef8a3af40d91f220efc9c736c2fe7b

SHA512
447b0c98586b12cfc0723005af294dae9cf297ac5efe8d8cd2a7df457a2878dfc47061fd74d7338984c01d70c6ed1a00f1ab42ecf8cf3b79aa6b1d1a456cfd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUEwUcwE.bat

Filesize
4B

MD5
0f01a1266d9879a24a4c3a59478af43f

SHA1
760affc1f1aadc94d052a78433bdcf55f6c605db

SHA256
90ef5872d386fc837ae218827fc85a93a889ebc1457830fe3bbcc3b28ea39364

SHA512
c6e30e61cbd5b70748a199569167dcdfe4fd15e03c129e9ffa1e283f3b29c5389ea4fddd76e4ce0cbc94f30f48a5f029a554eddcd121b3689c963cec6c904267

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMUe.exe

Filesize
160KB

MD5
0a0df6eeeb20f3dd547f2623bfd08f87

SHA1
b54a6b132521aa3de636b4f1dfb6f2d6480c9def

SHA256
72215bbfa0dc96f09b7e793f7d5081321e29b159346447e43b3433c3e70b4da1

SHA512
80d8b63f68e82ef3155db16004ba9241034fbbab8ac87d185fab0603eba7efafce67a58d7c23ba8afd96e8c46008619e431a60f2fffab5e08f69c423943ed0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUa.exe

Filesize
160KB

MD5
23c7754e0d47d39cb39dd22219dbc9c1

SHA1
016986b2f5d157940079ae4cbde94b00ca1e3c5e

SHA256
95c59a2f99e794c7198c6582bf3165de7e0b5d752572a075466e2cc3226ce7d3

SHA512
af923a9663fd1bffef5aba77a4c199da4ad09b3754590e798a289a2e40aae5dca3e37fc376871a30d030f2f5182b003496e272af7bf5209156f2a9fc344944ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIu.exe

Filesize
140KB

MD5
cadc316d84f88dd81f88b2c33eb9a06f

SHA1
8e33684c27bd411f666297793b9e93307f4dac45

SHA256
523256336a066c0c02955cc69bba05ecbb2a4ab88aa03e0a557c2374cb96c0b0

SHA512
013007237ce7f6143ff637aa7b237ba8f74a171933aa51aa8110088c630c6da78e94a9bdfc5e519a0785f34dfecbdbcc408a9de5559a38f119fbe3a7a66b7e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkEg.exe

Filesize
159KB

MD5
50033f32c1e4b9cd3fa76a8c9df0fd0e

SHA1
f5619b7dff8fa284b1fb9029850ac027d2f6b756

SHA256
f3efbf77f699e0ff407fefc6190fd476bd3c0b9d72500555148b1fe8b2729d92

SHA512
8faf1774228c8ebeeaebf613f0b7931f2934c7f7241554a0b799846718616a24a8cd4dc585c548cbc4a87c64f14ae3f6f26b8afff14759f9f4e21c32073acd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoEu.exe

Filesize
499KB

MD5
a75279dc7d88ba7abdb06bf506bb7c90

SHA1
50fd85d887700eb970c4b3cbf1bc78daa40c0f64

SHA256
0c38ab65618bfb596b6f4f8f061fd8e6242d1dd3fb91e7e6c97366231e197244

SHA512
9fe171bdb06b559b6bbd63c9a24ad535d53d51d5509d8181b7d8766015f9b935e5208309dae8d2300e494806107fba00a4d7a8e0f34312efa71be23cebf84b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAYscEMk.bat

Filesize
4B

MD5
1fd3c7eead6b941deb2e16fff8aaec59

SHA1
59878cd47b222286253a4415dfe04c13046d62b1

SHA256
cb9ee5fafb55516755b9c29d4a84a3eb9d74a97f839436bec29391d996a92ec5

SHA512
abde2a68e83f3bd388275a15a1490269c351d6f26bf9292ce28d4901298d8d9354ca95da39d17b4268a3be48a076f5b1098c085de8cef4f67921419308e202d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEww.exe

Filesize
428KB

MD5
8c17c4aa8d682757864fcb9757b34136

SHA1
ccdd70552170ba468cb93ebe1df58ba45ef31e37

SHA256
ce9d9a8630e905cf6f2a9d15ce4be258e89f17ca7f3c756870333a06b690cc62

SHA512
1a4bba5dc64d270b8df971ee474e1d7bbe0193ed930dcfbacca194cf99aa2e39e2d230d4b02838636fd38a645839d822ce7eb4280495151c2f85180ab0a608df

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGEgYkYY.bat

Filesize
4B

MD5
6636df58b71cc442b6cfbee6693c1f29

SHA1
5d9ef34f5ca042cc3401e38cd76f3cd59c1ee826

SHA256
0a5c3c22f4245f25d051ec74d2e363f9067af017031f828769812a4158f661d4

SHA512
dfb93156544931475709a6d0d13dccdf3d05d158f14e333ca8998a9ca8c237d09f3ff6923f8cb6e6ae87f2a8680b9a581a539738e331409a770ae89a5a3b9411

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYAq.exe

Filesize
235KB

MD5
7b6ca1fa3db7f6663be5d95af6eebc23

SHA1
e163991bb1e81b323ec3efa235cdc478fd299d54

SHA256
e240952e0264468bbf7986dc3066b92b57512db9538b4c6e36b213a70ced26dd

SHA512
206753e60263c891c76556702d2d252fd961b93fbe0926280c474d41d5361286fdb42534d95c7bae6f103eb7f787aee1ab34cfcc8a9c88a5fc988add6e79b221

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vwga.exe

Filesize
157KB

MD5
c0b1bd83a228bbc88e6869a71772a8d9

SHA1
2ae0851f70e6722b2b79291e21d73c01615a015d

SHA256
c80b0ebe4dc2690035487b2c0428f11c4c51ca112b0e9ef2e902127f5abe51fd

SHA512
7cd29b0b436dfde0420ed4c8a58b75c9236b390918b4060f362e694c2ac18e3400537e630abc5413918ff1f88e5fda0e9d5c1711ab9f44f1b5af545288628b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAAC.exe

Filesize
160KB

MD5
fc5c6123b712ae74b60cf77f3aa4fcd5

SHA1
7d1d35bf202413d4dc854e6f1fe6e3d8fb05a874

SHA256
ff2b28e97d6958197e34900c0b15b311eff9017e8bed2d55ed59bca0b27405a9

SHA512
cb2fc32dbfbe6f90e545b649e820f61efd2edd92e3c4abb504aa1f5ff8754be1249faa8b191d44b1886021c9df6df326c74f4676406247649bff4d81fd1eb799

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsksUsA.bat

Filesize
4B

MD5
7ce824d89153065b92c003f523a6f56d

SHA1
ab9fd4ff529ce1037d5664af59a05d2e714f5bdf

SHA256
e75467fc432a9bd95c073f7d910f5fba663c3b25dd7753723ddedbf93858c612

SHA512
4615353276a22618c250bb1c8878f6f8dec4803ebbd3ff9223643d54dc8ec715a4d6c51f9bf93a09fc055edbd9684ebaa202d2acb9f8b062379c474a6c9a4b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQgosIQk.bat

Filesize
4B

MD5
59e8600fbc06abfff597aebc8d568c68

SHA1
2b5cdcb03acd71b899385db81b1dabcbb1527b7f

SHA256
bd048b2f43b43f6ba752e1d6f9b240959d24e85c62854229068774b2ad3ee6eb

SHA512
ea3a4fabcc776f032a733c0c73fe2bc7b84f1209a3c0cfcb01d78aac6260379cfc9a5e2fed865dcbaaeb637f167f83ca7b679f88c08b15894768b86b6f8b3acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYwkEwQI.bat

Filesize
4B

MD5
46a6221ef2c41d9b17831f64034f3ce7

SHA1
09d30384e44ae0d503c45cb132759365e9040590

SHA256
db4041a5354b2a3ff68abb4e1fed853aa0665606174fed7242e8f8f16dabfbc9

SHA512
360b5c657ed83773a8dc17aea3d64253b8c437f791c705a3990858899f061511137be3e546c45a29f82d90c629e4aa8784a97e5cb249e2e09b1bcdf8701bb0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiAcsAEg.bat

Filesize
4B

MD5
3239721beb43ad665ef420d8ec7349bc

SHA1
9517f573a5a39c8950ebec1d0b83bc0f3ce1b4a0

SHA256
a1531c13b78a860a5a544753f0ca0fac5b622636ef964d803501b6d43920b3ed

SHA512
91a6c16aac59b8dd76f323c7eeba037e7241bd58469ff87515eeb4e89c6618138cacbe0d0d528286bc36e0a0f3f2ac524663c37ab0fa56846d0e4c65f7703aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwcs.exe

Filesize
158KB

MD5
fc334fff178828c3b7e60cdcf9fa5972

SHA1
4050274570bbeae3a457e877f6ec738391b0b9c7

SHA256
42484dd3bdb3210ad39de209f0593c59b449745b961fd06df04dfbf148b08a8a

SHA512
baefab6e0e193c5ae631ee1f248d204fff2e985f864b467ad772a592ba445040b36e71f3e9b4d37d384b1e0ce577ea1638af2aedeaea30b5b52ffa7d0ab52186

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUkg.exe

Filesize
657KB

MD5
e5eef0c2d6aed21ba130ab846bb53aeb

SHA1
04ebe81b3d2ec2cd0eb13b1a328656e2dafc7e0e

SHA256
730f1bd61e9faf0fe7275355854c60cd9bed69649e0a94c0a51a52e2e2cbcf18

SHA512
63ec0acf010ef367b2a2074e1432cf43531e008ab2e88f231513b28400eb93df877ae8b6e8f4119b9730af0e451c2fef59f3b270af3fa409bff4111fae69dc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcskQYAg.bat

Filesize
4B

MD5
9645e4a08c7f191ba759cd530096f1f3

SHA1
28b773f79b36f2fe3d5b44270ece123a13661204

SHA256
11b67fbdba1fdcfb1e4c48389100ad80610efafdb9e1fceb8dd48a75e8bd8627

SHA512
35a224d0accf6342349172a8694a3bfa67abf5d18fa60b814580164ebdcfa11d6e74c793fa72de4af342875cb7788b19e1f807542d50c3ed9383a47e39f6cf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqIgggwQ.bat

Filesize
4B

MD5
0c04801084f5eaa64f536ed165603819

SHA1
d1fdb6b7551013478baf25beefe490919241752f

SHA256
97446b578ab10f8e95729d93606ca537e887453ed7f62992dd35b456fdc9dd8e

SHA512
8188daf1f91ba5ac7089eb535c598a3119b4ea3f677d2ef2de7c0d963095457fbe24776afca029e3057a07ae9cb6d3a72f697fb7c4980d9114efb6f2f70b865d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwIMkQog.bat

Filesize
4B

MD5
03fda26a1e1341e42285ac162b4f79b1

SHA1
fc06047fdb062f73446521bbbaea5db192067284

SHA256
794e655f4391daf9ceaad4d6f203e4044955732d772531236ce420d40645e04c

SHA512
c5d1d16b2f5ba1050c5d4ccd86cc9cfeda76cad773d117cc31bb410889dae8333aa8d0fc8238276cf636ca590bfb6b0f7871fff262f14629c366ad7f5bfa9c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMQc.exe

Filesize
157KB

MD5
822a7fd43774b4f97315928e2e178c22

SHA1
a44adf1e4d9a8305ba852a057b4bae6b9777d1e8

SHA256
5e754d0b208279804dc8b066f03bd5967a17438d05752410116cec339aa0e7b5

SHA512
3775cfdf2e0d985f33fff1707ebb2b8b43b321658deda24e1f5f22e86df7e455a3fd633077aa86f3bc9982d88cd246456ef92a7b6ce5c6e309a2b79d2aa88220

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMYa.exe

Filesize
157KB

MD5
aac6339cd8f4d5af0f2f6f1765bf9bb6

SHA1
db79afb4aa641678f2b818facc693b590aa218b6

SHA256
9c6d0ad4ed7ea248f79367726b8d2c73dc77b2d18ec7f82c05b948f8fa59678a

SHA512
9fbcaca508fb502acc4dbe94d9b97581585b74a55ebf3f37f0484b1354a39700ff15f69f79b22278342b89b3e848d622a1c2cf737789219a3962cf03bf50ac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YeEoYMAI.bat

Filesize
4B

MD5
105759d266fca672fe9a353432bfd027

SHA1
dd5857836134c9b67511506ce04f1dca3ec39608

SHA256
e3c8eb110fb3f4a5c7d0a9cc07f37b64bc196e7cc2be1e3d3ef7b5e4152c8f52

SHA512
5314719072ca83be73460ec8713bd2d8e920dce0e0f9e52e70773b2f2a3aeb54649c2c562d985c5be419c8924d579fad290351cf29f07a72089b2133c0dcf4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIi.exe

Filesize
971KB

MD5
b4b4729b90598ab59ad6e12176cfaaf3

SHA1
9f5d3bd752c1c4de694ff0adc68c6cb3ff85bb22

SHA256
47a4a13654b7716f88078e7ccb55155316cbcaf67417c7a37f195233a205cacb

SHA512
0f981d0137529dea59c4ad302be5cada49f1a964e1caee72201a7af9deee1a0b8103e96d3684d18bd460edf010f6fc92a5ad11dfaed37fe30dfc9405d661b499

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAk.exe

Filesize
874KB

MD5
87dac40ba4ae46e80338bc6a9b23041e

SHA1
35c7c926b2cabb4fec683b2fab2ec64517eb03d4

SHA256
e0ed8a1c657cdca24c4c841b8a75cad31d9dffeb18af05ddf6eaf97869ab3847

SHA512
3f907b98f818b0d5cef65daabc95cc55e18085cd5b46efb6a0c5eba254a9e6c2940116da32768afc68c0679cddeaab61a28813accc3f7698acaf367106a80317

Download Submit
C:\Users\Admin\AppData\Local\Temp\YosAYUoQ.bat

Filesize
4B

MD5
7aa2df735f8fd773d7dc21c7d9e896be

SHA1
30aeabdf52d8dd8b2d4c6a6cfce4ef3dfbe9f48b

SHA256
8058764bf251b44713721aa7549745993c48553c2fb6dafe4d655ac2c74bdba9

SHA512
d191ebb77e745305d45603d14f47d26b48979ad73f2cbc9be9900e512b49f793f9188ad75db5c280ffaa28999e46f41c2f5d16026ef1e303577fbb9f000abc2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwIq.exe

Filesize
157KB

MD5
052f25605d6d8ecef8df41accedd360b

SHA1
74a1ba43e36a5b859dd1143f23172b322ef51813

SHA256
a5c0bd51d4d0816d5fb623aaac9b19514077b33cd15a06f0aeb9b13938fca711

SHA512
f9db36aceac6b7f06b836e0fe27c7f856d07821f602caccf3859eefc32e7e85f825edd51e1bb5632571c6bdfd04c0e344364ffed5925c70c5142eb6250ddb8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIgG.exe

Filesize
2.7MB

MD5
fdf1640a585c6b2f28a0ade1b54122de

SHA1
efba7bfc2f1722ec9e21130b56e777c1ba16501a

SHA256
7ca8e6490833ce507aa929dd1e48059f39b11463fc68f92f7b9f86ff23ad1cdb

SHA512
8effde1c5140f5628d287dc88d75548841bfdebbee0c23978dc57f50b294b86fc5471b203a70d31260647f49cc30732aebdb551f3362d6a6f830a06c5b60f5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkMO.exe

Filesize
158KB

MD5
7b888fd158acb92c2903ab7faa40265c

SHA1
8331d5014734a30a89d37c303635947d27b3df54

SHA256
a9d00925e0413db0c547767a0e815d4d50d55298820edb118dc59e1c175444d3

SHA512
3c1922453629a0de35f0c56786ca499a54e8aa5fe6b8342803c303862e9347e78e3de1ee1ef4285e30a1ce45bbd692831c8601eae96e61cd59b8344e98496dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkUQIckg.bat

Filesize
4B

MD5
5aeb481ff446fddb9a8da54905c8244e

SHA1
ce97742cd61a4d8cc24c8bd491d310ffbc97e991

SHA256
e12aff231e7821f4cd045cb2284bb2ca493d5c730b5b58d6fa94d07b0ab8acde

SHA512
028ea7b122e2ecb7196945f164d8e4b4ca0e77f92a3c74b3a016b928a62b9af1528747be4d7da7a49e6a557c5641772d3685e02f50036b2d4be09e0d7027067d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkoO.exe

Filesize
410KB

MD5
3e9e7353497cef006a92950f4c3ecd86

SHA1
1ab25bdb268a7e2b7bdfb68b798e2abafa1c4280

SHA256
de6afac1d09995a86ff4789b4f39cf60097b68d6b26eeba98c20621b51ad7f86

SHA512
562e053546bca1ddbf9d7fe2c971ff130024addf5b7d73d6884c1fa21acee69bf88d5a46160d48fb06f7637f3ec94e9ff58ecd2699eabb6affb6536a0bef258c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agEk.exe

Filesize
668KB

MD5
3107e0261da790ea349638312365e275

SHA1
538ec2030e259c07c4e0f186e6e033dba9dc5bea

SHA256
2b5aaf6c35d98ff9ef0494725142fe1b0a0257a0c96d3d41d54cf22c2622c24d

SHA512
de36afa8b00939ebcdd06bcb45311443453637ec1ce34827a6d2388ee65470f09b6ce33ec1aaa7383cf7886d598cf644df02b1e739fb79de0b607c37a98fc08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\akQc.exe

Filesize
155KB

MD5
efc6562afd68e973b969c69db8f50484

SHA1
3ac3f13969777df7d8afbcc6c0e259f94f756af4

SHA256
b7056dd4688eb91811297c0c7f16471b2f73efdf3f4b5ea0eef1e47ec7bc4b9d

SHA512
6144b4660de1457ad83e3a808ace632971c86a6020c92d11ddce26b000ec89de1fca2459a1b08127cf1c0c074d0cc9882ab7122fd7a4116e920df09c9eab6925

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqEsUYck.bat

Filesize
4B

MD5
4a50c82cb505e705881dca43e653e230

SHA1
ae2094b25e3127db061360089bf1795fe678c7cb

SHA256
05f4df9920d5afed204e709378beb6d3bf963f756b5ca0a609240c92cec7157b

SHA512
1bb56b3209dcecb608d9df24eea7b5cb82411de2e47296798768ff39e2403a954aa2b3f92d96f5ae0a24a94c5cbbe7b8b4280bbda770fa941d7b248514e73f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMwM.exe

Filesize
160KB

MD5
c6b82c3bfde2f44f96f33a9ab477b40f

SHA1
3ab713d84d76f6d96fd2469fe570b19773548f3d

SHA256
47cff32597804c212e356c86abcfa5a18c7873ba3f8c3021d90f08dc34601909

SHA512
a48ec6e8d72ddb3f82a0d9aaba4f471435002b260d692cf9ff34cb328ebf4cb6606222680aef569aedea50daab2eb774030a3676bda5661339a518c50a602414

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgwu.exe

Filesize
158KB

MD5
702634e69f2470145eb4cca1cce61e94

SHA1
d00a14774d42b12263b387af8a08413f35bf05c7

SHA256
d65b91d639b55e092aaa30bf711bbec0c016332f0771dc863f286f52a30dd6a9

SHA512
1977708482f5d62a20be7c62ca27eec9bcca72853148f8a292d05d26524c4190328567745dfed7936e80378f94030197bda5e509c2e6df3c98d5a36d13524422

Download Submit
C:\Users\Admin\AppData\Local\Temp\boYk.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAIMIcEQ.bat

Filesize
4B

MD5
5ad11a27f2940d7a9afab76f92efa655

SHA1
d4d39fcf39d32f464e53aa64a579f43bc9c5c984

SHA256
78c8950d63a701d08e7daef4f1556fb1f727518fa6be00f3ab8d399aab79d8ad

SHA512
8802284f224f915c8ba6104c722e73f7b35ccc958a7e0d4e4aff6ad0608672aa6a1ed23f5c788c6de7b811358540360f096389b3dd8de450dc8b8d8f3bf29efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKQUEoQY.bat

Filesize
4B

MD5
f01cfe9eca7a239df70196fc2248ed82

SHA1
58caf619c920ce5e4ef8603b03d321028db766f4

SHA256
a7ad75f96c0962ca6b299094bdce540ccf992fbc5c019c1e37105c00b3abb490

SHA512
6b51d186eb446f942cc1e330263aced446d6370183d0912a743b52e0e6a5eedd0f5bb4bc349804020b2c5f77ff2d3af448a60f7d782b9c2efd78de3c2f27bcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQIO.exe

Filesize
159KB

MD5
a7c7584388742158d7f3e2f6db7585e9

SHA1
55e5bc624d48a4d4d94ecd41b5aba6bf16236398

SHA256
398fcece656457ed91e73b1f0de427c951f94a8b862f6f81d3da447606ac4c02

SHA512
f91c870a9d69332912fde4368d00c4f09aeb734ab4c78c27cbd7090ee69ea0e7cc4432ff7db4b53b5bb826fe3088615eb801fc30c23f79b7a9e7079868a60e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\csAAEYAM.bat

Filesize
4B

MD5
4ff5836f8f5df4c8df66a32cd04e219f

SHA1
b050044e6b3a0b4e27449a96fa8b0afaaef2e8c4

SHA256
7fb86726782fa2fec6e197dbb8036715aa8d126bec641c7dbbd05c65f3df15e3

SHA512
8ad0392aacb8dcef3e1d0198c4818fb783eae5e16dc9c908a0acccfff99166fa86d0713796f3c67ea10d519cf7fbcd5957cc46730a3a3d8e6960cb57bd1a72e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAUI.exe

Filesize
236KB

MD5
2392b2732b36c225543138aa200421b6

SHA1
bee284627ecfda3cb44a95f18ec67df83f0b98ac

SHA256
bedc8d8e37f1e8a6230b785ef2b5b5417e0948eeda7bacc618f8c8a4873bec15

SHA512
8a78f04df6432b692409be595a74c3b6f3534608576fef3ce6dbe5c1e4717f53f035793978eba998afbc3e290a8329e2c03e411e64b45cbb33baa148685b15a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dGQgkcoo.bat

Filesize
4B

MD5
2103cb1ebd11d8fd132ebc1572af9a68

SHA1
b02109b27d866647832cae920c565c1592ede05d

SHA256
e752dc3d386ccf037fe613d61797e9cb7510ea11d067bb30e9018d3ada6f2cc1

SHA512
23cbcbc35538a110658cd4015fea40421681bb8d29839c463dc66bc8624242ea580fc9f645d5bdb0d61323b816986aa68d2e8c950f9a4ef05c9d887fa6f64d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmAgYYAw.bat

Filesize
4B

MD5
b3232c47d6e5ac20edbff4acd9f88f75

SHA1
4b9fea31cbcda61a9f3a2467626b7dd66dcc6881

SHA256
a09c176113a4f731f105f50d72adfcdc20cfd08548cce1f87e615183a26371ad

SHA512
30646706b1f5ddb334099a6b92556198b4fc0fde7aefd0c9a6beecb1a549885a2e28841c4e29dce72b9001da11d91faf6a8fc5e7fb27c2a8ddf0256bffe2bb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmMYgAcY.bat

Filesize
4B

MD5
e80e2d5e7fda26b5321427c69e80f8de

SHA1
1cef33d5cc634bfed6d20b7ecfb8707edac26bfa

SHA256
51b6a1a22a0ea7aeb6c9ec7d2b2c7ca414f3b66993dfeec15973f6ce1d4ea465

SHA512
d9e8cdd1e0aa7590c22ad9af7d4fbae903e21848ca0ad9458fc5461824eef170083b31fdd650e909187352746993a319e5f1c8d12095be2f63fd2511952f8a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgm.exe

Filesize
141KB

MD5
c6bb01f02d5deb472dcb148bfed93ca5

SHA1
42ba57928fd7ccd384c75f882439d67f54aff727

SHA256
363d7be373677b0329a261238d4191a79875ef5de3c96d37eb78172dce4e7bd0

SHA512
0177828bad71346f602d3eb9af6a6812ec445ae044fb508a7bd2ce9ce929f46c6f0f073200d9c29f976485220d593cfd827cdbcdbdb738dbf471863e35e35a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwK.exe

Filesize
691KB

MD5
82ba612bd0e2401444b87b1180a67856

SHA1
281a52af8291746b14477eddd20abd03f9f2f17d

SHA256
0a462f7253795b803a967b8e5ad4f676cdf8b0d5416872263f8de67ca04b6e3c

SHA512
e731988cad8d6cc4426ddb7c91e48127bab251c8ce0412f4cd505c91c0f0447ae3981882dded0d8bd8c5a7cf72a9f71c4b6cea253e3db15019f16807a77e2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWMAccMo.bat

Filesize
4B

MD5
4de62181ea5b0ae0e3e3eae9bcc67b43

SHA1
afcc457f4b2f8849c034968c61d5c022ab6de1a9

SHA256
ce36692ba67f5857f7f63262de53e560679a6cbc34085d91546f7a4e97d2b6d7

SHA512
85656afccd88273f2d2c941a86f3d533b1d75f02b3402cbb9e08d5be24a4f0050613a478ed568a7019ecfbfd8657185fed47ba6314dc7c0514d4096a5daca736

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAw.exe

Filesize
159KB

MD5
cc3fe3e62bad510a60ef8c8df5f6d4b5

SHA1
3f06edaeab61d77a885295188b7ee4dff91a6776

SHA256
5c42be45d5ad3074cbf620c41e980988c6ce23d1b87820786b5ba7de27707f93

SHA512
cc000a4e99eb676b90c456e97b8d28627f8da9d43ce93d3fe86aa0c8c5ac25b56ddc16a68fca40e9801d355c3ce5657592ad6ff1d6810c55c5b4af85c4fb0e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekQEUQAk.bat

Filesize
4B

MD5
107968a4f61aa5a814a4f6bd69a36a05

SHA1
3e36ba074426830ef20aa32f44663a92418c4945

SHA256
20db2e84f88727e1cf32c01fe19055d1f446739dcfe83d32f4249f78a4df4579

SHA512
9c5ee3acf13a0f58205682ee79852754dd08f910cf46fdc45fceddf65096afebe6d0ceec3659a3346eef80b2bf886c9f60af983893ab08da6885c2ed523d279f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEEo.exe

Filesize
159KB

MD5
79b0788aca7b6cfb20662ecad80b9aea

SHA1
0a3d9e283645d8889484b21074a2efc897c70def

SHA256
f2338d2b8e081dc722f2e2363f1e94b27af7883e99ccf275838d4b51035d9f62

SHA512
e6d4c3d8de9d9435b6809151d8d1f79bc23b2b077e3a7e3564dab4a6481bc5dde7a0d7e716c58b883ce6b9a40979430510fc77456ae0d6af69873db3c24bbcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEMC.exe

Filesize
159KB

MD5
9a4bd18769c9a2079d55bf349a6ad38e

SHA1
a49616dcfff99656860e2adbb6b0f7c8117cb036

SHA256
a3bd571fdb3d225736483d2c21f00d65624dfdb7814ea6771befa3b9bc8acb7c

SHA512
4fecfafdacc1fa5bd7db985d14eb020a574753ea9b123f19f06bdcdb45f24b3caa313b8dd631f0c62ce7ced9875c7e866262c206b41bb8aedfa8df4395cc1fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQgUYUoY.bat

Filesize
4B

MD5
b33e080e8835eb817ba32f82119cbf4c

SHA1
794f8a70f978f3bba70634ec955cb2353f327e4a

SHA256
8e4e8408b9c613e7ffadaad40607cad366d7ea4be1d6b93700e244092cc73a30

SHA512
7469fe403740236fef4ee82a73a3f0fcc71ea3ff869c19c45d408989d637b0936a76979b869137f62b6accce0e00508778ae1c66bfc586e0eaca9454b8b240d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIAi.exe

Filesize
716KB

MD5
ff7480d54821c264b9a4c1eb70b040e0

SHA1
1da26a2765b5a270c325882bbf6c134314a19d97

SHA256
a68ff89fb953f32947978492c6417913c63c773d93b2f8e96349801c3ce31bab

SHA512
598d3cef3d552e1e24cfccbbaaba430cb8ac3367d864ed2a5383630f53b034fce99f854c5eb71aa364bba762521a89418a958181f23dfb3a41c85ae58499063c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYEQ.exe

Filesize
156KB

MD5
c630fcf647a79ad27df84bfe7c2b6bb9

SHA1
19415e0f7f2217fbd5de65123a96f476eec3399c

SHA256
9da59331c15dd538dd2f4b44494a85c523642ba0950f775edeef8e25e13c34ac

SHA512
beeafe28d184fa77e22272c70bd98c90c04d5aafd79806c946bae4bd332c781280aff2ba4809c1681789b5b11d30353968819574b041ec223c2c0291dfe60033

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoK.exe

Filesize
158KB

MD5
99a525160ece5e5dcda345d4d67a4477

SHA1
f84e3cdab5077e60d121740e1b8d7373dd9add9d

SHA256
9ff30aa078e24ea4a97e7206a31421c7454a61fca0b05e7a9d1d5856c1b38580

SHA512
a4513968bd76cfa40d43c949e5cb6617762a52bf918af97417528d1cc278c1489f19cea8d914cc33223e70d14e2f80ddc961a4d0eae229d26be6d13f2bd3540e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hksI.exe

Filesize
522KB

MD5
598166e0974d3d627c42b41235e4ef5a

SHA1
c602d5ca3d08876178a65e0395d054481ecec46f

SHA256
6f8cb93edb28833a0e2693e1a013360ea32756c0407043389a1929d274182075

SHA512
9f607d23a84cb41b91fbf6dfd6bd4b666123711d6d3275ed985834286ebcfcde8ebeaea78084daee64d53aa17c1510aff84ed8eb29aca91c0596f828d5bf8456

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwUA.exe

Filesize
159KB

MD5
a219f2be3c32dd3d7a47f05e954c3657

SHA1
56c2305c4f1869656b3c3dcd6a64dc76d11a6d11

SHA256
c89286a33e94d1ba3389a874642d401ac4704d6283ff5ab458d7541bd42aada8

SHA512
512bacfabf35cb93b5f8104f7ba60e309d5eaee057a35e84cb01d570357a95d5813b87014def97dbd9bc8da4b496da3cde7517cbfd431cdb844bbaf3619945e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwkE.exe

Filesize
238KB

MD5
2b9a4a21c92d7b8c0b3fdd3792e335fe

SHA1
01b08cee5ee942b36d12100dd3ce5416427f9e5a

SHA256
570bc21d15491be32cbf888b681ec58d09dadbbe48291767c12e6add51b194ee

SHA512
e896a47a3d864a2cdb85a4a5bc5d51e6dac4a0f490479ed0024092f37499376df2a775ec3f9c0cf74167b57690e7e28d8814524f2a8703fe129d41fc97f9db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMo.exe

Filesize
157KB

MD5
c30c83fc9507d704a494241eeebb11f4

SHA1
8ce87087aa55d0d88207e0b4374cbaca6b885075

SHA256
d1b14fe25b6b636d7656f3bcc2241e2a344358bed136b15cf817cd163272a5a0

SHA512
45a701df78ad92d44f94346a4630e2ab0c4c2b28a0af88c67620e49f2db68e22f9c497709f391634db732aa2f6393bda6538b133067287afec461e8ce743bf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikIQ.exe

Filesize
158KB

MD5
ac70deac9a8b282e75922ea583620743

SHA1
6076ca355ac782af29e327c7239b1f66cdfff4d1

SHA256
d77b08478fb59cb8bc938cceec79eaea3d690dffa9fb5c3576150beb830e271b

SHA512
7223dfae96430bfb51a1731be2af89ba833c3bf9c3da143ffc7aada470a1f65233a75bfeaeabe5c75791293583473c29c12f8bdf30b04c2287a4b8c85de8982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUM.exe

Filesize
158KB

MD5
9214c77e66581c0dedbdd9d964900690

SHA1
7b29fccd3a1939f4a0f50e4e031ad4f798fa475e

SHA256
4cb76d945a1eb46e79a07f8480fcc709a00e12c4541fbf6c4400483eb85e2ba1

SHA512
ab808ed35fce84b35f2d32b4ef3fb725d731a566a74f8318709e65a086a12c685b6f8ca666a9d729b39373cb170eafb2974542eb56a260717de5a943a4b07ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIsM.exe

Filesize
157KB

MD5
c3fb452ff44fc971b0792cbc76e037d7

SHA1
5607be7aa2aac5af8a7f3a5260679def1412cac5

SHA256
077e2797c7a2bdac83f06370388edf4a20aeaf2353a00dc6cdeee60d2e055873

SHA512
fa8ff937c62ac834b92407a609d45839392c09fbbd5e480c391cc1b942f288665cc9885f0f109794d83d09ab627d7acb84b909669a16925b4050f9e5fcc5602b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwQ.exe

Filesize
159KB

MD5
1f5a63f6b99b799165cdf3ba955eff3b

SHA1
63a6391e9cd6a9133381ccc87d5407a5d0f512e8

SHA256
0befb24ac4d9a31ce40a20890dcc0c7a21bc2dbb33dd06fbaedd8b29f371beec

SHA512
27a67524fd8a0b6f2419da340531542e3569fb8e9720462e3b5de8051b2363c89beeaf018220798e99857f8117176b387125db7b75b19a2c1684fcdaf6ab8f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkEi.exe

Filesize
158KB

MD5
7fe6045980a028f78497128528c50059

SHA1
d402bcf289b707ef5820e7f4197c8295d560c87f

SHA256
e312c914e88bc6ebc43313c83734b99c99a00807eb10cb47bc94c8717ee60785

SHA512
ba1a82a28b3c7a559be3207b043ecbee86e473029eaa7db61eb66563dbb4641e5915317bb6ae0bc357c58e399a118d7dd4e0096a94f7c3c05fb94d3bf1958169

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkUwYIUw.bat

Filesize
4B

MD5
2fce92de013a4d0ed15777d41a05d643

SHA1
f1bee63a0d79cf4e6e77a142c080427bbdd03d69

SHA256
6ca462f51201e27a8a52cf250ef6f3533110054a6fee17cb1eb379375083d532

SHA512
8972354707295401c18bb2b1637d353054f287a41a762e8c4ce3fcff225364c86f1aa2f05934ce19e9a659dbabf50cfe4703e4d35aa21d0e3e1bdb581dcc8142

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsEe.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwMQ.exe

Filesize
159KB

MD5
c417724512c4d9ea848ddcd2acbc0857

SHA1
e58a63ef6f2bdec9866815115820149395b77eba

SHA256
049b775e365de4402097ed9189dc5cc51fee21afe1689adf5b55a0c41f3b5411

SHA512
41502128874d493dd9eefd839b46bfaade7c5fd3586fb04b0f7ddcfa2139f4dd9098f1c183e02a626393115f0c9301f69ebe1679d01a5c036895437b762168d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMM.exe

Filesize
1.2MB

MD5
750f8d9cfc1bfa6fa7a1f054a7b85f0c

SHA1
5728eef4e1f2a3239f38a0c7c9262456112a16f8

SHA256
2724e18e56e794de7d1964e2a32611f59780d95ae53841b8d84a55d5179b3189

SHA512
f06c03cedc3f6f664b1a3b256d1e41c885e8229a5ac17d984007884961a0ece29da47ecc2d720aac1b332c8905e5dbef7bd9998eea615faab9225cd246c8cf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMYQwoEs.bat

Filesize
4B

MD5
34885dd23236c99e1d57897494699d2c

SHA1
cff8ce5d18fa08a7e7e9fd919c1af164f35fd248

SHA256
f5b3e01a8681110f3255b48f681cae0955ec4d7e8ff0eb6f5a5d5f3d6189edcf

SHA512
9708d115bea12b82dc875c4129205cf4f8e71468b174ed70d7705a97fb92ab2d1019ef6156cd97096644fab226ca6559ac7c2ae74d86f4555c0c70aec95894a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYC.exe

Filesize
159KB

MD5
c93218c42d74bcb00de438a5d019c052

SHA1
6942075d1feec962a7700ad68c89efe989fdbf99

SHA256
1f114173cb1cf7fa98ac8f42278aab559ebf71d57c9300677f09d31b550f7877

SHA512
8bb4e199212ccab1edc4605dcc5cff4a780b8977933cead73c3761f0057de79ccb25920ca18583bcf860a7e51fe8c93d55cbf0dd5c1936ae0122cc0c0f672b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwME.exe

Filesize
159KB

MD5
3fd7c3a6881d0fc3e4d7e6aac03ff0c7

SHA1
c928ff835f71a23c8ef2dc89d1f380821bf364df

SHA256
64b15142ae53bde72669773c3cbe871d24f0e704961c3ebc05c22282df2de602

SHA512
d58880fa7f20702d8a4b0ea3765caf85e860f6aae3195d9ca953fd40abd4b2a3e0cddc49b7d3efd5c1fcd466975692dd73edf96c4ae4cce7b292edbf46f28f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYYAUYwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgsk.exe

Filesize
137KB

MD5
a783460b95b9aed7150fe0d5ea41628d

SHA1
9cee995fb3cbc4341d095dfdd71b663142d83da4

SHA256
80a009593d55958f48ea11b516e6d814ea62395246f43ce8e0d49d6b8b2ef07e

SHA512
991fd55c78c26f01a18dcd801d96999d3cc6099f7e54818f41f1ef52bb1092290f357b2f8b214739b1381b96cc78b89ba9dfb1317bdb585c62afd3509041619d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwsK.exe

Filesize
907KB

MD5
1616e07cebae5015354d2871fb3d7ca2

SHA1
5d9c9679d9a88f13c2d80b01db2fdeea22c46ada

SHA256
6d65b5621e68a2ef3f522ca09c13ceafb54f8d03ab94bcb688d76084b6f121ef

SHA512
a39e1a045dfb4c6c0fd7fc9fa9c834f72b554627ca47382cf0a75fd48e82ae2cc523dc479fc3cdd9fec0e8eb5d83da0b141c82ba67804239f6feadb330d0a99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQAU.exe

Filesize
157KB

MD5
5d8abe7f849c44dca5d1e34d2c6ec02e

SHA1
ccf12818af53dab1733cf23979b387fddedbbaed

SHA256
3b197510b264b75f9e51972c097427d7068b3208faeedf6bd683e5e972442857

SHA512
40f3ff3ef48d6c2d485c426bc4af129fba4b42f446e4182f6b7096f8702b3dea0c43f0abf6ec1aa213e38484652f272e1b2ef1d14704326f5dd123e3e32e4366

Download Submit
C:\Users\Admin\AppData\Local\Temp\meYoMwQo.bat

Filesize
4B

MD5
5251196b9c983befaf9f1d989c8014e8

SHA1
f0645f40757ecd827de45e998efc9d0bcd713857

SHA256
c788abc9dda6100add1ae3c949ccb937d8a03056719497a1ce2005505666b490

SHA512
48a3a690f07fac1d976ad5cc5438ad95770a9e5f0a7dca77e74c19154a1e31efa408d8784c1259e0307aae663c6699aed0687e25d5cd4e6e1e0d048c04a34909

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmAMgcIg.bat

Filesize
4B

MD5
1db35df5dbfc3966714f6a76f906a59a

SHA1
21e09c96715e7ec92630c1584a54828c57c9808a

SHA256
b9858e6b58f387b7a6cc6ed515c77f5f7347c805683cebd4e407f0a89e0e652e

SHA512
39fbe9d08fd41f3d469d9387a077ea2067b565fe49c6bb25c10685f2be5be98849c5ee8e89308fd05d48a1e1df4850038b931c7820c95397e8965acdfa289c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAIQoUsY.bat

Filesize
4B

MD5
9fbf2a8a6d646be5a1716d1e796cbc2b

SHA1
b44d2bcbba9022aae633c3b7c0c98f63d57eddb3

SHA256
bc09599afe5f33071f7dc94c2bed23fbefeec33937b20c53cde6aea13de7b02a

SHA512
94405f0e689fa0ed8e2fa7a657fc913b71cd46daed402eee76baef846b6d95596d41bf9ad43bb97dcc1fb68593f4b39d2c480581a4067ade636c2b4ecb9ad648

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQsy.exe

Filesize
135KB

MD5
d7521354990887b30f1cb4d89ea9660f

SHA1
6e3d069eaf8f9ee99e6607400fd54d9190e3362b

SHA256
cd7a9b5b60ced3eb2ec10a6fb53c084e3d8ead81406c874bde81a122aa14d97c

SHA512
8dc5572a0fee51fe6a19459a5cf1505798fa5f7087f1340393d81176410f15222fba4382e85f843885f6ab0d333748525a0416bbeee23981dfbf7c478b348c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYEQIwsA.bat

Filesize
4B

MD5
278f8a58cff83d800625e3caf62f4357

SHA1
324c8f18569dabf5f17dc3370cb84c182d1e91ad

SHA256
8cd4f0bc2b791b1846aec1831ec08c6263862f7e56716743aa692275d29a7062

SHA512
08cfeb51cf12b3e169de2e814ca9e73416e0d6b9f8e6c3764cf41f790fcc7710dea2033505572122b2c25eda258b9c53ff05f40588ca17e5a4b4b279670e3284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkkO.exe

Filesize
157KB

MD5
1f4295e8dce167ebec4c11b0011f8e69

SHA1
cb56767c3aece0180db4dbb50afa284e5e7c3a94

SHA256
baf613fa53e46f74bb1eadac0c03bc9b900ccc16eebf0adf52828d740072de20

SHA512
36c4236b10aa98a86ba57c75cfd059ab6889d2a0be2d5b22335fc3fa98256e1e8c347ce1e53985465bb3e180debae869e7e2e53714bfbea0e972b7cd1439d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAsS.exe

Filesize
158KB

MD5
023322f1fe05552abf7de7dc577805ce

SHA1
13842c0bae23a1a1d5b48b479714fe56202c563d

SHA256
eb86121e76beed908ae560b13dfc561dd45510978166fb24d329c58f7a14bfa6

SHA512
ca88d4e440689e22ca12af02320d0329b8bb673c854e26284b74bf1c99933762f1486047a7c05df935090f23a5f18491dd14e779066b094ddde6a26b513b319b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oSkoMMQg.bat

Filesize
4B

MD5
0568c536a03f0e40e15e0796778c74cb

SHA1
03360f1a97652d664a263e501a319db627bdc787

SHA256
004367735eaea7c1b29043f0891a85ba5cfd596d9d9902134880960c4319ad48

SHA512
1e6e5a1ffb875b20d65690d303b6dc5aab42ccf59b450cf078f388bae01369c0082ac5d1e389f4166544854ba11b05b603dade5a7bcae22bd4909c0d557318b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogYQQswo.bat

Filesize
4B

MD5
19c242cc9e62d785feb06e87ca63176a

SHA1
cc77f63012a98d5de3bbbacd4864017863c0f4fe

SHA256
c48170715b790c745adc9c5f581ccaf9d7d33531650e56a5f6331b03d593dfe7

SHA512
a4657730bb46ff82873404e6b8de2bcfd891733cc4163451354e91d00995440ac8929bf9294379baf15c39f386b81498136ec8903d25372a614cebbd0d399d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMwY.exe

Filesize
3.3MB

MD5
e0f10423d140386a6b45d030d81ebafe

SHA1
4f0a2aba2c6babf5570480fb85e766f9eeb2c792

SHA256
71c9f11b92aab16794434f954737fa777b9d5fff5946eaef6727ddb36e79e799

SHA512
3ca6f72693ffea7627c5d27dc8752d0dc32d24ad8e61d92838db8fa9c1c04874a6361d24a9a1fbcd47b8121ea1ae5214b776a6e27726a54ae472b4ae0be17d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgQK.exe

Filesize
159KB

MD5
eeaf48d3dd9462d0c45fdd7cf5302a54

SHA1
041fcdb687418c0599f61147df71051d29e2b8aa

SHA256
bd21b20fec716bea76338b7dcf036bea58119d741cb691b506effeebd3f47076

SHA512
f5f65bc98e6e3c6b906c4a469b6a453a4e181bf72080fd6629dfb8f7c83771c255d6a9a8d1d175b5dcc731cd07ebd4d8f6a2eef0e2ba396d5f89da1cf431c968

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgsk.exe

Filesize
159KB

MD5
45e67f6d4c14c032e66d2f20af5fc846

SHA1
d6951075a37683c5e0e28ee932eb124dce89d643

SHA256
9e4e254c4309bbacf858a2fc03aadec5f6e9a89fb3f9f4ee5ee37c8b67f02f46

SHA512
e632fe5f6f383fc008e59b3a41820506e5e0dd26dc4a75c2d5dee2eca8d9b5373b05546775b3b2a45ce978eeced435ef78278858360a9cdf61e245235768de1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\psEocgUk.bat

Filesize
4B

MD5
d1f91a5440d80fd64cf18e215ab2ada8

SHA1
af61c1ec1638e9b866e49081e6cfde79a7a97954

SHA256
4de3b4ebe1a0650d5049d23a5e4bf37c8ed0ed019025e80bf05a0bd0d6223114

SHA512
57e351c197879bbb43aa510dc99f2d1bd05058431cdaafafd36515d4ec7e69a816bb7d1e993aea4ae018c114280d25437d5ad0453cc8d88b07979701c44988c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwsq.exe

Filesize
154KB

MD5
543c98e7fb3f084431c2db76e34d79c0

SHA1
14ecb4016d62900c9aa73597f3dc7e6c0a5cd216

SHA256
90e8b006a8ce3a79bf84cbd1b35c927c03a5b13e31b7098b717babd4d7a0b0aa

SHA512
6835b75af79df6bee607cbf7a3be6897ad9d3db301d1eb8c4bbc865066f5f1f3be5f0e8d6010e66261bd38219f2c78759c3efb7cf6fcb2ede5cd717b949d2975

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAoA.exe

Filesize
869KB

MD5
5ca2388db0e57e839c0acf67a2fe9909

SHA1
47ff63f5f10d2adfd5b85ab9d58d2c0f875f74b4

SHA256
579531e282c708a978191f6d9cf3b7c857b5e3d2e80cc57e31816b4e72d6ed2d

SHA512
1720d2670e26d60db578bd934209f8b4c80b9ca2146c79ffa182962930e2ae98e4f404a8872aaa327dfca5ac5b4f5643e7cfe090ab7d89d2787374d302e222e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgy.exe

Filesize
147KB

MD5
39eaabce3813181fc67784aa532ef33e

SHA1
c19594124e806b4dc0d71554724eb71c6c03dd8e

SHA256
bef8e5e3720cad040c47414bb95757813859d916e4fe69a9f785de1f03088794

SHA512
e20a0ed7b9416ecd5c5944aa41ad594b2bb81f4abd86f99e70b138ff7ce5cb82a694d81717dbbe187c2256b6c61397480a96cdd8582956cb551e34e5a4283653

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKQMEQUg.bat

Filesize
4B

MD5
7d89ca835be5efdc49d6f3f7f141a82e

SHA1
6502515d40f3c3312385961733d541bfbc189ea2

SHA256
17beca0fbf9d1edbcad3c2b0b155ffa682b05a096b17184d92ac55ce021735c6

SHA512
47aa7afd3dd880a848107bf1108f920ca6f4d73b17bd05cddd41b5c920c054e54e0aa0c59c489bd84183ac2249691eaeef4f61d3b6c5f439c0ca7fc2de68cb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIY.exe

Filesize
644KB

MD5
cb6302b9ae5a406eea57500d98bd4a62

SHA1
7ee40472d7d783c7b1b26beed4f282c17951ee8c

SHA256
d771ec63b33f69825df2e125135c650693d1dc9916021035b1f76481e883395f

SHA512
962210df15d05ce676a3eb842fcab86102a1bcdfe91e28a26d04a5891f080b11c8641e53c2df0a7752a32014c3b9861ef42753926f2f9e6f11c4f4374e211e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQo.exe

Filesize
158KB

MD5
7863b832fe7462badf09ecd192b6d3f5

SHA1
f11e4223df01b2a00a6f4ea57e04b1bb0f1721f3

SHA256
40540c08c482513d6b9f0d99a8ca7660e9577704b0f7f00f9a55f7f2cc65faba

SHA512
4c9a386ebdf9e005d2b18732a2ba23140622e076f29fcbadb3573a0dcef48be2116563e71b85f31831bee7be4e2c1e6da73789e8f83218723cf2a8dfac708d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\qosm.exe

Filesize
160KB

MD5
569f9543df2ec384cf6cbc5203172303

SHA1
3a1b6ee6933d9ed176788c68bed859eb73c412cb

SHA256
d470ea6d246cf072371d10e03b1c5ced0e91cc210b5f8df0a5a6932ea2133d97

SHA512
1c3e59e94c3d8b5e0776142977b1207b1f47dd891c61cf2a28767ed735935d99597f8ba7e6d9c5997f10134ba497f025114eb40140602e819f33b9d1051bd3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQMM.exe

Filesize
160KB

MD5
1dc68f952af1d2921344b704055f2478

SHA1
cde7ed5aa0a1cc6b9fe27a39e5f9c083b5681f51

SHA256
641deb05824e616fe316a1a8aec728ed63bad87dc0dcb0a06d0fe95d1186f130

SHA512
e2804ce89b19c5713a4300557f32667e93ee7d300037f4407887c2b06f810bf98975a5bbcf48cedd57ebbda749ab120f5407f22252b51774d084fd270953b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYki.exe

Filesize
158KB

MD5
505e59fbc5f1b46ad711b88a75937535

SHA1
04f16f8d8c1e9389f7b644ac6f1e712d138ccacc

SHA256
93dac97fc2c8d3652a58e2460d215bff9e17a9a199a291edb93e4cbcbf1be6db

SHA512
82170799f3685f2877ea9bf85192ad53508d6340445afbf3659f2d105fc187d965e7277e4961f44553a4ef75824b4f1438b59b9b077d5d39136fcd8f41ae262f

Download Submit
C:\Users\Admin\AppData\Local\Temp\roAG.exe

Filesize
158KB

MD5
aea013914cff9f29738dcd49a7120c2f

SHA1
6af2c84ec5d50822a1ffb9ca0b5f90859cdfd117

SHA256
4b01a738da0f0e94116d24368e8ecb9fe50245a0ff8f3f962e2a9ee5d5eb8bb8

SHA512
c4d1a18286343ec68fe647d92ed522ddf6dcb92cc9ff084d8c4748828454f5b9c8b1cfad0a9305801207a1f043c975b478623e9eb44ab32921a9882ca450d12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\roYu.exe

Filesize
158KB

MD5
c02f2853524073e09f67b61c7c2574cb

SHA1
569c3670b717aa26a3f92747622d4e0159311dcf

SHA256
a0e44c8e6613d544b5564baaffcbf28cf2966040806d7232f2e17f8b2061d5a4

SHA512
658da65b3341958b854e3d9e9dfa901faed5bf2b95b0cc725a62d426ccda78b0e6c22c399c07ce62caffe19c2d5bd17c1b059684cb4ad12630b3d51e8bc3db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\rogc.exe

Filesize
159KB

MD5
9fc56cde377ddc04b42e3b66a2ea3862

SHA1
9eb1830890588be8f38328744d3019b174584b9d

SHA256
0b1d2ed0309caf4c3e6c64730b3be2afe888934a1498f4bddfa53deeb49b12a4

SHA512
8f28d6e48dfbfd223e15a825cc86ea5b8901cb279d4003033c089a675965cbb6bdcabd3ccdf72c80fde576bc3faabdd2e70735dd0aa5c587adec35d138742d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYIe.exe

Filesize
157KB

MD5
f2dd414880dd6608cd63fa785f2ad577

SHA1
bd40c714e47729c1c6f41639c49e93c81f642d24

SHA256
746dab87ccebabffc26f5a9467e579e193ebfcedb9931a4ffd435d1f693f4396

SHA512
6a3863ca1dd964ddca3483156836f4b9f1036c3922013dce3ffae498ef60dc39dff435cc9ae01adcbbbf466bb31bb1552f500fb2144137d7fec7abf8a6d42409

Download Submit
C:\Users\Admin\AppData\Local\Temp\smUAkkMA.bat

Filesize
4B

MD5
7b10b41096444a24d44a59a08c6560e5

SHA1
f83b098f6f4def54faf5e8043aa948a50fe1230e

SHA256
bc02181811b410f39da004ef0eb3a240e31543222b6258612c00e70802f7774f

SHA512
6fd43859b4df7f0ad21d9a04ca01a4b60ada5d14c9d213f65d77ed5b7dbfffbc5a4302953c84f4f84666eb82c969d596f9808fb374a27e4524b6a4b36738981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sscG.exe

Filesize
159KB

MD5
0c911848149c26beb04b7369ff061841

SHA1
4a178f99bfdfa027dcd59b8da089f1fef9f63f03

SHA256
987c5d78caaac11601b2d8443e66b849c06b4aa495920e0bbee4329ef851a61f

SHA512
e91b7872a9e4cead3fc9f0606cf12a64177e1aeaae8aad833db4bbe622495a40cac02e3bcfafb37a52c697a476815518a1c5a390cf4126dee8caf63746bd1943

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAMc.exe

Filesize
157KB

MD5
67fde8ce066839c087cbefc57138bf86

SHA1
f7a403be8fa3072074159e6033e8bd721dd6c4b3

SHA256
21624c4d557c111325b6545ed19e057e83d476f8c76a6a1cccd75de4d5014d8f

SHA512
dcd4bece0ed99819ced126111e1a977e2455b1e77df1554c5ff574160f48bd5aa782d7768bd48be03d554102011cd555df4b1ce6248ededb52b83aaf92f2876d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGYgkAMs.bat

Filesize
4B

MD5
a43755eef090f66603784770526af817

SHA1
d0271c3f1f1225dfa0abd04b826621f9ecf36799

SHA256
61db10fc417e4c00ab0f294e8eb4a872f558ba08a50b29fef2484b79bddb8e06

SHA512
c4713855f7b2ff467908caff7c60130f22954a5367053930c08639d5b9b94f2bf0387abf123bb061bc4372efa2a4d8d070369d572725bad066a2e0540435f0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIso.exe

Filesize
160KB

MD5
841bf1e68579bf73582010e96fb54332

SHA1
9f35abe8f259a3006f0018ff21122996ce019ebc

SHA256
81c4e34e407a55a80fd860315699cec6b5ac70155f79ea18bf47ee761973beb3

SHA512
309c86528668859e3815cce47329ea84f9ab57bdfe4d647eddd8b18ae70e42923aac6ffbf20797c97228e845ae653b464244671c4167b0b402c9ab677e48c5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOcoQMQQ.bat

Filesize
4B

MD5
c3cdf6824116983bb11c6d2720a87746

SHA1
d2e6608336a3ece121447e95896f5c5ad8cd6ed7

SHA256
c1529657f04efd9c20ec35ab15ed2af8ba61de23db339d5207c55680825c40ce

SHA512
25cde9506684732cb6dde1757aa8ff9165f1761abc81814ab857052595a3304e9934daf0e850e27d99f05de574f6baa2e1d0ec4698362418f7a1cb817381a663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYUW.exe

Filesize
160KB

MD5
09102cad232d9eb60d5c33d4f0308300

SHA1
f72d8ab94fa725ea8c926f1c78d0e76c1137f7cb

SHA256
7697e3e920b7d5e81ecf2346415c295e8274f35d7c700d888a9d2b7109aa9c86

SHA512
f4e0e0f63877e2cdd857b18a803c1aadac2d7d3e17ec4490e9fe193fcbd4de13f90f82861e9b4b23e05056098025543968e45fe6c2079a0cec39add9ac91a377

Download Submit
C:\Users\Admin\AppData\Local\Temp\teUwIcwA.bat

Filesize
4B

MD5
5254b24407568530d68089fcb190c337

SHA1
cd49fc20075393a362bdf8c38e4edc2a0564229b

SHA256
89235c9cb82bd756873946f27fe8f9b1e6214bd35eff5974169bea95b7a43006

SHA512
1fb4a4f5707f8df855b278a408dc59c24bb82e64b31caf523468c54510b9837275e19d95c3a47895a6a3cf8486d7f35cbf7b2d2f4e952d763977ca68116b7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\tscw.exe

Filesize
456KB

MD5
8575a5f9a7f0d0c82969365c2576a57d

SHA1
be6b38790c0d53d086473dad001c3c7558df0ad7

SHA256
318c389269753b30de95df9413bd1accb70003fba43878a3ec691fc606756db5

SHA512
ca026fbc3b303b73c4a5c9c3a341cd375d227ff776c657abfa30baa1b28790cf85c798993dc19cf38bda6211c1326d0f96835b902af036e2092bc7e4d7ef57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueMEosEI.bat

Filesize
4B

MD5
2941f4aa94ee393fff6b009d4e746db7

SHA1
26d791e57e1c76549ad78cb2b6f500bfa4503f26

SHA256
22e20e388aa779a028d800418058276d5767f6b0d7351de3cd4189d68b2cc7e8

SHA512
8b45e8fa61760388b5582187a21636604999fbfb553afe7d672158e63700a0e58d7a484826b0afe8a64d9a7e2cc3e721be960b90f415cddb95b29c5ffaa5d190

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukwU.exe

Filesize
156KB

MD5
2b1f62cbcc1e0fc7445a66712f5c52c7

SHA1
fb5a78532e33c4f536206a0a154886f8117afa86

SHA256
7a0627d3c618ecade885f98a5877c07488f578ea77890396eb9cff6de460b834

SHA512
00aafdf0aa91ccb9e766f6d2f9721d028636c86d8a27ba70141286433a5b241877cdbc8450870fb218917e05b46bc0cc457b36a2618d17694ec952199c197a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyAwhcAs.bat

Filesize
4B

MD5
c734a9e66565900d9a18758ba5ef7bce

SHA1
dbb0302a3604761e90813e8a52942dfe8929ebfd

SHA256
b6cc8b9db83b5b564bb79e30ee88a19771e87d6271251bdb26575049d8aeb733

SHA512
717b460027ceb7168d6e883092d8c580ba6cb93a7896e3182651e5288db9257c19708c5e9a1018e838a88d6b56302b165e593c0f8fb49175260762172cc8adba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEQu.exe

Filesize
158KB

MD5
09584f3b84ac9e0b6a47c6ddad8d8f2b

SHA1
97859d60e8d90298c472d863c67280a15ee4485a

SHA256
13a2b42c9b5321b0127e29cf98d2c19e94e8df422b5a5dcf0e6aaceb1054cc68

SHA512
5c4a0122667b68abc4af747638441199dd256fe935c60c0c8face43055f035b45b63c4324bfc2843d56c3979c9b73a0e62686b9ba112b0616d878efda335139f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQEY.exe

Filesize
157KB

MD5
d10a78477c7f9eb23a5f0157acba8560

SHA1
55215e7b0816d6f1ff6c15a9a8ab3c4f59e2d692

SHA256
26cecbc7af48a693c6b22910c0dc65269709161cbace19c4a8cea9f171748b65

SHA512
a246086aabaf7ea6bef4d1ed06932fbeca73fe132263bb6d8a76d8ae529779e04872b90d84a9410f80e0e7fcd3a3bbaa5c5dffcc33143d4a076b29b84b9ddd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcMY.exe

Filesize
158KB

MD5
537e4418ef356054ff8874e2298791bb

SHA1
1b21b110beb7aec72348401ec810d8a09ba429fc

SHA256
9e9827bd8d866995c9d22cfadc2790554c9944e317ca9f25e75b9fb0a250f9b5

SHA512
9f6012d582a53670eea3c1e11de7b663b334a5b962c6925ea3e2820dd788823bb62e1985e32f2dca97f7b38801636400c69227409ea01eb8479b7e93cef0b7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\veoAgUkE.bat

Filesize
4B

MD5
4e946ba02519a1f63168135ecada6bb7

SHA1
b6734dbce3418b8e1d41dc36d86b7d14b2c9e1da

SHA256
42fabf37f18b374f271f38ab27e6c4625e603b6b01909a8c7eeb3fe0fabb5e7d

SHA512
1dc1e995019f423242efcd25b6c65cfc958e055447f2e5938a8236158105c2cebb6b78da8785fcaf07c332aefedc72769d5927a807aeb381e46a7d139294d700

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkQW.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wckE.exe

Filesize
555KB

MD5
8f47d25e31d0d0210e03921b7c03eb27

SHA1
70f7a20f7ef82e35cbd356ea07efb578f9dab6d0

SHA256
808b6ea43573c1fee0ccf376bc2146745bebc662efc0e52bff73027f87460324

SHA512
d2e0c78fc5381ffcea305456fe4fe973f707ffd4a9a4d2c684429bfefc385855e9f27284f93d002f95a7cb34a87b060c032704be8bbb6c5231a457c7a4395050

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgcK.exe

Filesize
744KB

MD5
fa489e3f9c59efbf4be7e42d279a8150

SHA1
1f6fcff47aa91bce5a0ded09dac93e808645d0c9

SHA256
25c6f74776588a38794ecf3a92395146878dcbd80cdea384926400cea35ed3d0

SHA512
9d715c08711f4dd32f1aef00621c9374fd69902223237de5e1c77cba03cacef58642f3be6b525f3f30e78b5d5e4a18cd85eca0e524cc2c83f3fd4200226bd2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIUw.exe

Filesize
159KB

MD5
a1bc7f254d5dbc5534ba3049ff7a0d0d

SHA1
b82a817fe6499ea804f06f60022daf0dcc490c46

SHA256
685b537368bf47567df4e645daf1032a719fd5263a5042e233d1a4510a7e5ac7

SHA512
2ca6fd47e006d0f886079c17f496713404b16b422ac52e7169fe6194d14a371aaab8f137434787a4a7cf8f300b99fd668541e6241d9f26abfb51e93a1080d3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcEG.exe

Filesize
158KB

MD5
00bd4cd2a59331ccfa2c13d3c9a6c769

SHA1
2e3ffd4d2d10e9aa8cbe0e516eea15a2f53a2604

SHA256
a3482d127546bd3e903c036162878485d11f08c7c5517c34c3ef33d20012c42b

SHA512
2423d9cdfe44b0fbace248efed8266c3f52f0599b0225a52921591c84b998fbca8bb225c6075d37f1a7bf3e1d1cc20e996ca688574c9741eca2b7b304fbce635

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwco.exe

Filesize
496KB

MD5
f6bd70b7084767a5f18d6dc9bfcc6003

SHA1
e4c7cf769f04c98d30cb67b60d45ba08962a05c0

SHA256
302e001d3c08e8da6342bba8994bdced520631bb277c48fec0c418714669a624

SHA512
29aa67c690f3e857b488cfa14b1d44c0e6ad826bc8852224cbf2183d4f5f4640f85609c288031de3f37ba152fecce36dece7d4e8ca00479ddf104e745ca1915e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAe.exe

Filesize
564KB

MD5
7b52c175a6906cd1eda87a2a8b00ae64

SHA1
03937e95b8bbe186c0079866982d870d55bf1f58

SHA256
0cd77ceb204f61a96695fda4cf67fe30c81812f060cb4cabc61bc5e9a6aee32c

SHA512
4c7f175beefa87f15c8b1d5300cb2fce0b3d75fc33e1bec493e87d2134c67f08c2841f0beb5456ef80dc4357763b3487279726224bb7fe5fb0282bfaac736072

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIAu.exe

Filesize
744KB

MD5
7cf8e4269a11948de817d9d641cbd899

SHA1
cffa894f21fa97d17aca13e4a03e2efb9d64df05

SHA256
7a86d91e8280865074edcd4c3b3181720e982bf5edd3d55d2b16c23d6c5cc1cd

SHA512
f9d4abde5cd8537346e3f578045d585ffd05451ada6aecb3ad6b8725d8571fe221471ff584cb550d1bc4d292062386733d51a54d2e105675e22917ae92839ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQEk.exe

Filesize
159KB

MD5
69421b89fa22d7ca3a15e1135232d065

SHA1
e8a83d58dfb0e32c1e94cffa6e0bb906213260a5

SHA256
f9ed984249ba35834acbb10a767126e25cc85d0efd90b688eb8b57722fca927c

SHA512
f0141202de0db5f21aaf064ce3f7a31f44b0b8dd0b53ed689636212a52b5dc732f24e609b5114351550fe2ec763e97cd715dcc1ee67cd8b6b4216d30554f5114

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCsUAIYg.bat

Filesize
4B

MD5
0e029c717f87e2eb30b5363d56bbf061

SHA1
0f64ec01aca413bd7d1b9a9b956b77665ceca7f6

SHA256
291b725f99550e4e4f3d130ba3d02b9cf6b4fec7c99740887a7c6e65c0705fe6

SHA512
391345e57c2d8c966c71ece7c88a20eaac840934a0b23950b8b3056653460b39ddec14a3cbd8215698fcde361d207d0d10167e978f79ded35292c52d9855eed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQog.exe

Filesize
156KB

MD5
da1c54f07b065cf4c49be0e9fe92b756

SHA1
6bbf94b376e5da436893c50811e7a4d7046d55ca

SHA256
85be4a96a0a3b42b72211b77e9a279a34c8616c4275419518985d3dcc33afd1d

SHA512
c909b449087ce964747083367feaee491fb98df4de466effb310e6b008fdc04e0c31f6b6d55384234b1473c3b441cd0ec83b28c6c1127da67290a91a56ec9893

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\ngIYwgcc\HIYMIkEc.exe

Filesize
108KB

MD5
c5d6225b10c4954feb265af9e51f33be

SHA1
af50844cfb1c9e53f49f80a36ada6ff70978f4a7

SHA256
bb14c8fc0484cde24c6704e658ef2247f3e9630a7232891137b86985d3a7dfd8

SHA512
53944721d12062ead2a4fbc25836e4161cd6f38b6e0b1ddde9e4673f085856142c6a16c0b4c2d3f6bbabc0dfe51daad338eafcf26fd252bdaeb74a0b993d9073

Download Submit
\Users\Admin\HuoIwgME\dqEYIkws.exe

Filesize
108KB

MD5
a9b6f55063033d1adf9882fa71d08e26

SHA1
310be9a8c14cbb0bafb1e2af6aecbc641119a2c2

SHA256
466396e36a4042ed1597fc5867d1c67bdafff9f145bebd01df7d466ec69e0064

SHA512
80dcba97dab11ebf39c3cdd9a7b496f9cc7ab37a3dafa3389bb07359cea79024cf930c0b15aaece727f1876da4dd0ac40c5947bcb4e3c2089478271aa721e47e

Download Submit
memory/268-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/268-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-77-0x0000000001F40000-0x0000000001F7E000-memory.dmp

Filesize
248KB

Download
memory/572-79-0x0000000001F40000-0x0000000001F7E000-memory.dmp

Filesize
248KB

Download
memory/628-386-0x0000000001FC0000-0x0000000001FFE000-memory.dmp

Filesize
248KB

Download
memory/636-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/792-218-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/900-428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-149-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1416-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-264-0x0000000000530000-0x000000000056E000-memory.dmp

Filesize
248KB

Download
memory/1532-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-356-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/1952-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-56-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1976-55-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2020-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-204-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/2032-195-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/2108-100-0x0000000000190000-0x00000000001CE000-memory.dmp

Filesize
248KB

Download
memory/2124-124-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2184-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-516-0x0000000000510000-0x000000000052D000-memory.dmp

Filesize
116KB

Download
memory/2216-507-0x0000000000510000-0x000000000052D000-memory.dmp

Filesize
116KB

Download
memory/2324-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-12-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2324-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-21-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2324-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2396-227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-31-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2764-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2784-319-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2824-33-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2860-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-441-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/2960-171-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/2960-170-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/2972-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-241-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/2976-250-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/3044-333-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download