eb03d9f10db9702b47d0ac0272de491404ab94c03f09815a4de1e756616a802a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Size

116KB
MD5

57f46f31bbfc624df706e8f444dd4fbd
SHA1

079deaa00141c8e8d1369bfa3c65fdd043cdda33
SHA256

eb03d9f10db9702b47d0ac0272de491404ab94c03f09815a4de1e756616a802a
SHA512

1a68b2938f52b3e1bfd4355b38303756d913bab83dbefa67e52dbaf85f146dfbcfd5dc731455900eafb3edb5af5d0a36662bb2982d516be1a79169b414899f91
SSDEEP

3072:rmAUU8s0icOGNWCF9jXthMaV8oQO2NCN2+1JNi:rmE8ViUNWCjQI8bO2T+1Jg

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 60 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	jOEkosQE.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	jOEkosQE.exe
2852	LykMMIQw.exe

Loads dropped DLL 20 IoCs

pid	Process
2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOEkosQE.exe = "C:\\Users\\Admin\\TqkgIIYA\\jOEkosQE.exe"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LykMMIQw.exe = "C:\\ProgramData\\WwYgYQgs\\LykMMIQw.exe"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOEkosQE.exe = "C:\\Users\\Admin\\TqkgIIYA\\jOEkosQE.exe"	jOEkosQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LykMMIQw.exe = "C:\\ProgramData\\WwYgYQgs\\LykMMIQw.exe"	LykMMIQw.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	jOEkosQE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2944	reg.exe
2044	reg.exe
2860	reg.exe
1868	reg.exe
356	reg.exe
2252	reg.exe
2424	reg.exe
1432	reg.exe
2256	reg.exe
1800	reg.exe
1112	reg.exe
1308	reg.exe
2768	reg.exe
2932	reg.exe
2400	reg.exe
672	reg.exe
2536	reg.exe
2804	reg.exe
2548	reg.exe
1576	reg.exe
280	reg.exe
2476	reg.exe
2784	reg.exe
1956	reg.exe
900	reg.exe
2120	reg.exe
2956	reg.exe
2056	reg.exe
2264	reg.exe
2072	reg.exe
620	reg.exe
2876	reg.exe
2812	reg.exe
3008	reg.exe
2828	reg.exe
704	reg.exe
836	reg.exe
2436	reg.exe
2844	reg.exe
1064	reg.exe
2088	reg.exe
2536	reg.exe
800	reg.exe
2400	reg.exe
1824	reg.exe
2652	reg.exe
1064	reg.exe
1340	reg.exe
2776	reg.exe
2268	reg.exe
552	reg.exe
2940	reg.exe
2412	reg.exe
2216	reg.exe
280	reg.exe
2836	reg.exe
2204	reg.exe
2032	reg.exe
928	reg.exe
2684	reg.exe
1524	reg.exe
3036	reg.exe
2872	reg.exe
1584	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2264	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2264	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1532	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1532	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1724	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1724	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2112	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2112	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1940	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1940	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2612	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2612	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2980	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2980	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1196	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1196	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2740	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2740	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1748	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1748	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2492	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2492	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2744	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2744	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2832	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2832	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1056	Process not Found
1056	Process not Found
2880	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2880	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2084	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2084	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2508	reg.exe
2508	reg.exe
2844	cscript.exe
2844	cscript.exe
360	cscript.exe
360	cscript.exe
1644	conhost.exe
1644	conhost.exe
2788	cscript.exe
2788	cscript.exe
2328	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2328	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2044	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2044	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1792	cmd.exe
1792	cmd.exe
2860	reg.exe
2860	reg.exe
2820	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2820	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
548	conhost.exe
548	conhost.exe
2784	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
2784	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
1324	conhost.exe
1324	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	jOEkosQE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe
3044	jOEkosQE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3044	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	28
PID 2416 wrote to memory of 3044	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	28
PID 2416 wrote to memory of 3044	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	28
PID 2416 wrote to memory of 3044	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	28
PID 2416 wrote to memory of 2852	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	29
PID 2416 wrote to memory of 2852	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	29
PID 2416 wrote to memory of 2852	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	29
PID 2416 wrote to memory of 2852	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	29
PID 2416 wrote to memory of 2656	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	30
PID 2416 wrote to memory of 2656	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	30
PID 2416 wrote to memory of 2656	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	30
PID 2416 wrote to memory of 2656	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	30
PID 2656 wrote to memory of 2604	2656	cmd.exe	32
PID 2656 wrote to memory of 2604	2656	cmd.exe	32
PID 2656 wrote to memory of 2604	2656	cmd.exe	32
PID 2656 wrote to memory of 2604	2656	cmd.exe	32
PID 2416 wrote to memory of 2876	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	33
PID 2416 wrote to memory of 2876	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	33
PID 2416 wrote to memory of 2876	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	33
PID 2416 wrote to memory of 2876	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	33
PID 2416 wrote to memory of 2584	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	34
PID 2416 wrote to memory of 2584	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	34
PID 2416 wrote to memory of 2584	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	34
PID 2416 wrote to memory of 2584	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	34
PID 2416 wrote to memory of 2568	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	36
PID 2416 wrote to memory of 2568	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	36
PID 2416 wrote to memory of 2568	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	36
PID 2416 wrote to memory of 2568	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	36
PID 2416 wrote to memory of 2480	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	39
PID 2416 wrote to memory of 2480	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	39
PID 2416 wrote to memory of 2480	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	39
PID 2416 wrote to memory of 2480	2416	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	39
PID 2480 wrote to memory of 2508	2480	cmd.exe	41
PID 2480 wrote to memory of 2508	2480	cmd.exe	41
PID 2480 wrote to memory of 2508	2480	cmd.exe	41
PID 2480 wrote to memory of 2508	2480	cmd.exe	41
PID 2604 wrote to memory of 2496	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	42
PID 2604 wrote to memory of 2496	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	42
PID 2604 wrote to memory of 2496	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	42
PID 2604 wrote to memory of 2496	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	42
PID 2496 wrote to memory of 2264	2496	cmd.exe	44
PID 2496 wrote to memory of 2264	2496	cmd.exe	44
PID 2496 wrote to memory of 2264	2496	cmd.exe	44
PID 2496 wrote to memory of 2264	2496	cmd.exe	44
PID 2604 wrote to memory of 2812	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	45
PID 2604 wrote to memory of 2812	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	45
PID 2604 wrote to memory of 2812	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	45
PID 2604 wrote to memory of 2812	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	45
PID 2604 wrote to memory of 2828	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	46
PID 2604 wrote to memory of 2828	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	46
PID 2604 wrote to memory of 2828	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	46
PID 2604 wrote to memory of 2828	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	46
PID 2604 wrote to memory of 2844	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	47
PID 2604 wrote to memory of 2844	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	47
PID 2604 wrote to memory of 2844	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	47
PID 2604 wrote to memory of 2844	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	47
PID 2604 wrote to memory of 1824	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	48
PID 2604 wrote to memory of 1824	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	48
PID 2604 wrote to memory of 1824	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	48
PID 2604 wrote to memory of 1824	2604	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe	48
PID 1824 wrote to memory of 1248	1824	cmd.exe	53
PID 1824 wrote to memory of 1248	1824	cmd.exe	53
PID 1824 wrote to memory of 1248	1824	cmd.exe	53
PID 1824 wrote to memory of 1248	1824	cmd.exe	53

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\TqkgIIYA\jOEkosQE.exe
  "C:\Users\Admin\TqkgIIYA\jOEkosQE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3044
- C:\ProgramData\WwYgYQgs\LykMMIQw.exe
  "C:\ProgramData\WwYgYQgs\LykMMIQw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        6⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        8⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        10⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        12⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        14⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        16⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        18⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        20⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        22⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        24⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        26⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        28⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        30⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        32⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        33⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        34⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        36⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        38⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        39⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        40⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        41⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        42⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        43⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        44⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        45⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        46⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        47⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        48⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        50⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        52⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        53⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        54⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        55⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        56⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        58⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoMAoQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        58⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOckAkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        56⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyswoIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        54⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOMYoEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        52⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        51⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        52⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        53⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        54⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        55⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        56⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        57⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        58⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        59⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        60⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        61⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        62⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        63⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        64⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        65⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        66⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        67⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        68⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        69⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        70⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        71⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        72⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        73⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        74⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        75⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        76⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        77⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        78⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        79⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        80⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        81⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        82⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        84⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        85⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        86⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        87⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        88⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        89⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        90⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        91⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        92⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        93⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        94⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        95⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSsUgUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        94⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMIMUgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        92⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsgQQMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        90⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmAIIkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQIosUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        86⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GggQIwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        84⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSkUYUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        82⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSgkgcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        80⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fsUcsQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        78⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoQwssMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        76⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BaUIMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        74⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmogYQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        72⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGskQwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        70⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OocsUsYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        68⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkAoUMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        66⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeIowYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        64⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGMIQwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        62⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkgwMMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        60⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        UAC bypass
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIQUYUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        58⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAQsscAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        56⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOgIowos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        54⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGgccMcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        52⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAosggMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        50⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCwgUYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        48⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCgYgwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        46⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmUYkAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        44⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\omIsEAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        42⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\suQIYsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        40⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCMcQUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        38⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tagMcgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        36⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zakogAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        34⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKwcAAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        32⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JqwUEIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        30⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOMwEcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        28⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKUUAwMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        26⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cegoMsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        24⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAwYsYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        22⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcYkQcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        20⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEkoUwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        18⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKgAEQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        16⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGIowoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        14⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyswEQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        12⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOQYIUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        10⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyYcAwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        8⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:356
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCAcYUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        6⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\qisIYAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1248
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2584
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOoUgUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4246104181943818260-717093864536443572-327240327-1469107910630367393-1151663241"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1431835820-13240321431167831143-18556394621036812536-542731965-1278998390-136472389"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4822478571183839959216968185-810918214125611217-1324533556148403816-734929139"
1⤵
- UAC bypass
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11660237361030961142-734239437-95066396920095136179408027202003767582-1505942829"
1⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
1⤵
PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
      4⤵
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        5⤵
        
        PID:1324
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        6⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        7⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        8⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        9⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        10⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        11⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        12⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        13⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        14⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock
        15⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock"
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EewkAQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        16⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWUEMcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        14⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGwQsAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        12⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYwgAoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        10⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgAwkUks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        8⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2272
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2536
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\toowsswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
        6⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKgMwssA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1868
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yycQcYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock.exe""
  2⤵
  PID:640
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1236
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17376592522032578395664715813-693960227-884811008-163389781874979416-403661426"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1877134372373538703200049148-1562571702-20869402243259670702043206450-1031877404"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "204765709-192924740217504715511229452557-5735297471499999452-1434735830-505130544"
1⤵
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-95379215920979046661283294678-538625373379291409615036503-2034456495194964593"
1⤵
PID:328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1265445401-1139847278-714746122597319127-19746616061423484848-1538186778733199915"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1445687176-1758222491809133875-1043829328-1433182733-1654564687-607568865-515295315"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1117751048-239918899-272301267726817672032593234-98641885611204523411608767895"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7698026461121139185-1028782677-315537705-1761756062-2124716413-2118742859-857160661"
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-210093313-991122786-701928900-1292595464-480794860-161074248121473461292088170630"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "838691388-246557868-2057425662-109188550-1927557025-4111114681554673360-1210721505"
1⤵
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "968529438-966206130-1046802661-1518302101-3703440717441398431282678310-1063824498"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1928479255385070195-44711668-20576724007466835891213170487253940448-638179129"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13720372202474206221849818441545261159-2078849575-1438140405-2034771832-554549342"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1350258380-654725668-614771056-16909373207024242731114950808-104353046-1629324063"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1340309637-1405924097353686287-949104619187896869-1025174958622673164-1162663284"
1⤵
- UAC bypass
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1212101869143017096313515651771806904157-698239641663727705478119145-1062389461"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1160705730-941405910-1128008043-1949343167698619600-418358685-874992627-672381035"
1⤵
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6004494641590125296-1265951601-547844176-175894621-1588372484-5572295101494593"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-780304057462134000-169943215811737679671150559740783169298-3662785761336715850"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4247853861456120715457388671-50504507761217576613826963711692967260729020544"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1538104936-118431521217626376431364322617-16856845951576295409849646636777870296"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7653488621001842363-18048095781598816516-14277541471042237679-343741623-1604382085"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2031667312-3737499472018933359-224451775-144132727968349329-475466930-1059350352"
1⤵
- UAC bypass
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17902085613762854991793424933-16067895371501651766-2122195869-1380929719-555879282"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1282559829218568426-1150480958662640083-1664098604-1458084196-471101082-6247197"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-177602533419528072807842620001203768667104549742392419695-3532322401395383945"
1⤵
PID:1056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-394636618981266107-132424313-1480706403532159017662883530-1629177871-1403538680"
1⤵
- UAC bypass
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1782377452-1562165839-2044828613-2031766814623189596176619047013044639051310540189"
1⤵
PID:756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1564465617644811894-294726995-15245776831686901276125310528-1842425411532904129"
1⤵
- Modifies visibility of file extensions in Explorer
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13420626401761604375884823478-5177914875916356661536824665-1898410902-135331540"
1⤵
- UAC bypass
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8931272612284499521514561459-1924053086-49203-108306925-856610365-1921571341"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "625131209-1411127790112608443913725262362122383427-912612768940949981029330339"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6654325118832149161433617144-758888471-1239035095-16260956111550471050-2046011839"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1175717746-2119553385-1578412411076900823-1917286242067099964-179670806682857374"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17929248201037066208-186098712281778609420418024161094998723-1308842207-44158385"
1⤵
- UAC bypass
PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1630277209-1978810791439240156-1468541726335087010-11255728301075894486-1453881954"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1948620453-572163325-1830474235-1364698803-1469899354-852245016-654431911-1215129904"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-981214076-19177732-1839188331-1296793531457839080-1694956267509221085-1757077437"
1⤵
- UAC bypass
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-341183870784116813-183782448-9597271771722565903328838600807534356-79540628"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15363343701639967140696254204189626700-5959941758751442211613991819-1767892470"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-636764001532483156-1816110293-879084585-359645631-1198588831-975230724212607961"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8596031356342536277246468621403952966263841845-141030075-12447869251752369473"
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7144736611959854684-223050376123736532378539991277920944762181943-682960526"
1⤵
- UAC bypass
PID:284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2741144151500223737-1621814273553741791-77706276210735753501665339679133006113"
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
236KB

MD5
00e315c1c811d51beae5b9ee92bc057b

SHA1
24d40aa31a8f9046b767758b526731d3d42f2c72

SHA256
c96d5d1c9fadbabf1b5653b7ea890363cad2063017ed038c1c5213c930b6303b

SHA512
e7475f8996481b436f9f5cbf2b3675d2ad2e7ebd4e4f81988584430af4a63e8f69d11a873ebafe084980259a7b8b4563e7ea9e693100c009f933d23a07deca70

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
138KB

MD5
0a6049fa2523243e19daec1f9e451bc6

SHA1
9073293355b77c0d04adb97f338dfdfafbc06864

SHA256
ca6d106a2a670fd59d99435b537c1055a3bbe722403b33ca11a85f3173a0386f

SHA512
6146cf8ec2e7657de3c194010ff9c762bb53555f492deae3a58bcf90759f33144ada2da12b8c02bd5d0ed8d61d57355fbb8d6446654e6db48bb5c4ee3c5c8c57

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
139KB

MD5
f8da4debdbc3fd525aeef1b33f819998

SHA1
a2256deddfff1bbdc3c07756cff253b78a182b99

SHA256
244883deed12a068ef3b2f65a4f19105be4084f4ca2b3d93be1ba5e6b9d1fc60

SHA512
c2e531536a6f261fefc1736acbd27395ce77f84705d56ebd0d61187c3a8cef1f8b6513e31991ad182a36f98134dccae781356c42cadfe02739912bf774951af8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
137KB

MD5
494bf324dc98137ebd763a74493b1b96

SHA1
3ec9e75bc0c2ed3f1b6b764f4aa69a25d23a5a7b

SHA256
1b6f225a8c7d3421927fc12843a0506b9c23ae7a48262a1de93b8c84a9333786

SHA512
5ee28fd17fb3e291582b11fc57d6f5643aa637f55333055bb216b24b03371d5f97e643392d9596e2b6dbbc9b14bfffb88d36ff51272411eed60cff906d31463a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
157KB

MD5
c00982dfc2aa880184a4f1264c9c6600

SHA1
567691a1564808cde2ae7bbb672a37082614718d

SHA256
c815e6db09f31cd3ea80930bf573cbaf3f3073c8faae80ad1bd2d941d6aab401

SHA512
df5326c53b9439fd0db4b90b757392103807d616b560e3a98fcdeb608d88b209385626ffd9c94091bcc5083342681edc1a19dae2259d25dfde45442a75a3e9cc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
157KB

MD5
d4c19ba854274e3202f1029b673a240d

SHA1
4b7ef41e8ba459dbddfdce4e07c163dedbd812d5

SHA256
a9944ea948d012114160b841824fef19765dec9baaa72de2cd788526132af955

SHA512
f74051941ebd8fe7e105afeabc1e72b52e57ee07e2c2fd9989bd9cedbba2238c28b802ad31986e2492835c96c8f8c7f36ba006de04cbc48d6441c3846e833d7d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
159KB

MD5
98452016c164dc03fa4a229d5905a7d3

SHA1
0244ebbe37bcd7cc935e45437abb9d79ccc9e686

SHA256
13e399276bd5a45f0b526dfdaf3e1875ef90495f169fb4d7ac6416fade3adc8d

SHA512
145540d21bc42b7ff9c9d2836d918e20d394272815251b538576a17950beaf47fc5127b293f8e67e2dc98b006927066834c343dadd59246631a7d3ece3b14424

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
158KB

MD5
a4e7e85bd34e8ae85e67f6bb1cc72407

SHA1
3663f732f5dca0bf05694794a7d3755bbfea1b5d

SHA256
fd6fabe27bb23190c8cc0bde8e627bb9802b0640f2162e930f7b10d63d8b02e6

SHA512
1b831027139f968dfcd6b7c4b175b910b8c067d9a8e9b4899cae0806081f9073523d92c1253914640ac2a5f94f4a0b80099b9f55d2da44e3a715732f8c6706de

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
160KB

MD5
1fe50dc5ec40c0e7e9d38772d18df02c

SHA1
65c70d3077d93026c69ea4924bc3ddb6df987b1f

SHA256
8abfeda5db30301d8f1cafa100a5fd7a74fe3f8e9c0381b6651a026d9265b208

SHA512
8f51784ec0938d8dc66d9a263bc71f4d5227a7b9840ae6b3a167743f12c6939d046d768a6492540f25b67f5db22f48ab091df304311c25a4465b2ba4128f5725

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
159KB

MD5
442924956d9eaff0538b9e9177f31886

SHA1
51f03fb47f3183dc1c4c7aa32c4f0e6c3ffc0bb9

SHA256
2b7da9ca7c76332a410a4559c9b964fea784b6c89fecfbf401f4921431bcc859

SHA512
cc9dbe3ba65ea021406a0fe1f6edf7efa60116d85edd4fd95cfe90dbfa9b0bcaf5335e13ff38bb38c0c665331f9d48e2c9f0a6d6e0714d2138375849196fff79

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
159KB

MD5
61184944e49235210f6d4769f724e255

SHA1
eecdc26495f6408532c46c6ae73e0304f1a75576

SHA256
e6d3947992e96ac6e79e2bb82b4a831fe2cdfd0bdfe9f554951cd2afe0af6981

SHA512
6188c2b4c5538639cb57fdaa9793a99fdd6d30fa0ff23b956c210f31823c6d3d6770659364b2a552cfa6e34ffa812ed4c1a5258318c6579a9e5cfb25cefbd716

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
161KB

MD5
ea2d4b23601de4dd61acdd4a664107a2

SHA1
1a1518e240839dfde979f3ceb063ed8c34ecea10

SHA256
70de997f4144cb143ddc22d2a4b7c274509d19583af3e95597af1dcd8b85df1d

SHA512
9d64bd91cbbb4366c2b102e0e4215d38c2b8577d353dc9a72db86a221bb1d483322d386b1ed7e14c8f99d06e0652c593f726ed03fd385f8b5a3c9454e95b0056

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
158KB

MD5
70b796145eeedbd822b6373c6cc5cc24

SHA1
bf9c39bdc64221c9d72978f310272f74be11675a

SHA256
6826321e0764953bae688565967f9d4638159e6cd0c19591e9dfc334940df141

SHA512
2b98d662bdf207881086e0167ea1f930400ccc98e9a7cff3aa4877661040341b6275eaa08e8883657a1e53a047ce944a07a0375f1e10bd7b277c87db03589819

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
159KB

MD5
c6c27f13b146eda66679f3ef6e2734cc

SHA1
ba57014ddd3405ee1bf6a7e8cfb65fd18acfdb77

SHA256
4a0f3ba4ec31bf48515dd55a66d107b4c114494cb70520e6f56319303f360254

SHA512
8ef0034e9e685c41e20689634b3d6f95553805bcd54a444978a0ddd4adafe8a9e06666da4f425caac4efd46ed6f6d0c448bb8300d8c07606ddd017279d47fceb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
157KB

MD5
3a893238e419a55aff0fe09d715542da

SHA1
6ff9d2116d8acc07f30ab9fbd1dc24ac34da62dd

SHA256
2ff629647f490acead896d7819d2d86011d5dcd5f4d4ded75399faa7fbae40b4

SHA512
ee56f378aee4c8faf2495b3d34b739bee61dc4a1bf7750fa0d6cdd696688356b7485fd7041cc3d1d89cba50c0cb38fdce8b8358ae6522575ed8fa06b84ab6628

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
158KB

MD5
70b6f2a3a595b028d0e9d9fe9e0d090f

SHA1
80d83b6e21f1b711e9b4fa6cf0644a4dbb5d8a08

SHA256
c78fe18caa5c04161cfbc3af190d4d4837cf788bc8a0312f5aa2aca30d72a3db

SHA512
bbdc336c8639fbb54e504e7c7bf41a4507edd50b17eff7857c113eca78c970e984c1187c4397fed812aba021c5851da8bea06b8c1c15292ccbd4bf8eb116eb96

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
157KB

MD5
2a2743387e9ea0f6d771e253b3ec527f

SHA1
4af66ea7f08b70c513913a546fb04d1242a536b7

SHA256
336481fb9d2ad50ecd6a74ecb35a70720aec848faecac0b19599847dcb8314ca

SHA512
a785bd812514161d24dd0d585b8970ee39c1b9599aeb969e91d753856644bc5e1250c8009cc42d52efd933a1b260ea09a783ed31861949b1a4514a7845d41753

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
165KB

MD5
0e0b750a5140a933f9235c37dd1760a6

SHA1
02137e5c116191900963510aec3e1c6f9a9e6869

SHA256
90b23f3c8038fe16d8981d85ec8ebf6ba059a3bde6d90a27de1aa33c2340e7a6

SHA512
1388ad6ee1be708ec2501175365c09037ea25a248da9729351b9ece5f5d12ad2b4bcaaf393f5818f5ae0434283d855b074ab7461330a193b7e8a116d9f3df054

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
157KB

MD5
8c5e484368f747ce5b37bc595771fccf

SHA1
8134939be5f1b127e3a60922d2b9a9b6cd3f627c

SHA256
677709a5f71abeb1a8736ccfacd50fbb048b8635bb9d143625d9babc4e202431

SHA512
44ddd2ef85fd0f26a7b19ff00c1fe243fe16a0b0e56defc199398dd90ca90881b802217e03bb046f6ca9c4f255429efac0e359c9129dd5b81c4df15ca51a28bf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
158KB

MD5
542e2dc7f566a259cb00a5e3d8f683e1

SHA1
017523f4ee7b8230d0bd7fb69958df901f580be8

SHA256
9846b9ef76478e732f4effc4ebf8d58e5b6df05a5f8cba1bbdc81f466983b256

SHA512
3ae38a3b129248218a63b0448b8d892361c5e964600baebf7c9d355e4acb246182858804cf3d90b3f058f0b9c52900cd64bfa073f308a28e11d2e1c629f9bffa

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
158KB

MD5
b924d8caac92aca96e4595f91e237c24

SHA1
3e953fc03a7648cd4751aa0101a1409d1425296d

SHA256
62dc34578ef18a36bd51ae4d3632e45d300d8a9f7455d83ffc4bc03e81a312b0

SHA512
8b41c9e9e3e36583b4b4c0396a812e17f70124007510e86703e331197c71a185c0a2ca46faa24a34a1afa5e91d0f02dcc8888ac8194ca70bca97a2c2a2f9e8ab

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
159KB

MD5
ed4f8645fb9e37f50420b827c579dd22

SHA1
b0ec70bc895fd994093671f300dc3afef8b882fc

SHA256
1d44d84779aa33207002ca51ec65fc50ae24fd86fa79246235a32d481ede6afe

SHA512
ecbb499e392d0f382d665986057a71425529f92fc15258eef6b9d809eb59f5eb88062546febf79fddbae491ec103429d3a69accf18b634e51587b9a44dd1847a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
161KB

MD5
6e29fa388a45c8e836507f81c8dce489

SHA1
5f19fa78e751f5edb9b34965e36bda896a56f5be

SHA256
88fcf7b547fb5ef936b925a7d8c6a6209417fecb275cebf4441bc7b38aa0c7d2

SHA512
2af85f290713ec337a73b9da6b6059056780fd0c10b3d396062910cbdd8e60482f3241f98eb6e706958372f66f3971e781224dc1d8cc41a07996199d61d916ff

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
157KB

MD5
238c654789890642db334b7eb58f1132

SHA1
3351d4f8a72e1edec228737c29d2187aabd7c97c

SHA256
c42320322a0cb1affa28303cb8fdfd1eca130564a2646cfb1e233e9503da8ac8

SHA512
327c1b60fca4afba792ba59208055b02792536e21ea5db9721d8a437c6427d62ffaf5408887336af01bdda97feebf7b16d947e39922ce1488c141a80369661ca

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
158KB

MD5
88b536e2477213400dcef4fbf5f6f6b7

SHA1
d0ef54887854b22517e3e67cff94bdeb9e4e0b43

SHA256
c9b104266243f539c309d9ab5948f2dda47f55d6fd2c0f5810d7f15eb4ac0275

SHA512
f8bcaa0138462ce06ea7b54234e1291f64f2efa1d3abcdfabeb657f9e45aeb1556c71c12977cb7359384ab932c3bea8c42d9bb6732cbd3a7609176e6545a4cd7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
157KB

MD5
d739e78c0debfd280c13844b784ac250

SHA1
62210440b3b07c30a04637780680c06d342a1960

SHA256
58f66b1307a213b8a449343c1ed1f736ebf1a08d8e892f00976dc730c28346eb

SHA512
9cab0b808c3930184d0c21f39e68e6afcc3c7b71f8c40299f27bf021f85997f7eb15920afe38848684e8630a9220e383460a506b117287ac2d0341bf0d322b64

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
163KB

MD5
c28968b5821cc4f1dde258728e4bd606

SHA1
67abe0632559194fea0e492ccd269ce4ff5e488d

SHA256
d413417d2cca4afe0f1d70a849c72b363a30f2cc11c9d92288187dd687f4951e

SHA512
a284115c9b391c30354bf6c4b82b090575064bc4892a13eaa5e04e23afd28fb89558b90f5855c1d7213078e9dcc806beab6d64d92ec802a1b23571bc55a937ad

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
560KB

MD5
bd4f69fe21736563bbe96aefe8a6b45f

SHA1
93c7aa8f559a2d7bb19a60c685fbe4a44cc4fb75

SHA256
7482a9cca6e64e69d8b30b89ee6d8c443193bca8d134e0a4337f031c6f2fb19a

SHA512
e55257a1d591d2003e44100827d9376c54800b362a88172ecbd1ebfcac701efc34ffe2f7bc3be44306d982d735f63db33a02a991297bb901e4b048ea494ab40f

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
743KB

MD5
127c1fbbae02bd808f793cadf89e7a25

SHA1
077fcb4016f31aa1763e79c7e5ec9e0fc408e85e

SHA256
8a0f2a3e8e8ef60b06b023ed7b846ff0726453b58275f6f730a9e557676c800c

SHA512
1a4485abd55b06fb3a5260098ec581e368fce71db4bfeff75732aa62401d74b070c7ce437278799d538ca31a02b7de681444374cb6948b678ce3e8c125672d4f

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
744KB

MD5
e03fd6ee1e955906391da1cedf1782b8

SHA1
5846692308f0725717492bcbdc61557a0fa91169

SHA256
9687e6d33e3e0ee67610383b4815a0dd4030cdd14619ca28f89e2e0beedd9ce3

SHA512
732d649427630596a5035b239e84ecc3aa5764a6ef1f5d21f12020eca63469b3deffae347ec28d56d346e9475dbdb8ab1ec97d3d26e57fcbef3270811b929957

Download Submit
C:\ProgramData\WwYgYQgs\LykMMIQw.exe

Filesize
110KB

MD5
6e5e35362021b346d09e379a58fae6a7

SHA1
45ad08b993d9289b4f7c89c72774fc60a0976769

SHA256
fc0d77b5627db2d7f34e64c4efdfb72c1acf966f3e68a5be04f8762cd538aaab

SHA512
2dfed563438ce55e8876fe9074ac967f36ff075a968de06c9a6b2b4dcc9837ece7d4b42d090fdebf0ef32e39173d21278b47463a8006ae88376e6db30148aa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-02-18_57f46f31bbfc624df706e8f444dd4fbd_virlock

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEEQggwU.bat

Filesize
4B

MD5
7ecb2340b197e47ec8f9ab627154ee06

SHA1
05a70cf236901455d28aaece70d55ba2051087cd

SHA256
5dda0f680f45cf31bf76769d98676e067b491deffa0944ea6d6fda63e82cfc10

SHA512
f3b1d68aef48b799f2d2741d0e0592a1793b6020dcd8703df5e442dad000891a7495d2a17ae983e824163fe14e0c7d6d9c659c8e9f5940125889e67475ad7e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIoM.exe

Filesize
158KB

MD5
ca2cfa28b24eb59b0b5e51d131591ae3

SHA1
3ed0ede7d0f4480b103544dd6c281b42f1cd3228

SHA256
636775dd6d6c3f6672872fbb5997be87b76a4bc3a85c3a485cab24ceb0267c32

SHA512
8286b6d444654a4ad5501e1a60c18d7f1a3f56bcc6d275670fd1eedce771583a616ca50a04e3b8adea56f40b83559d2bce60a1d5dc016b6d6d1f433a90d6c33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKkIcAUA.bat

Filesize
4B

MD5
3c4e3c4429a591c140fac7a8d5ce130b

SHA1
7d8fa9a8f90d39d2f09387a6131a687c2dd0ebb8

SHA256
86934fac6625e10cf49bde978ba928f323fa7799d8f9c2d9b910abe8826f0b6d

SHA512
5cdf93f30b8e145556fe5a61eb237664c962f192d2e1f66c9f85a38fccac769ef1a199131676bf6b028882938ca239bdf83e8038f39de7f6dfe8b57d33dc527e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoci.exe

Filesize
156KB

MD5
0e513493c8277929fd6adcd3c7b8cb33

SHA1
96e32abac00ae0a9868d2c65a263d6e3a2cb5d40

SHA256
0a9320d17db9bfb7f3d29a5d04ca06ce06831dcf9ff8d694b168093d2ecfcd86

SHA512
ff211494d46a92bffcc62d67770de32180fd8f35233bff6bb2859515700f71a55913f785b5f1e30ae665ccd4fbb509baf1783c05da43ed67cc9bb97bca376734

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokY.exe

Filesize
159KB

MD5
505c58f7d7f551be7aa0527d4acd6c54

SHA1
dc8954e49efde0708a7f36a0a0c18fc298a5fa2c

SHA256
882a5f9b5382c45cd2de3fc97f416636454fc9df4f95b3343dc3a6dfb7054382

SHA512
65a749048b85803e8d09f237f979ec6969fc9d352aa8cde6e3cf9ed96cb7a0be9de171768a588a49aae647a8ad5959dc691fb954e2ec772352313873c73ff4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUo.exe

Filesize
158KB

MD5
3823e81c12d10e2aa0788beb90902a31

SHA1
291ecaae3ec1c889394bf64d11d2818ccf7b9cf4

SHA256
e711adf46df3bfeacef21055b1ed535b039d5be95ceed2d00412382b70eba67f

SHA512
57d0149ddd1b045b86f3ece7532169f4e3e73c64e29ead27c4bfb1943bd6d729a75c1a52c14731bfd3298439b0cc3fa96e368645cff8bb06c819ac02c0749a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgo.exe

Filesize
160KB

MD5
d1340ae15a4f064001f4f70853e952ef

SHA1
b4a075dc8405b7a43b5d3be697df109452a469b0

SHA256
886afc5b7844825088703e4f68a48fbc8386b1078ea7477e8f7f9aa468b91925

SHA512
2a8fb0d690f5c6ff46b438bc8b87db5b1b6bf99285038ce2ba77def55d4b748ab774383e6b5dade23343df968b68a2b55270d6805a878373218182bce8fa25ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgy.exe

Filesize
159KB

MD5
7f2cc59bd61d1d93b33e5a98a532316c

SHA1
a1a9137c339f17ab5b6347e2dcc7dbbbb348d76b

SHA256
f31e50f8d7cc9fb8b022bb59977a0075c16c2a5f0bf6cd7571ec6f6f8a2baa06

SHA512
6d4678ed1bd257991e08ef9920330819f633da4bd2f12ed1554a6c70687a86f05b6d1419577969484d2bdd44690a98374efc6845b6db53dababff6f78850d4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMM.exe

Filesize
159KB

MD5
c554cfa6fc3c9f884d11ab0734186859

SHA1
9fc17cdb1bd8ab5e4b40e81bfcbc6f7d3a104baf

SHA256
2a2eb9e336f6342d953645cd189262a78aae622672a8d1033f99be960f3537b2

SHA512
bb267f123e84409875829dac8c3c42705a47c66d30f8a92d33e91824c0e1ff873e846ae157f0e74d76b6b9f038632e3c9b45ea4c4cd951b44d81b10f4ac29d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQcC.exe

Filesize
157KB

MD5
e93cc655f9b0611a362682c4cb621d43

SHA1
28156b4709877744da037c75496c9be272639899

SHA256
b57086556b1ee11a3a0cbcd4d738db4e21ce53f851d813654aa64decdeb25fc2

SHA512
311b45fddc1218cc474f54302c7fe2b451fa9c5dbb389059d82cb1258d6eb4fd6b16c84ab827b3f60f5371ce7371fa98d5574a737212346971e2e90969f15f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQsO.exe

Filesize
236KB

MD5
7711f3efd263dd3d6d64c26b3adba03a

SHA1
a3e8b144590087447e0c3002ce8caff0accaa906

SHA256
96db7054729d0303ddce549dc7e91b743dd1be85794ed3af3f408f6c4aea8643

SHA512
bc60713029d3c402cea30ab55cf2b539541fd8b5c13c777b9fff28bfe1574fdf4180518cb6b9c5fc37afd8ce52c25e5d7ef2af9f9f9af161dac1dddb740e14d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcwI.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsMg.exe

Filesize
869KB

MD5
2795212fc14b864363fdef3ace3133b2

SHA1
a0b7f5697adcb663aa1fa512f9e500f8c4f22998

SHA256
421454b25333973639e5cc27f682fceadcd84bea99d6bdf922cdd969f3fb78e1

SHA512
57aa7f71eceab954d2f5adb01d65eb4284c4777255d051c4886e77eb92ff467093fe053e7b1115abd912859251fcb8bb52d1e468cf7b239f1ca5a6238e340ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DuYQEgUw.bat

Filesize
4B

MD5
605a26249765ac3feb579572e3c39478

SHA1
255c1a4d6fd93b95066653cdc5216895361f3315

SHA256
60dbca22f6059c54fb3a3c03cf589b8f4f7712196640db452f8d10ac55cdea63

SHA512
d58ff4b3bf9c188f229d08c9739078716bfa59a7de92a296189dcbe8bb3d018d77cd63ba05996d6ae2b664da226affb26508b4cf1037429a580e92e932c32a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwMIYsUo.bat

Filesize
4B

MD5
74f8600cd6f90af772782239688b1f7a

SHA1
782015d283f8ba978f24f1e73684dc51a0b26065

SHA256
a69f79a6ee00d3df5520fd950a0703c0d55d9886d6071d60bcf503afea1ba3cd

SHA512
4f0054464ea21e8a9d20dfa0f9852bc03ef24313e8b6d3150aed7cdd6b619ddb26367db3f303b27d824e3fb721aec0e20453613f541de27705fe1a0cb96317fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIggogcs.bat

Filesize
4B

MD5
3b14b532cd07ca4d2272c720f5846dc3

SHA1
7b2ad5819bfc3a27c4ecd8a21625b8dc748e35b6

SHA256
4db328bb6091f23f5923245684a13dab2d3a041eecb9099c9da0643716862cf4

SHA512
2ea7e4ab8379b8d8734535676258da300daa94828ae469680dee268385bc167534b8687bf0ba9a14a32af13cf96a41b82c6821aa85599801cd3bdbec5c253818

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMgO.exe

Filesize
690KB

MD5
cff8cae5638ac4622ac3cb85953262f4

SHA1
e1c75005848d63a738c15dd5afe5be3868a65020

SHA256
133c4293a51d38840d2f7a2f67f1d142fefdfefb7ba1249fdc0da5a9e6a0a817

SHA512
8694b9a54229b27b8e7f19d872da4505ec82830ffa9f6acf756fb14d191f49d1edb476b05ef85124b661495d3abe72a36254c2a6ee564834b24bdcdc4522522c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCQEcMgw.bat

Filesize
4B

MD5
f9fe492e020bcc05ffc01c0591cce917

SHA1
0241a8a55fbf6b23ef7256410b1294fd232218a5

SHA256
4c5421ad6a742465c3a39a3829d7388cbbbcbcdb065b26af70f7a8a7cb8a8980

SHA512
5ad9c3b72d294868e74efe86f0d6be80b36df3ba78833e7810269a216bfdaf51ea06a3fa0ce97928c9d5fd8430243403988206ed9ac932ba5de601cda5c34df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQIs.exe

Filesize
590KB

MD5
1b7c5b349e5b264020b945a44cf20823

SHA1
43d95c7836b6cfa5e8cf150e7483a53db13276ac

SHA256
1564d9cb9c6535502fb4239a15af4edf3a20e6d30b95db46cc23922f3393d74c

SHA512
523bca5d1afa07d6f52a722eb8a68b19e24f182c43a8c6bc1b96e0f4dd8cc7b8bdf873504aeae7cd958f39d9fb1195c9417d63ac3726ec11b8b71e55f5169513

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcQE.exe

Filesize
159KB

MD5
b59089631e88ad9691709a36d2751b0c

SHA1
839e40298ad80c7c36207767416745572813d256

SHA256
9e990f90ec2300902f1c96810591c43651ddde9d553e9a1cff691ff5e458db4b

SHA512
2a4c78cc5bd02253cc54244ae27c93dcbf3f9b2dd5775efbdeb6d1223b92691a3007f5b87edfc71de0f4cbab6c364e60267be5d8a5bbf26f7c39b85c94c3ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkIkAQIQ.bat

Filesize
4B

MD5
3026a04f6be0fda62dd51fdf208a4324

SHA1
bae5c1acf2d9f2362713f1681b7c80bef00f4a21

SHA256
67389e361ff53c9c211925511071b396f87291e53496b89f99959d36c227bb11

SHA512
c5eafc153a5a205977a3e7898f6764de129e067f8f6ba71d35bf4adee6922f82d1cf576cd5a98aebfbfa3239c619ee2667608f73507426674fd2c44f98e9ffee

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGIIosgA.bat

Filesize
4B

MD5
442e64b7af261bfc0eef717a9584920d

SHA1
c483e91ddd9a1b079e631a94ca1cdde77b04edea

SHA256
39cbe9d65ecaf1d3f9bda9d90a8753b1b987318189b186b8b8c6c803990c11cc

SHA512
2297a6ca25d6323841acbace3675a883c1fa9a4d179f2bbcad9e1b698d5b4680bf90cf8077c4ea971f158c0d8c3a933f71497bc83a62e4eac5b94b52bda640b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwsMYckM.bat

Filesize
4B

MD5
b9295a3ecb4dfd5bda2ca7765ef5cd30

SHA1
4fc5c7437cb068bd2f491c1267cbea9de8750fdc

SHA256
9aa4f480f0cd5de03c914ed1f39492194f8b7f79f57aae97af4f5fdc57235856

SHA512
61b9386c99dc6f9cd7c8c278dc7b7d0ff64a4df5e35b10e2158425195236f8f3a17f3d13bf6dca4174ba6e13198c3b93e859862921104b631acbad3bf5e6d6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEC.exe

Filesize
1.2MB

MD5
4a77839975974fdd1d8dde815c52085a

SHA1
e574b2f56ea8f80e4a74b601e45d66cd86c11b38

SHA256
a7414e5677728d41d5fae672817acdd1ead2f772270361d0aeadc032fa12ed59

SHA512
a144cd98a07d64d0a00784ad33b7140b98f3d07a67d3a34c7ebb8e493cbb728f7f39324c1c758c5a8ea500ab6a73dc403818145fd03929b3e09d78b76087cf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAE.exe

Filesize
158KB

MD5
ed5b3ab2650e9aa891fb937db9275a91

SHA1
02ba124f7b97c31a7c449126200dc348a27d0d07

SHA256
f52b11d8cbf2eaa8a21f4492fd161af51f3faaff62047c60d22c29bc1c995ec9

SHA512
c24fd07f546eea25e39b0c2156a5ffb58cd04a87a5ba883c57b75c4d5dcb8d78769bbc6326eeb847b00f96fb97b02b479b452a89a7f38fb255e3f267a3cd1f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgoS.exe

Filesize
158KB

MD5
a02642e9b032bfb3c18136361049956a

SHA1
3167b11535962a6138fa6150d3fb6bee1ffa21d2

SHA256
9e0fb2682d965aae639903a517f13932d00f10d684856bde0c492a249bc74c2b

SHA512
0f3955d80b38f0a976ddbb5ae5c678db8016da0d631dbf63892447620fc29a10226a154522dc9bf59f70b15d2213c76a040d2984ead47b98194deff5a63cc46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IykYgEUw.bat

Filesize
4B

MD5
e609b9840f1490b8d85bc9c7ddab80fa

SHA1
163a6e7b22424bd94ff938606da3e2814fae6a9a

SHA256
36357838f4337197ad9c401376894f261b353ab31604bcc0d56d2748a70bb3ae

SHA512
88756acb17c1cfd844716f265f787baf72a167bc5859780708bc791db697f9898e2d503b646d8bf0c9e65b729ecc16511da287c172e8c93181ed418d1878966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUs.exe

Filesize
486KB

MD5
25269b41620b910be57d5eb0fca6e3ca

SHA1
c0986b9ebc7453bf8c6ea1c08246cfb36ca583d9

SHA256
bc2708c11435a9b4287c891cd277c6e166784162cb46751ea44b2c324fc6b981

SHA512
d26d5419024c303df978737d6ac6106f96ec1b84ef358df65716f1056b2863ad15ebba20fcd0418312ba8bde4d935725380fb82fb578984853714b8822ef3e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgM.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmokcYsQ.bat

Filesize
4B

MD5
e27e5cca24f3b600c9b6b50211c51409

SHA1
1bd7d9e2bad8130a743d106924429eb76bfb0640

SHA256
f45dcba0040e13ad7f6b80076a08213d441531d7a74dc0efde88e0dadfe2ffef

SHA512
a1210380987555b1ce988d6b717b620780cb4959bb9b6ec62562fec9761f91a318dc96a290d86551453851702dfd183ac2dfdc9a721853caa4659f7bf04ad8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOcgwIYA.bat

Filesize
4B

MD5
26b3632394efd896d1a2b584fc7f9622

SHA1
63f7cceb1e3ca642bfa120bde9a98de5349fe0ea

SHA256
c26b2b1cda561785dccf39fac8c4aea02c3897f0b37195fe0759009f2c80138c

SHA512
ed28c38ed36c7bed8447195e844b74417eb470d231b6eb51d1648eafd6568570f8aecb4d8c2b1627b8abb627322454093af0bdba9355e5ebd64eb6ec6c9452e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqQkUIUg.bat

Filesize
4B

MD5
ff562752d8cde9f86834629f717692b4

SHA1
e15a8a5434622896d47964580c9d1a86ccd18f71

SHA256
b105a38c9b9be8ceff9a05ba915d55c9d8056256813eb0572fc1d11d0c29ad21

SHA512
5ebc3c1ead1c940855cd8d94eacee2379e121481e10265b5a9435e64e7364366a2e5f2ae986149ce3fa062571ffb78c5f057bc0e1367c74b5b04dbf5c7809791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYkg.exe

Filesize
866KB

MD5
47ab225c7598931b60f1498f3f37dfb7

SHA1
3d3e6b9d3990d7e326b5a865c60c4edfb1b382d9

SHA256
1eee7d3c27031c227b26834088901ebd0c43a4df4fdf103333d01dfbf968fcd4

SHA512
117785188cb7f7eb82b8d3d2a518ef06615be4a63f29add08d73aa9559e4d9856555fac85a56fd9a91c8cd05768e87fe2c5c2be13332d5a2dcd874e525517f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYwo.exe

Filesize
157KB

MD5
1dabbcae074c85026ff61d4c92bf9489

SHA1
873188774ce14a0a9fdbc6980f4bc1c5c0c197af

SHA256
3b81d585349d28fd0447cf9f43bbb70df44a02fe99234df21cecfe120a82a0bc

SHA512
3dfc2bacfa841f04a0eca239feb411bbc76df7134f20586e518ee6109e91fa26eceae42595c2969c17cf8c8c28bf8dba579526501d484157298e5cc4899ac4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoAc.exe

Filesize
158KB

MD5
eda2f427d640217f4ddaab5eb039dd85

SHA1
c77c64318810733f6a8ab249f1f140f30849d0df

SHA256
36a62a76c8a15c35c0f3efa4ea7bb362fe71cca0a0bf68c7d41ca8708df40140

SHA512
13a24ad89196cc95d6135e25a10cc92d181172b09ef74d8cdb999ed070e34f67286fe813b11af3ba3ddcf7e3ff223c7bce2d2b7a0d6f666fa0052298eefae9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMG.exe

Filesize
158KB

MD5
cb92c9392c64d6a958e3e0086bdfcc5b

SHA1
f9f958eedf06c61eca8e319caeb045b969e75d25

SHA256
fd61752424804bc0da5946fc4cdb7a62b20cf6e6310056db7fc34b8259cbfb4a

SHA512
3066d7e474595c7e2776a2b7b0cd996b00c3eeebe60dec85fe79dd0c72137566884824b5a9781f098c437094ea85ad4a39e262d53f4e1f6c2aebd7dd74c5aac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoQe.exe

Filesize
159KB

MD5
e8bfa58caab3ab1d0af0660c03415baa

SHA1
7b7e676305e39dc2ab37c93592aa3cb968070a58

SHA256
e6344d5e396ce1dafc79ba9a1acc7e8e204ae28bc9278fd992de7a0347cc7473

SHA512
61717f7f1117ecc6e9c4a3af7b677f0405ef5e7641c9a3ba66061b0db17e9cbe578e72fa5df9a757f0e083bd3ebc44663dbfd15d2d76b89bf63749bc28d08a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MocoMkUo.bat

Filesize
4B

MD5
beadab791e3e8c9a2ab3af531466e136

SHA1
3213c961ec2c52963b9a92b40f372ddbb054d38f

SHA256
7a91ec6dddf7376e14f75ac76a99e6bf2f64ce14f949f517fc622b7c804bde79

SHA512
ca60de691595c37e848015ba0a0cc1878d5e0eeb5c2c0f93435b5bbe84f85c7accf6abf9af8ba902f028130ecfad1bc21cc8456e5a53512967e2b39edabd6d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MogS.exe

Filesize
158KB

MD5
d6c11f2e9ba272c2c7399138001a17eb

SHA1
02969cda5cff85ecfbf0603593e0bd0a67b127d7

SHA256
bc522de360a952dbd23ff58ca8dc50d07b9091351da2ea126265dea6803db373

SHA512
dbbb582583218ec9f7a64968b17255b506a46778637fa6d92428900ff0111a5dcdf195b11f6f5c01a0cef31d15205c50f13029a2f417934e7a27e35ca5cc25c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMUkEsIA.bat

Filesize
4B

MD5
b825a47fa0aab82414026993dc355bac

SHA1
a3bcce3f10b6bcf038c8a3b798c8923bd7d2a20b

SHA256
13fe216b18e860820effb66ae4b8c3d8fab5c8f60fb9e9d0e60c25cf3794544f

SHA512
28ff193292c08bf7dd036796289afcbfaa93fc6e946bbee6de94b9ffdb18c1505a929f0610195f089e2b4ceaa17a8e151a2ef88318568757461f0c4a57ea0043

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEIU.exe

Filesize
158KB

MD5
a10acbfd1ab67c8753fdfbf4ff53ed1d

SHA1
f8567fe848ea96b9d65b63d95bb58cb2f67b812e

SHA256
a59798cab4b7ae11aca827f1a0e5db9252d557bfe82ac8f46125ea388d79e34b

SHA512
66e652288f20c630ce6eabc9a5d397173107bea982711c733b2bfd578a60798f45d29816096df32c6e71272aca7f6b51d53a224a7b7bb4639ce3fdbcc0ee19e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcsW.exe

Filesize
160KB

MD5
fa8bca8828176a2c69ada8289e4b96ae

SHA1
a8cb681f3303d05c90fc1a21dc77a252c536689b

SHA256
2456f077dcdbc1ea89d6acbd9460e9bdb96a87024558c5424040056626ef16e3

SHA512
11a03a5d9678ec70cda8fe2ec2ea4d54494d1e21d5a9eb1fe3e8d2e002f57ebb71fa9baf4c2693b23062d32124d97d801fcd3180a13164cd88505c494b4c5ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocwu.exe

Filesize
158KB

MD5
8f839900d09b25a13d56953c3da72429

SHA1
9e7c86664772bdd54c80da9a595f4cce19bf1cd4

SHA256
aacb1acf1890646afaad0ef33a19a90818248dc792806675c95073431859c40c

SHA512
f5c3ab591a1e2464dae617786b00e9ec0ebf2444bba07a5664368b4a62cf70f548ad70a8e7c33dde386ea8bc9f4a2ff8bfe577af3d36ab75246b2d0265281a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkIq.exe

Filesize
274KB

MD5
e9815405898dab2e482f731190190ef3

SHA1
86f642492cc92946a955df80da2079d61ff6f046

SHA256
afba0be8e2e5a3d3629cdfca26294986189c7e90c297ee010511230fa9210026

SHA512
d98b82b54ea24fd406b0c1a07fb2f933ab468e7042e13bed3c2b8c01eae9253bb1d10cbcdcde696682a5d2eddb2d88c26dcc1f8907fab40890ae3c1f093fa22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PWsEIUMs.bat

Filesize
4B

MD5
f4516743e75ae4d6b92171d2d3ef095f

SHA1
eea7dce142d0ba9b20017c3e719fbc9cf74c0071

SHA256
398b2a01d44171819292de3032576cb854c17860e1e9d98967273aeb8f9cdcdf

SHA512
b92d43c45f372da433ae76782e9905de2bf06d790818ae8f06de1c7cbf2556530bc6db54fbb90b8d637ccdd3d26f4267b23eadf15f4e7a77b816939a3c08526e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYs.exe

Filesize
159KB

MD5
bec32eec82033ec9c05193a2ad7ff64a

SHA1
0719cadecc8ab1cbb3d30549f68bd63357102f3e

SHA256
cbdc91b655a90183f0d651a9e2a1ce819cd64b13fb69767063cb0373a4dd2acb

SHA512
95d96786f0610cd9049e1be16056f1a14c78b4e4f3f65e25b70619f353c6cacb3312857839236afe24d366cd36063248a90392427754e23cbd3ae3a1a9754b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAW.exe

Filesize
565KB

MD5
9f99d9536356cdf524740c0b6fe521ee

SHA1
881d46095c2f6862b3df77919c5a303412c0a4e9

SHA256
88a85b2fc22d05830c324cb9b91d2f85f7b367abc7041193376e269a0f393aa9

SHA512
7fa97038a6736183eef250ae4b7d15c8c9c2dbe9714828e7e16385d605f2a2b48c388c6e8af786ecb61ac10c7a6519b9bbc38eff6dcc6983925d081cb7366843

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUAu.exe

Filesize
157KB

MD5
3ab4a00147c7d520d21157ea80f6a78b

SHA1
5cba0cfe1d7837f1a18a5964c7b871bfa5015156

SHA256
abd0a84248e5f6f16519c40005f3e5e38a4fbadc9cfe526931911b11850c8a3d

SHA512
8bc167625bd68cd1f7046f1d2bf5f890414dd7a58afd46c0937dde82dd637a13cff8d7efe2ae975dac3f5d4e9c1dcb27ee91ae5760958e0af966cbcf3c5ab315

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqAYYYwQ.bat

Filesize
4B

MD5
62a6e1e0a15e9fdf8434084072fb7915

SHA1
8144128c193174a23441a35471e48315337d695d

SHA256
5ad7eb65ab67eba70853ae79578ce3d1d73ba9526f4f8446d37b44a953172c3e

SHA512
26eab6a15215b0c2270d4158855293df7afdab0958786fe16d80609664c59e83deec74925c2da819b6e30c3f7918867e1c5f77494e38657c880ad94cb0675137

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMEsEsIs.bat

Filesize
4B

MD5
ce3e9127f7d665c6612d86247cbae3d2

SHA1
56291c0f28e301d5f7185287b221331598be49b7

SHA256
58e225e70d22139140e5a1ad1e742ceaf55dca60a7c027e3708c06423ed409e5

SHA512
c48a67abb6efa292c26cfc5967b7f20fc0b21bb105270c617dc3e8928fb3a7477d13f5ba108b63a2bdfb0bd63230e5cd4952bf342f756818dfc32fd5b80c078f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAYG.exe

Filesize
152KB

MD5
18bf9ee6dabec408bbdc54b381a7da57

SHA1
0d71cfba7ea7f233f7906d999c761848c11d69cc

SHA256
b74cdd2c74dbde5cf58fb3383ca0577939c7c3faeecce48edfae0beeef3fffcc

SHA512
671be1bc6b8ee188e0bdf3477d64cdbfa36afe723f3edbeb4a1956705a426ea9145dec97b66f936e3764411636c8e52d5791f6b12c21819f5e179d9af18ebabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMkG.exe

Filesize
159KB

MD5
3389917f4496b287b0e5a99a690cd7b0

SHA1
ebd7921b84d6f59098e5f9671f514dd4203592c0

SHA256
864d5aabad90ac8136aade03e4513a611e021872624c774860f8ed4a7ae23bc5

SHA512
b96f370b1ba227bc66728bd32663451244a7fdbc365902bc40124cbf04397e5261b7c9da154768673f2a08f3d3d4ec81c117b60f275952314e72fc9b99cbc8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWAsYwIA.bat

Filesize
4B

MD5
2a4448b27eb975f6c5ba6500c5a4e090

SHA1
2c4152f91e831a3cd5388a642ae232a4c6f49ae0

SHA256
d0d0f9ba90842c69a4c57f92f0389c30e4b1cb3d1fd593e8d46a475297315697

SHA512
78bca70bfb1c2c598de2a328a86b8f255c08d4ee23b414559e75c4059915057a6a6437471afcde385c81cdf4eacdee034ad25ea7f5b1ab19c1f7f4faa74a87e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SekQIssc.bat

Filesize
4B

MD5
de722c5013107367858979f4d33491ef

SHA1
37f5cd142e82d47ef624c5f603739242966fb75d

SHA256
ad3ca72f7755f321313c509adae79b848e663b10592e2d8134df0dc1f905396d

SHA512
e45505eb7580741612dea074f760e9c854a98c50403dced0de80e1ba06768e21d9b2344494f811b96d57749fa083f97203b99e44a70fd5ecc91187303f51481f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SggS.exe

Filesize
158KB

MD5
a1e3e97487f9f3a42b741ede8d5c2257

SHA1
9aa5b2a03a2b033750c12c053eccb465faf2f91f

SHA256
98efeec6a24398c2619598f3c1fdb76945a3c6ae6ab51afd1b9317f6599bc6ad

SHA512
5cdac334cba4124b68c628c98686a07208f49116315ace4240d29c23e8345a0fe0a77a88bac9ce4bab879c5dd71293aacd776f342d9caed01940a57ee08e4fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sski.exe

Filesize
236KB

MD5
3474592aad1ed6401197455d1ddc8dd4

SHA1
283460ec6198399f2e4b28a1709e13f7244da549

SHA256
c9f2e1847ece57644e7fd7111ab360315b7da91aff4f28f03347be246a6cd192

SHA512
3256ccbd3d0317da7aadaff233440578412d8e2b7a7aa79c19c671dadd1c3d9c20b95477f34070fc810a5f584725da0af98e60287c2bf47e1b596858b64b6bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkUy.exe

Filesize
690KB

MD5
245765bdc114acd95e868faafa333792

SHA1
3233a25b04a07612747e78df9eb806b352bbacb5

SHA256
4dd1ec791593435a6776db50cef9cc457fa81e21442a5a27f4594a29559bfd6b

SHA512
2941c8bfaf8ae5691755287814bef627c18cda87365ae81ae72ceff4c0439d82d51f8402de486e39d7193c8b385db6e5e1710d50ca63bf09bc7cc247620e0210

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoQw.exe

Filesize
154KB

MD5
e2b0d1e9b3c15522a3dc009ba081fc6c

SHA1
39ec54e00b54268bcfea5552a0afe2858a647e7e

SHA256
d6128e68026af54ae338f96b6925ea362141d2c500c15787a3fdf24f4fa4e28d

SHA512
1e3ab830c583d9b44099fb589289ce4e0b56f4b6ea87563c9419ee01706c50e0bb1f14f9aef6aa03c9dadb000abf554095a73da6b6a559b4ef54c4532c185d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwUk.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMgcoMUQ.bat

Filesize
4B

MD5
4945ffe6ae10565bfd95ea274b0d341f

SHA1
17fccf9d0d5a7b49a0983fd1569168c232cec894

SHA256
051e841dcc6471e80f3ede8ec63088228830fb7f841fbd39a68f674ab6a15afc

SHA512
1d84931fccd37764ab81a06b648bc53fad7b5bad28a4605c9c4120c951bda2d4a44afdc0807da9391ede3a3ffae5d4323e64c3d0a454a52f514728383dfd7b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEom.exe

Filesize
356KB

MD5
bb13f919293aa7621c5790c4f50bd348

SHA1
0c1fe86b26bbcba00a274434b46e6de5abbab24d

SHA256
eca657df924c354f4571b6ade4736abd59d551d71493e17c4d0198a549af60d4

SHA512
310ba20de4525341c4f4f48df4bcfad2f839d3e0150713db9cf75aa27d0f21f31349d9d52aa56c597e6a0f6037737afbb2a282b393ad3149c8f839af3b751b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMc.exe

Filesize
556KB

MD5
71c2cb221fa66eb9bc171e241cff5fad

SHA1
e68a276ad34b561f35f736e7c5c2f4075d341919

SHA256
e8d848b403641ba6b53c38f6b359db336ef79d8f23152fd4adc76bdb2be0ad1c

SHA512
c8619db08f0f94630cd26155434c6e053acabbff38cea9d91d3f74c91789b803cd78a56a4d3bdecba89bd9cf26b6741a1707b80333b9c6287689fdd89d3648fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIoUsoko.bat

Filesize
4B

MD5
cb267af959148de30c3ff3221b49495e

SHA1
6ad77f35456f8b64ddd20ac6a642a993c82ea994

SHA256
ea01e21c80b2e75bf35f3c5f0ac4f7b6a9d74630a371070d6ed41a122ec77da1

SHA512
4e2b3239b38f721b4b2f0644b61cedad14e67e3ceb8b285730e2a5c6972a184f24218b59a7484a81888cc9bacbe62ea63f79e3aa6605761fa3e91aaea4cfb2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAMUscM.bat

Filesize
4B

MD5
cb5a5cbc017f2d1503641cad6e829d88

SHA1
398d8ce60c894698ec1c3d15fc4ddb8bd54b361c

SHA256
bca9e1b4005f36ee8ffe52d17841f7b19dc858251cc4fcf934c8eac5ea3a5bd6

SHA512
a922c06345d4578c6099ea4d9b9769661840c5bcd2b4f66c635fa9d140cfd15063e49e0348e4249aae9cf3c371d350912b89f9111b02079b5b45cfd1d8d8e57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUoYEcks.bat

Filesize
4B

MD5
75e31dfebe8a7bcd6acd19e18c8cb46b

SHA1
681cc567f85a971db5e6edb894427d20913a8fe9

SHA256
973812e1c2c879f4df4fa7ce8775f23f4b84156844850ce1fcfbf8e94912a205

SHA512
a1b513b29454f40b2ff9e27bf7dbad0fc169326732bbae1c1d5e1611cb2b7e1843238f129307cdb37f0319f2503b183f7ace951532b6277c6673a334588efdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYkU.exe

Filesize
149KB

MD5
71dc1d91063d83341a313aefd57b444a

SHA1
4aa7dff3fd70c96c510667e6cb797560452b93fd

SHA256
9ab38a6eb454c6bd563229d33c0c452feff1d1f1e9327a82e117c2e408af6496

SHA512
bb010f13a31ee13b913975213f606ef8acdad275771a2a0b46d4ffd2868c4c0d2c1c33bc81b7ccc50b852e46267111a18a39b5c27efd6487fe6736bd1f9c7dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcAQ.exe

Filesize
159KB

MD5
8076b68d31bce3109917d382742bd484

SHA1
6695ea4b99bcca85c1027b5f76d9a9140737dcde

SHA256
27ce6e1e704cc5e2442e3cf94b13bba40649a4af402ba74833eb0daa14f3475e

SHA512
94a1a3ae93bccd005057734a06dcac5a935b3c069d890347773bc31ffd714ebcfcd8d285d523d1948127c300dac2620dcd1df48724eee503bde746ced08101fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoEC.exe

Filesize
158KB

MD5
f94d1f1660ff987fadb6ff1f47d0a256

SHA1
d1372e9e1db406d7b5df262023c2c34a3ac3fcf5

SHA256
711682eb19aa914cefc663d2ec44ad9309f08d61acfe51c08814629b4e6726c4

SHA512
94fb21e26387eeaf6e68eb82c46190be4bfae02abbf74b0c0e2ef593388bf34a4e7fa13b13ff079e57168384c7f0e1fa7b407f62673ae900ec48fd72419326bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yosi.exe

Filesize
617KB

MD5
25a9c386f7fda0aac657da70c1691edb

SHA1
0afee28ea9f2ce712ba09fc8b470588c9a72c748

SHA256
ce46fc7f9ede7ba1be073ea60493b216f895da272977186578e86367603b82cf

SHA512
bca1037ac2d83a6b76164221d2b5f0d386b8bb1776a63656e834213bb87c1e1dc776666b522b237a618a60bfb06d4c24d64ace09858832b875bddd7f6980932b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YscU.exe

Filesize
159KB

MD5
3b95f0b5738359db8e586b52176a1873

SHA1
873256960c89a16e6e9cb7cbd778e519ba00ea30

SHA256
22899feb08b641ceeca08cb0faea0701bb0214735a8063321dfa941992543f5b

SHA512
3bb849be2a702751e4cdc7e8adf6a2d234034f093e981eae13cde0b5b7ccfcbec3e3ca53c27dc57fec428fa515e005cc1a9d121541f752b47695aaa53f611185

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssW.exe

Filesize
159KB

MD5
005c2b806dc9e2fc5827796a28a95257

SHA1
81e2180b6eb0758bf6e4150df9103d5efa2d4316

SHA256
67956763951d2761956f4ced9cbf9d4c7d3fbfeb456dd23130e268f487a47869

SHA512
2bc3572012a03cd7f0da08ddc112d77397a23958a258c2aa6c7d09737d2757a3283a8601d216da0aa2bd8f301e85d8b6174e174aa2df352d1dd01dbd8be442a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQEAQgQU.bat

Filesize
4B

MD5
3c47af72964b98c824e580e82fa1201d

SHA1
108237fb0e2739cd2ff33909b8db1b594e5bad16

SHA256
c23f780546ce41ecdfb80dd1f17bbd73bb596044267dfcd9ade612ec9b84cf50

SHA512
8ef0c266a4253918bfaf089b6937e11aa2a74d9de78d286418a31fd6a65096cff521111d26646b5e9801dc07087312047893c926a48303fdf5e8a5e734c3be7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZegokcUQ.bat

Filesize
4B

MD5
298250107e310f95c65b05218982f352

SHA1
e615efdb250f20f1236387b3551645f7db0fc241

SHA256
11fdcaddbcf18fb025a117e55476772797a392d41a2ea2dc46bb939f11ecb7aa

SHA512
22c8473fe7301534e0cd54d2de54514f90bacea3b145cca58b1a7cb2a6ea1c91e22d73255fae56d85b28f807c96d2ad5e25aebe8a9be888d31efdaa981319c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKIwUEIc.bat

Filesize
4B

MD5
07f9f707ec361aded2091744af3e069b

SHA1
0d8966751054be424f957a758fd0c61e4fc7d599

SHA256
2881fe6e1b19ca302834dadcf0fb91dd3ca444b72265c310ccb72c3e99544ab1

SHA512
ebd14927c7c38f5357a3370fa76927b41130d2f4db8f11fbe0a88e66b9cbbc7e5c3a52c4b3a7d332691f65f951b4a9b6f9bb9ccee5b8aa716c4cbca29c15955f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWoUQsUY.bat

Filesize
4B

MD5
76d02b56728af7b66ac4e1bc9e9b36f4

SHA1
a2a5a15cbaa887017d763f91964b28454f52ad30

SHA256
2d5bf6a8cf424fe3a84d168c86edc9aff0922ec91d59195448846edb81cd0af2

SHA512
2561b1e5f1ddebd13e4779f01533164c82903a34647e1b17c6305f8dff2e7d63eba791ff0e2f75e4125e1a96260c03e7b176a124d2bb81eb8184f5522974bc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYUS.exe

Filesize
139KB

MD5
cd2710b1ebcb9ecdba3d8ba003122e68

SHA1
45dab2893571dad3fff6b3b45803d71db2c57fbf

SHA256
d541b4454656170c1f25ed9fefebed640e72dedc00f07781910e019990775ae2

SHA512
040bde144524c2340f85efdf97a6d0352e1fbd2de28476b09469a7f74c354993dca46c55b97e83d1ec2a7d17291d1fc9a6f43fb8177e18567bf768bd842ddc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYYy.exe

Filesize
157KB

MD5
cb829742ae77583a8aa1700f1d7f8cf8

SHA1
e071425645c4ce9864860f0613032872c747c82e

SHA256
b21aee2859b0471777658805cbf3102b70604b68f6def55086723ea8482221de

SHA512
b083ef8e1fbedbd8a7574656ac573a29d54a7fa5533a13e03d1f7d73ef6a99038d93e6fa4a11e9231eb4b22c82779eb892f1ea060aedd8a4dc5898c19fef7ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\akoMEkAc.bat

Filesize
4B

MD5
cfa6f02a91255010d0dd896fa1f29bc6

SHA1
ddf8a94393d26855a4d99596eb7736fd7f9ba034

SHA256
9b7e99d46b0f4f77afa34b0f49588e2501ada3612ba200a741d60598318b0dea

SHA512
c3ea2c0f3e3e9f8c1eb3614e82457786724e4032e5d013553390f9c7c696246df8fb23d5878a24aa1afab87ce67d7bf73163fe760441fca1eb6fb774d6848b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayEIoIss.bat

Filesize
4B

MD5
108749ee3be2b6ccd378922a3eaa399d

SHA1
922b53fc1d4ec38e8b74fc1625d14d48afc115cf

SHA256
c24d07a52a68be8a342e42d642ca6263f354302298eda7b489893cce375241c0

SHA512
a61be04138f6e0ae9374b3343767f50ef5b8eaae8084ad01d67863e73240c3eb95180801603b1e0757b6af3c8e600661b7dff8ea9c3f308e32f3790f5e16b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bywwskIY.bat

Filesize
4B

MD5
9c7b17624908ea5a52f7ce2764f5837e

SHA1
de040574b23a09ac5451261e2392393a212de172

SHA256
c3f89431b0788897fc98a9d19e4386ef5673642160e365382f0313eaab25440c

SHA512
ecc3bdb3d0660994b8f46bbb6ccd7bfd8d5d4edfef695c2bd67da9ebfd64f2d2ae4be0b41a068f0c836ce30e6a5b6391b059316460ebd4262d022479ac8184bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIAA.exe

Filesize
429KB

MD5
a52e581dbeb54047ac81461bce1f6b01

SHA1
6054cc8b3679d75249dc7d141bccf325320a0f11

SHA256
76176313c58143218ddc79c2bf540d704685568fb7cfec9a780c1bb8839382b9

SHA512
7689f86299364c1ef58b7e4f658682a95df8c4e8eca1c606d779b3776d75fb211ac2424448ce83c6c18ee4e215ed9174a579243f84a6b3a6d005d05da4120790

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkY.exe

Filesize
936KB

MD5
020249ce4fba6762f5c316dbcab8a10c

SHA1
84669aa186aa3d249e94a57d25ee81531d666773

SHA256
c1677c777efaffa2e5b42987c42c9f588b35195bf80a6ebe35019486efefec5a

SHA512
39dc4826fb95bd7289b8a55e1342ede701ca65844565615d35445ce4438697b2f471e673dad38ff117bde7c75d2006b31546c742fcbc3d9c001b78a37bd67c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIoe.exe

Filesize
3.4MB

MD5
62f93736d4d48474fec3ae40eb53c8ac

SHA1
08b6af87ac6893aba5dcabfc3450ec49f855b75a

SHA256
5b083e4f3d4bd9482a036958cf78802574017ff09a5df1a737e11acd5dddbcee

SHA512
5e73e52f3af452213753e33e752a466f5406394c9a86efa229a280eac30b0997273f78e3811e57846d29dcbb066f6fd3cd99b9129dff386ef091ec45bc6c2574

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYcU.exe

Filesize
657KB

MD5
ba2f4780894b2b962622d8888ce13843

SHA1
7507c0fcfab3e5d69587bb2e5cce70bcd5f77bd2

SHA256
df60a4c6589977503c361436deed621a474f42a1436211785219d9f0d570fc90

SHA512
6ede6af598d3e4168f55a271f2f6e118bc5f9821cf7e71eeac16d8662f32ed1af96cc4c50dfef89143aed7a1fdbf528352fd3b6aeb3a4d453412de4158b1ea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgUI.exe

Filesize
566KB

MD5
3fb1135d821c63ecb407aa415dc49711

SHA1
240a9550c588a3bc7341a902f1303cb123535326

SHA256
94899422044e4a5826f3b5dbd37d5c31bc68c1f23b6a0bda77ad8d1471d50b8c

SHA512
c379f77a25e70ed6f43ac64020ade878abb53405b5a8d5fd9f81939c51cb333e25f59c8f91cd79b287577e9ee08b88c0e3af7a4f566abd962588b8e100321eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckcgoYgE.bat

Filesize
4B

MD5
d63283f59a824b6d544c253213a5825e

SHA1
a16c1abe108ed2c061f7c856b76a11b883f00228

SHA256
48580f61266f252dded9e79c36e9e72907eae8854eb883d38f5dddba634c9d77

SHA512
118e8fb4eb602bdd9dfad2c38d57a6308bcb06a58d3905fddaff99a143a16f7023622002bfe197b48bf4af67e9038c1ed061e620f7ee029090298aa0fc4bf947

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocS.exe

Filesize
157KB

MD5
2b69144fb3d9dc63dcb861d9cd428e40

SHA1
a5253e47caeafd3ee05dc3991ef0f7f0580598ed

SHA256
43a74f85424c7bf4f28f14fb9c8a1456e5d3a81d0af7ae9b98220ab9599d4969

SHA512
dd0358435550b4df943a4129295d6e0667dc0485b060afd495f142bbb82849a85e12393a6ce263c622a2f935176e2511c92f4fefba4af7b71f1fec4a81ed7ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwUi.exe

Filesize
158KB

MD5
8830f0dfe7e2ebd3f5c36d5ad8eab5c7

SHA1
f317a527bbacf4de58b5b293407d0a6e9e052324

SHA256
f913d133ace8ea2962cf49d7b4f056605a40645a33bed38434f6029353a54036

SHA512
562d735fc8b671eda7db0b3bda7687fc5d7f468982078b152ffe348ad3688db9fba84b434e1d49f840fed1fae1c246efd23fcff0996b3d676b4d9ecd6172b981

Download Submit
C:\Users\Admin\AppData\Local\Temp\dswgYIkU.bat

Filesize
4B

MD5
64f4aae88031327f5d2d5332b638d24b

SHA1
469bcd7a0cb9daacb9bc44e91d8e1cfb32f3fc83

SHA256
8dba669361772705c28ed92d6b73f316b379547d40c8744e214937e927d77144

SHA512
0bf3274ecdf9c4d928e60c06ae6fbf0b4e4be7f54c35c7c5583c5cd98fc09b7a4229a80350e7d1f1542fe5b89a0df178b81faeb416d543e3779b10f2077b865b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAoU.exe

Filesize
1.3MB

MD5
ed175fa6b524db1b1970bb8f1df2384e

SHA1
85a6d6446a87ff86f6079ad1afad7618242653c3

SHA256
d9b9c868d2f638a532867bea1737f118f8382e6c7d759c5d13e2ba8ade4f2c01

SHA512
f785ec8aa41a037a153096b35e1088b3b703ad6cc74ce10dd6c364eadd88ce12bf0a5de15efa9d1fabfc56b7de5b4e9ad8e43f45c877cf1ed1aeb27a4af23ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgAMkAA.bat

Filesize
4B

MD5
6b3c00bd0bb751e3ea1732a2d66f8a73

SHA1
f669876cf7d1a4e0db64d7402eb169d04474e0d4

SHA256
9424fdce4a296928032063e413fcd3788d3d1b9927bc3dd64fc64161ae038821

SHA512
0d35991ae52b9f2aa541be7067a23329b71bb82cacc984ac79d5f84950d502edaa3b3daa0d2e05e3b874144ce8daa71f0ed53ea3b827b500b423c58bb942fd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSUAMoog.bat

Filesize
4B

MD5
d9ff9c4f320c4f0f94235b0c7f7bd770

SHA1
0136b29fa77d874e6e175b2b805007b40ea46992

SHA256
a1ce994d82667ce5d84cc7a96275b900a0155aad5bc9615fa50a84461bd6cd57

SHA512
7cf519b12ed886891decf2fe66896704d5ac8b6a35cf78d77dd02afa2501fb49caa9944debd3f7a94d56aeddd8d24ef66d543f6a70c0192d3258bd6cecff0e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewIC.exe

Filesize
875KB

MD5
fc98331e53019d6665593fe470ae680b

SHA1
133f3099fae58b6f9da4271d82a4009d29a0d9f1

SHA256
ecbd66b5b5ebd6d731bfb8d989f0b4e518a79d6e73d170beac5c791446e2560d

SHA512
636631024237dc2fda500908b144a488638997bebcf1a012f42b21ec988e08216eaf5cbdc87f3ddfcdb4b1732ee369ce5861a143acbdffbc9352019168fb3733

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewYW.exe

Filesize
135KB

MD5
b2bc7cb5ffee2f9ada987ae5e46f2952

SHA1
fff4cc970adede748e1f34d1d00570c8ee9c01f6

SHA256
9fdadb8b16ce55f3ba18c82a89dba3317fb1d1a38d31be8cfd236be73e12421c

SHA512
cdb484698394a2dc8872c8231cf15f175e5dada34868898a476d73f2138ae78b23ddb97d38cd04d405c703498483a031a066739507f97e818c2324bb364a9080

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWAcsIYw.bat

Filesize
4B

MD5
1165925659343de83df3725e94e75d07

SHA1
04597434332c267ddd013afca1c414ce4b91991d

SHA256
be896cee463cfd93629dc9847a97399cbbb69652cc8213acddb81d1a2fc40f07

SHA512
7e11ee94cf63a0ade97960aa49c45f9052a7f14d38c861110db216f2fafb286647da8de02d6072fedbacb58e63d439c0f09035de6a640b2634f5effaf5e98359

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fscEooYs.bat

Filesize
4B

MD5
efc8b4acee19d7c62c621630709b9fc8

SHA1
3900abc51fc950af8aea5eda60bd885d7285a77b

SHA256
e4fa6f40d0ee152407cc68bc76ff4786d7c64b669f374db94d72ee9fb8847b21

SHA512
faebe6034c230139b3b07767b18c973d0244a84df35d452d43989b58b1bc57d22a763c87bd065cd2833d68edc842f3c249ea2d080522a87aeac892787858a1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAq.exe

Filesize
1.3MB

MD5
e11bc93a53167a9f65cc6d38e1621fdc

SHA1
a97fc7d8ff4d3fa2327e74142efc172e198cf97a

SHA256
bf91529d9d496efedf920843a0106ee32a7a0c8f1536b79197579bf08cd05c19

SHA512
777c9e2a7d6aee1f67f10aa02cd892e96f1d29b6d1ffc7047f6b421c8a0f5c2574fe9ec2e22fa7943b123d9366dc2092f4cc462dafb900c56975f14bb7ccb4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkC.exe

Filesize
158KB

MD5
3e2e8fb8288f1f45798743620e4ee3df

SHA1
ff311273d7fdcb62cdf7444287418f15dd51ca98

SHA256
dcd9cc0679d58f421db37f161788a6a1623ee64c18f0485c7b36bcda6b3d0756

SHA512
56c04e6678d671e7f557adeaeacfd7bc852e8ba5b7e70964b7228753351a5f5dcceb71b4182867db202031c4facb7f8f4cfb7928c4141b705ada4eaf57eedb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSQcAIgw.bat

Filesize
4B

MD5
59d3b687459d0d947e1c514faf856ac2

SHA1
8f889533c46c5fd7d3ea11094352aaff8bb016bb

SHA256
6e076f8ebbaeefe172eaf734e8dbaf190e613d8aa0dc030a8bd585c1ad5613d7

SHA512
85eb778ab9cc5d4e380ab09ff6ff2788cd52386d0f77e3583ce66ec11fbf99cf720fccc282e249ee6ef448ae63cd663b67ef275bb1ff5ab10def8eb98ddd4847

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUEY.exe

Filesize
505KB

MD5
b9d0ecdc277fcd3cd0da8820439d54be

SHA1
2bbaca4fde1a7001f3b90c7a48e5b085e5ad1cbc

SHA256
369d4c69dbb35833d80f2cddd09363e2bf84a276aa6378a779914fbd71a2ef00

SHA512
9218bad0d421b8ef0204b59b2ab941e59a7fdfdf0acb746db23883edd0d2a1a794c36246e74e6bbd794dd7760533f5d55fcd9c9cd9fe6212f8dcefd5bf30780d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiQQcwkk.bat

Filesize
4B

MD5
e34c5c158c3937c45e6045ec88a0f768

SHA1
945326e2087b2d51d0769ea648ed8022bb91ba7b

SHA256
cb3cc3189542855e4a0f7e3c0104f2a3e79ee779cdadb2756651cf25f500ccfd

SHA512
e296358816ea00416f2afa3016df8f7cff3497ed1526237efe13baa6b4c7ca7c86f77edb89174c3c141c05d10aa1973964890645a3fe76edf93410e042e4416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKMcQAQs.bat

Filesize
4B

MD5
291b0b9cb845442f171dd417cfa4de11

SHA1
8a3d1e567c9cad110bd0e55019b379cea8ca3c5d

SHA256
7f57db44169694635e76b976996d1a8b8962cab391f26a3d16ff19016b71f695

SHA512
12d0c740a04cb8433b9939ea32cf696081154685c389723cd2f4ca3dd35c8d959ce1b07e510cf8f1dcd72e9b1d23aa12feb8ba19f489a25ec6016a23c3760819

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUcMocQg.bat

Filesize
4B

MD5
b65bb0b530a1a3b01a63aad582e72710

SHA1
79354cbcf696ce9c561ed54b09aaa4c358a9212e

SHA256
e1a81462f089792834278c2ba56d5dfdde26b2617179c7b958f8d0f1739d8f9b

SHA512
4100707b2a4d950188409c33fc8b2e8e063eb96173aa6f3872d07002cd66699b61a990584b4c39c69af0420cd5779f28b249306961c6b3f575af9873627d20a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsY.exe

Filesize
157KB

MD5
a78a27e32ac9ebbc22611b1df6e7e1d8

SHA1
a293ee7fb2c971c488e6151c9be15d3fdc28923a

SHA256
30ee8d5e8205f06405059b55c12ec59e4d8c835ba407f3b332668648813789e3

SHA512
0ec178dc16c9dc53fe078855f84abffc227138ce48318a897a94dc5b99a390919050d86b8428cb131faf584a1d24051369e242a64bc4d6456c1da6e35bd790bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\igcY.exe

Filesize
158KB

MD5
1069669a93e57d891fe83e5d824e1e21

SHA1
dc747c4de6e190f39807c3b82e58a60632a4f043

SHA256
7d43a1d5cb53165f445e7c8293ff638fba27d62a8c7ba048343e4ae99c8b657a

SHA512
e0eeb38832afd9eb763a88316d73adf65e96e311760f6046de4a2fe0c99e9e60f56b14c0656e1c21abea6c2809f7cd8c40a2dae53330c8e59fd1977d84300c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\iugUEAgs.bat

Filesize
4B

MD5
4bdf697630912cf8233e25ea979382b4

SHA1
65d80da54d21813e5c0ff5fb3452d9333684fb86

SHA256
f0b3a449f42416aa85306327b577fa2bdf751b5fd332a7504e41f6c4a0df68ac

SHA512
caa2cf59e5376084e3cb904a1d11e7f456d54a0185e172cb2f0f1ddbad3cf32c2b5789d0c110405a7829a746959bc618cc1d3a0f855e00a5a20dfc749bdc04d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQcIAUwI.bat

Filesize
4B

MD5
477aa2b6968af8cb4e8c5d8cd690dc11

SHA1
3bb409c0400abdbdb98d15ad953626f5ce91ef08

SHA256
22755c7ee5330a01aba761a2f4fc719b239d546b881ef8704323922344dda19f

SHA512
499414e0faf21cac667345c0a9d0424e34558219561ea929def98e69b65b0c3120bf7fb3eed88f6c4564e89c93496e9b8f053e34cb03f6ba9ab4ba86f2fd9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUUwQUYM.bat

Filesize
4B

MD5
5cba8782ad3311fe0085ca96989771d7

SHA1
cc1f0cfd22b0463a6c0a27b157aaaa906c95db38

SHA256
458cc7f23f2ee9d6208e15e887dc4518a2e5018b62121bee6f92101f6ba214cc

SHA512
a640041a0520121d9047fb31a525c8d8e7272ab7c9e77b6f5c5d4c90b888148053b693f3c58b5fd22f995ae1cdeb7698da78d6064289abd118d45a6127b57f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIy.exe

Filesize
157KB

MD5
56ef5f6ec39c983376340d9e7d016dc9

SHA1
b9f90e109d7efb1b972739e35f79377370803455

SHA256
3e835620b7b69049446bdc50f170159f55e0e75cf7a5843dc8c08cb33c6edeb1

SHA512
c6067ac4ca1ba0d60bc77357314b7fc564ff19fc1b8d3588ca9872e680eda00d1d4a0eb26ac3b966a4085fb0f1be79c691a6d59ac4297863fccb78cd67bf27a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwc.exe

Filesize
158KB

MD5
9487720f0e6b4a612b363790119afba8

SHA1
36efa6e1ac33eef78dc8a20a18d286d473e3a339

SHA256
f81095db0b6e6f81a60657a75fb55e4ed914932071b1ac60d787d670471e3c25

SHA512
e8305772ea74fbd49216c09f4c8d63277cf4e84b8392f60767ad3cc739b1abbc52d71f6a2cc0bcc63491fad88cfb09a2ce53a14135d5a847c1d6c2f8d9022df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\keYoQQoE.bat

Filesize
4B

MD5
50c30d67cb8d63520211974c84415c85

SHA1
6356ac90e38e4fe43e724ad2789a702617883ab3

SHA256
c76ed241fb4dcdd92e7c741b6aefe612a7c470340128b013bb946d38fc03a80f

SHA512
f004dba581f470646571cab0694efdbeeaf3c3dacae4acc7005e45856c614c89cda8f9f9b5c8216e4d5300635fb4b0e523a78a8be8d6988c860092a4545de282

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksUo.exe

Filesize
149KB

MD5
8c1f4732700f4a78fcc859dc1cc83848

SHA1
7ddfe86eb5eb9582ae5ec01fd260447855925455

SHA256
58699a14b974165189b81742387fa288015136bf419d33ef0b1328aeb982f248

SHA512
cf1a58c284943fa1312d33cde32e8e252cbd053be33fe04b0494132caf3c13b199370faaab5b0a31185d03f698e80ac9025eabfcafc6e7b79d07967d4d44f4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAsO.exe

Filesize
158KB

MD5
f11ae34573ed88c5ab7c87a4893e10cd

SHA1
61db104a4f7b05b82c1c86d2466bc3a4ac1b3904

SHA256
79d28536b78deddbd408669e9adc856931b1d9dca016dfe03369430beeebadd2

SHA512
bacdfeca88db7f3cb54cf16ebf9130a7f248680c2b263c89aab8ba744865dce2e0b16abdd6ba490947314ebb2cabdadec7dd6838017b777f3445b7ab3e50179c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQYG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkoowYEw.bat

Filesize
4B

MD5
0668f1bce02f52a497c7b5c36f046821

SHA1
a162cedc9a4222777469c896c98fc4c41f10d499

SHA256
292c58bd61e133439471d2818b17cfe0d04ade51ebdc3899d6d9896a0c60cec3

SHA512
3e40fe231c76fb0de25c3bc71b7efc7d0aa45808cd962c0081782e2feceb90cf87a58ad29fb54077eeea2b7f53aa8823071ee0be52daae9227ff8b6a04d6c70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWAAYMIc.bat

Filesize
4B

MD5
e54f753f88c87aea7b3f79d8f7fead33

SHA1
038ce669f6d749c70ae41e3e33d537c0e2aeba1c

SHA256
488527e9f8fec9a8832acbe862e5e976dde73d443eb13f59b17bd09028c98260

SHA512
80d5e35a6766756a78ab8ff3a4f20f0d1656adef274a2f650e0a4286db987384776adf81f4182b614d2c75a79f740b44732af8328f036422794c9f6172b79ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkgwAUsA.bat

Filesize
4B

MD5
d652b6c7fbe39dbc3687b3dd88825325

SHA1
b6bfad365fc70ea353b5f00546aabe82fbd93443

SHA256
5efa57b84a3bccdd2015955108b1499ebe80b4acf1211ad615c70387c4c170fc

SHA512
119f3e380161af1eb30440cf00b5ba9f175799c3b5878a414509e8c5f7392c8e18d98b7e3f13f65bb62d795f252e59e351e5e2ede869441a45bba23f5f23f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIko.exe

Filesize
968KB

MD5
49fb5fa4e8e384b001b2abe69708d767

SHA1
656f3979b0a10a9947438a72a5290d32da375bb9

SHA256
2310ecf3072f6b27a748a29f188d8dc827844f086c42a3d372153b70f5ac97ea

SHA512
e8282c7d10aee4ca598c726c721bafc59481ea2de693f8549496ca53a9698aae530dc524411e3922d4ac2e9ae3159c7e0163f967240c36db24043b238cf20b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYou.exe

Filesize
237KB

MD5
270cae50648e645522b5d6ba9c5177e7

SHA1
73b65de13a259cc661b0d9e755d707eec5114b8d

SHA256
7cf281127fca05e166b1dc17e603c1a00ecc7bdab60c496db53b9eb7ae95d1f0

SHA512
672a7287ed4cd69a1a31ce10d6bd195225e4cd5cef4dee8c99963805258b26072f10db230a30f9103acb59d31fa19cc67f13f15bffd646aa146bc721e835afd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooEIQEok.bat

Filesize
4B

MD5
3965cde9c7e1bacc954b65f68ade99c7

SHA1
d5da517d0d1b3e37045c8acd6743899784425837

SHA256
7e99a02366148721a027598d8c2bbb79c6f379bfeaf2a25ec8df281f477d7bd3

SHA512
8dab18f810294c503873779029010d3ab80521a4dbe197ea3fedd9f8c724ae4bfc7e7f156aa9e284c41a46bfeb3ebbd4e1802290c7a5bcf0a160252b67a6d889

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUU.exe

Filesize
716KB

MD5
92e58962a5c4dadf9a69e99ea91f2e9b

SHA1
33e44eecc63272d5a1a3aa479d1f1f3adaee7dfa

SHA256
584b4364a3cc7e1590fad30c2ddeabefbb094ce8c5d356482c43d5e0334698ec

SHA512
582c81453b7ad774b0546fc51454e4c497db67cfa02e28a1eec371fab9ffdea955c3906693e2ae1c27a7a0b19b3b24c6573e852803442fbdbec33aacf11e5a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\owsw.exe

Filesize
158KB

MD5
8b0b74223444cbaf823a3fe570a0a401

SHA1
cfb8512c70d9a5ee376e8fad842343ddaa7b24eb

SHA256
5f3df22678061bb6befaf1819ff4b13d10f43ff1d199c900c8be2e8dcbf6754c

SHA512
e83292fa8a39e404cf8a11cc07f9585a9a40d721f429eab820876d8ad837697203bf3c167d67d368cb47a89397d8a520f615e50bfc1f5202f8cb364a2d964890

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCcsMwUg.bat

Filesize
4B

MD5
165f3adee14110f98025b207b09ad60d

SHA1
10f619d4428229f3592cf925241f77aa4cf911b0

SHA256
0af14f08bd895c060f84b0a6c02014e582d4e66dfd98c786b9f1efa898af63e8

SHA512
66a67b3ddae65545a4841f9d9011d4eab995cc4ceeb7e5da3653558af6cb72141e98d8df92661172500c6381453e19ad2d6e8dc70eec00ffd7450baa41f50860

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsw.exe

Filesize
159KB

MD5
e0aa4925965c34dff387953123957a07

SHA1
04a5e4c5107ca1d1fbcc9f9fc085c95a1eea9de4

SHA256
7db0d7a7164c977f0acf50a75e54a810052d86a37e76df73bdd427669d5f8434

SHA512
bf3fe5934fd83ecc418133a07cd14b41de4e7e5cd7f1bd2b8a4df9c9731b8439908b9a29cf171eb1ddae57d19971870d58e4b4029318bd75c22151c9fb74f36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGUMAcgU.bat

Filesize
4B

MD5
e85562c5fba078cceda016ff734426f9

SHA1
28952b8a2a86578584e0fc35e8c7f02beb7157d5

SHA256
ba9150cbbbf87551f11211538b44aecb6d001a66f002231ac303f7b104fe83ca

SHA512
fffec677494cfe8b866e02081dfac5794ab92a02e3a3fa69e2a82a4b981326ce45fc48c18512de93e68e8b6ace5f2cd3efd1fd6f803f42478353f9488aed1c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKMMssoQ.bat

Filesize
4B

MD5
e72d1e4cbbfaaaa6f16066fc634265f8

SHA1
799c896a0e4e2367d95c90ef5099748d71ecf9d9

SHA256
dbb4b626048f7579421e954de82bb6d517ded69f34b6683b8d635b812b080968

SHA512
df2c39c700ac76af4850cf9ade154a4648c1a97bc92d386357bd0eb037bb6a0e658a5a5bab1f2c669d01390edc311deebc5a5460ae4e147b672371f4783ccc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMC.exe

Filesize
160KB

MD5
b4fa6189c61bc641ad8705bf3846edd5

SHA1
af3728f8590e73debf44051ff17ed79fba8688f4

SHA256
e71c341ed6502d249de28cfb191ff160017b998ed756bd80a5e34fd93151bea8

SHA512
6354cad2f99317b6f1df990f8e58d14cd77f6b38332a725eed45eae1b3fa986eefdddf2cdee219b51c9721ff3d7bf000237de35af1ccc8cce71751cbf320d708

Download Submit
C:\Users\Admin\AppData\Local\Temp\soso.exe

Filesize
159KB

MD5
774b6496ac5e4dddeb2693a84c95bc05

SHA1
ba1d2229c708dbd2dec38f305a17f2a3a79e003e

SHA256
c44cfc14a81f9b758eb6f3cac9823a2c7b3fbf323cc1b0e1eb8a52b28d9f0cd2

SHA512
a8f5d11dc26815991282ebd7f43963a52a8e64f1be43327c2196f2074af03df355e36aa6aa58f5e8be279346621a916b2f0da387cc4db1a91a43875a9cdeec3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMQAswwA.bat

Filesize
4B

MD5
7e4319ff041dd8bc5beaa3b31135b7d4

SHA1
302433d7b31820f8e8a22a9372263f24b74f9419

SHA256
c37722cb2cd1e9adb197fb752519e36c84d0e89a2953026391f1a6ca5efead32

SHA512
a3ed0046d3a25d322e3343cbf2c622128c091e6ad0d0db505c92d3ed4400ef0be8a577c929f894ed2385554b65801a82b8b1e40c1d7fe11da848d111404ece6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOoUgUwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqIswEII.bat

Filesize
4B

MD5
2c6335fbe23fed4fb1ed50f13daca9f7

SHA1
184c13557cdf494c4d76c10a19205b440bf8f0f1

SHA256
7b11e184c329effd084b798009cca340af72afecb1f71904a2006b8b8e977ecf

SHA512
e75934f544abe344eb8dabc6c3c5d75a3f57df03e99db772d3c688ef210dc09bba508131bcc5807fe31b3f3ecafcf2453f5830e047923bc9d1add33f76565061

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIoS.exe

Filesize
158KB

MD5
92b9eac86050c410131fe7b88c57763b

SHA1
7c6c4f36d5075444ddae5b5211ee6509b6997bb6

SHA256
0ba753c9c64a17ee5df894f1e8a4c0f263fd94c2064c183c7c7e80a3ceec9170

SHA512
e908405c35914193dae7a89633c75131bb1fdb55d48ba65de4de4a2800a060e4fdcf15d34aacb4982155ad01848b6a1c3a97331e63940d558f1976cf885abdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcQY.exe

Filesize
159KB

MD5
6c124ce1982ff07e56659f972206144f

SHA1
0f224c6bc9ec8bb44a5ec7a1f325ceb50bcc0b26

SHA256
3715ca885f432b534819e8a895af4ebe7561b4b94b615e23c48de2e14b075adc

SHA512
a1e814bd4aab4f55d9d22dc5cf87fc75e18893e317387106b23a690076d6960a3ecffccd2cdbf22c592e8cfc1dfab3ea21347ac0d2ab694e2144692fe0b033e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaAoAMwg.bat

Filesize
4B

MD5
6f5a6ebd84c5e41ae84be98bd86d0a82

SHA1
64f55b4ae3042a6e4ff2e589230bdf090367d712

SHA256
2644886ccc7637575f3e978458a2b570e44e23f8b744bb7996a2ba35667bf40b

SHA512
1af4155a4e0402f3027f33d9069b3021b712e7417c5ca30a0e45a0aeadb6dabd6c79bb38fda612380757530169f8ba584463d9ded3981c9e1d6df41e012452bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyogMcwE.bat

Filesize
4B

MD5
6213ad5ad414ce53d48063a10410022a

SHA1
428966d7419453a92ca140fef25ff32a29b2107e

SHA256
ef0016caa8f6d6845308b2ad6594db4df83fd9b7885094de62331281f46bcc41

SHA512
d36b15e8f76feab11e92332467513a1794844376213da2202d1cf063d4d44d0ee27a1f561734b80c164f5badb0ae1134b7caa5bf420b32367ccf628ca5534ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySEswEMs.bat

Filesize
4B

MD5
dcbded3ef5f1d057b50a446813f828e0

SHA1
3c2d8dab6e19708d47c4d48e6b0d5a1127d7d15f

SHA256
116a83bfecb4858cf63e71124c7481350a9a7d7918f421a9602ed368a11510c2

SHA512
04661eeaf121a4fa55eb6df8ca61dd02adca5b1baef6633c83351f5dcceecb9f08c7a7840d0786e0886ae1eb81d9cea073639582a836694724a699a30ca84bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYos.exe

Filesize
157KB

MD5
7ddf73e652d1ada6f820dcfa00f0dc51

SHA1
888fbf8a8bf1610eff79d24d32ee7f041937c4f1

SHA256
50629cac02704a0c69fe846e5da9166a06934b93d7a40609019082cf321bd8f4

SHA512
49e219623cce99d2d81b284e46b265b2619d0f9aa64726fb22e4276705324435acf709c96770a2c2b9fbc1b5347be0990693c354239db3483ed614da1aabf3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykwS.exe

Filesize
849KB

MD5
27d5d9230bca433e9b4f3cdafd52646a

SHA1
ffbcd264a7fca713847c7f884f0e79477d5ef097

SHA256
9b2c45159ad9af449d32ab2342a335c5faf561040b7916be5051267d9bc8c4a9

SHA512
641ff444bcd16fcbb2c8cbbb7af4ba01d0de8293dce61b65bf09b84ddb786f11605261d5962e47800f18d47a1cae5295ca2c87df324c3e81f76adf65a92ecdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUm.exe

Filesize
159KB

MD5
9f80d51fb631dc5a40f3ba57f8e57476

SHA1
f2ac7d71b51ab64f7285ed61eb58f618be9be7f4

SHA256
fdd3ea1c326657a80dc1b9559f63a377b70763b99e05b32de4b0297a3aac2455

SHA512
2e65f05ac699f785da5a53ace4c7af4f1ebb175ce7faa93579a48129eba6427a5469dce67094fcb96732cc4100ae38581cc229bc1174d73abfce986d4589f732

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmQAskUk.bat

Filesize
4B

MD5
144186a134f3777216388556c229b80a

SHA1
ff686c74b0e2669c90b37303e34b81862225381e

SHA256
2afb32ba871fb4e154bded800d2e3ba4c2374c260eb5691dc83260e17d99d00d

SHA512
c47c51224a5b6dd9cf10382528d8453dd1bc50902286b77a47862f4e685a7844fec915e2ff35e41246e25b8b4633b2bcbd869b9ff17f1a28b4a146e9ef93576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyEgYIMU.bat

Filesize
4B

MD5
bde69b5b9356165945e30897eb8cd688

SHA1
0fd9741320dbc35d7deff6c1640cf4bbb0b769c7

SHA256
72ddcaf977b9ab380922b0418a6cbc6537231278dd1cc942d7ddfb5fa88e22e5

SHA512
f3a949d76cf94f763284ec06fb2899d8476cd8bed8f7fd3c009a9daab75675d1dfe4f9a14499c7ffcc38768405c0959271f6375d0b52ed3ff1698837422f195b

Download Submit
C:\Users\Admin\AppData\Roaming\TraceConvert.jpg.exe

Filesize
482KB

MD5
4eba362cc226f517057ede6857996921

SHA1
556c0e1b5ab72c998410832000bd832d77dcb041

SHA256
a65ce5497b3395e6a3882c713f0776dda93a4b2b5d0897be7e9c8fc9ac91743e

SHA512
7981d4b9279e886286e86065a64621c4e0d8ba5c86fd5e5352b8df8cf335db6b89c287b5a9ad8d3b15677db913e5bf4587b8699877d9d33149904754796a0745

Download Submit
C:\Users\Admin\AppData\Roaming\WaitRedo.pdf.exe

Filesize
620KB

MD5
37de11399bbb33864cfbbc8029fbfced

SHA1
1886697326cdde481ecf0b769aab43bd7c185cf2

SHA256
1ce3de9d0470f7f5e2cd206004717566428aba7b2f87d668cef957af32fd4f03

SHA512
3384376260aa28cd8b77d7cfd754a97e29007819714fc40178644bad220d20c9f7aa83ccbd03279d48cddc5a755e62ed2c2f7fe0633c4f3bc50ba75c36b27841

Download Submit
C:\Users\Admin\Music\ClearUnprotect.wma.exe

Filesize
306KB

MD5
72743b93b18cee64615e69e7de95ec0f

SHA1
797986c65bcf81e8ce33846c57225b3a4c645256

SHA256
42d9d5a76f5bc6814933a3c332c0d701b9f7006e48988d41d72052c481f578d3

SHA512
09012ba7ddad0daddf7d1725ccebaa6aad45439c31f5836dca02710af341bb4487dfd30498b8d5326c9260a709a0c2d2135566921eb97ca5c4ea4c44199f9bcd

Download Submit
C:\Users\Admin\Pictures\UseConvertTo.png.exe

Filesize
464KB

MD5
5b70be17f2a36aea2b8eaaa712d26598

SHA1
539da5094902b46e31dc37fe2bf42cfbc7414fc1

SHA256
b131db60e058ea9d7b5026d2019080ce16b3a60ee9832e970fb4cdd521dbdac5

SHA512
227b8be302b8eb2b21cf82ebb859e3272a439f3008cc157f22fafce7c48cd0c464f5474640f6dc0281b6db7b1f5a99d8f9908962a209003a7f6a8e2fd6428372

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

Filesize
3.0MB

MD5
b32ad29f28a5568b066a4e4db3daa7ed

SHA1
b1dc51b165e0e3b56146c859f129c52b3f2259a8

SHA256
fed44439f2e393185fb77df6750a1cc80bd019d3afe87083a311f65a01503677

SHA512
391698f934c9a44b15f46de1eb919ae5da59003c6ca36d3c0be1edbb4a95ea30269ca8d418bd4f6747c978f36722dbb3fe41bfed418db337170988cda053c919

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

Filesize
3.8MB

MD5
f182947b4cec036b334a517f26fa40bb

SHA1
bdfeb4e04348d8d3ec8fb013e63a23c332301894

SHA256
5f44b44ad9c5b3f8644a4db10504d7aab853be7ba3c19ca3b15fb221aa3a1ff5

SHA512
582983dc766a0bf9d953a421d810f02703b2665f89e281d12915707196a6b82922e1bf283b91beaaf506d06b717a288e25b2708730bf13ca01e8882bf9c3ed50

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\TqkgIIYA\jOEkosQE.exe

Filesize
110KB

MD5
84957101615d42a1c580565015c8f991

SHA1
3ace59815b0d24868c2e91618bc0a86cc9c801b9

SHA256
3d0435aa54d2234cc63240ba616ded0df20d5d9df60658f42b5bfb16cbf68eea

SHA512
aaefb98ab1d1b40f93ed276cb09f1473506bb355a207ed5c8f0f2d784fb4b626b2e1a15fab6d09d4a15f654c9978625ac9894333b9c5dff327a78505279feb19

Download Submit
memory/480-244-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/480-245-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/900-268-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/1048-412-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/1056-398-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1108-128-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1196-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-364-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/1532-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-151-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1724-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-221-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1792-388-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1792-389-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1940-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-26-0x00000000003C0000-0x00000000003DD000-memory.dmp

Filesize
116KB

Download
memory/2416-5-0x00000000003C0000-0x00000000003DD000-memory.dmp

Filesize
116KB

Download
memory/2416-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-31-0x00000000003C0000-0x00000000003DD000-memory.dmp

Filesize
116KB

Download
memory/2416-13-0x00000000003C0000-0x00000000003DD000-memory.dmp

Filesize
116KB

Download
memory/2492-351-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2496-57-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2496-58-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2604-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2612-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2612-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2656-34-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/2656-35-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/2676-174-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/2740-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-374-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-342-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-198-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2756-197-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2784-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-340-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/2820-341-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/2832-365-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2832-397-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2880-105-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2928-291-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2928-292-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2980-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3044-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download