da00aaff8dca2b61281a2333efdb112b32ebb2262cdd3aaf161e8c845e523569

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 01:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
Size

119KB
MD5

3fef4e434a2b45541e882a41ea7e4a47
SHA1

79725b3df9f1858b117aff859ef8ac5c36d73968
SHA256

da00aaff8dca2b61281a2333efdb112b32ebb2262cdd3aaf161e8c845e523569
SHA512

93a9c5fc7217c25354ebcfa5c02e2e004055ea66c76ad1378426c54e08b66af3a721f4a7c525dcd3d99ea0da4f3d2557027a45ef3221b60aa322d3516ba46c65
SSDEEP

3072:wX5np3fMjagSRv2KJPwUDS7+ZlsogJ/WHUHv:W3UjbSjJqJ/kY

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 56 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 56 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\International\Geo\Nation	lMIUkkUI.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	lMIUkkUI.exe
2644	sAkcEgYU.exe

Loads dropped DLL 20 IoCs

pid	Process
2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\lMIUkkUI.exe = "C:\\Users\\Admin\\WaQoUAMk\\lMIUkkUI.exe"	lMIUkkUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sAkcEgYU.exe = "C:\\ProgramData\\kCUMYMIk\\sAkcEgYU.exe"	sAkcEgYU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\lMIUkkUI.exe = "C:\\Users\\Admin\\WaQoUAMk\\lMIUkkUI.exe"	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sAkcEgYU.exe = "C:\\ProgramData\\kCUMYMIk\\sAkcEgYU.exe"	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	lMIUkkUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
692	reg.exe
2352	reg.exe
852	reg.exe
2836	reg.exe
1828	reg.exe
1328	reg.exe
2968	reg.exe
2520	reg.exe
700	reg.exe
1528	reg.exe
852	reg.exe
2532	reg.exe
2352	reg.exe
772	reg.exe
2372	reg.exe
2176	reg.exe
824	reg.exe
548	reg.exe
1740	reg.exe
2024	reg.exe
2600	reg.exe
2440	reg.exe
2688	reg.exe
2616	reg.exe
3048	reg.exe
2492	reg.exe
1784	reg.exe
3012	reg.exe
588	reg.exe
3012	reg.exe
2664	reg.exe
1516	reg.exe
2728	reg.exe
1324	reg.exe
2988	reg.exe
1956	reg.exe
2628	reg.exe
2624	reg.exe
2608	reg.exe
1272	reg.exe
1648	reg.exe
1612	reg.exe
2356	reg.exe
2448	reg.exe
1652	reg.exe
268	reg.exe
2316	reg.exe
2100	reg.exe
1968	reg.exe
2328	reg.exe
440	reg.exe
1972	reg.exe
2432	reg.exe
2736	reg.exe
1280	reg.exe
2832	reg.exe
2276	reg.exe
592	reg.exe
2824	reg.exe
1396	reg.exe
2448	reg.exe
2468	reg.exe
2168	reg.exe
2580	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2760	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2760	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
564	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
564	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2616	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2616	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1648	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1648	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1836	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1836	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2680	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2680	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1856	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1856	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2672	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2672	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1868	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1868	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1372	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1372	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1688	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1688	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2636	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2636	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1092	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1092	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2116	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2116	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1796	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1796	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2512	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2512	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2208	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2208	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2216	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2216	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2256	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2256	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2600	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2600	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
3056	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
3056	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1992	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1992	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
984	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
984	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1552	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1552	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2560	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2560	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1688	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
1688	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
440	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
440	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2636	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
2636	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
572	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
572	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2964	lMIUkkUI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe
2964	lMIUkkUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2964	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	28
PID 2728 wrote to memory of 2964	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	28
PID 2728 wrote to memory of 2964	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	28
PID 2728 wrote to memory of 2964	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	28
PID 2728 wrote to memory of 2644	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	29
PID 2728 wrote to memory of 2644	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	29
PID 2728 wrote to memory of 2644	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	29
PID 2728 wrote to memory of 2644	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	29
PID 2728 wrote to memory of 2720	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	30
PID 2728 wrote to memory of 2720	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	30
PID 2728 wrote to memory of 2720	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	30
PID 2728 wrote to memory of 2720	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	30
PID 2720 wrote to memory of 2924	2720	cmd.exe	33
PID 2720 wrote to memory of 2924	2720	cmd.exe	33
PID 2720 wrote to memory of 2924	2720	cmd.exe	33
PID 2720 wrote to memory of 2924	2720	cmd.exe	33
PID 2728 wrote to memory of 2664	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	32
PID 2728 wrote to memory of 2664	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	32
PID 2728 wrote to memory of 2664	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	32
PID 2728 wrote to memory of 2664	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	32
PID 2728 wrote to memory of 2668	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	34
PID 2728 wrote to memory of 2668	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	34
PID 2728 wrote to memory of 2668	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	34
PID 2728 wrote to memory of 2668	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	34
PID 2728 wrote to memory of 2628	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	35
PID 2728 wrote to memory of 2628	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	35
PID 2728 wrote to memory of 2628	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	35
PID 2728 wrote to memory of 2628	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	35
PID 2728 wrote to memory of 2436	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	36
PID 2728 wrote to memory of 2436	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	36
PID 2728 wrote to memory of 2436	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	36
PID 2728 wrote to memory of 2436	2728	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	36
PID 2924 wrote to memory of 1664	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	41
PID 2924 wrote to memory of 1664	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	41
PID 2924 wrote to memory of 1664	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	41
PID 2924 wrote to memory of 1664	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	41
PID 1664 wrote to memory of 2760	1664	cmd.exe	43
PID 1664 wrote to memory of 2760	1664	cmd.exe	43
PID 1664 wrote to memory of 2760	1664	cmd.exe	43
PID 1664 wrote to memory of 2760	1664	cmd.exe	43
PID 2436 wrote to memory of 2764	2436	cmd.exe	44
PID 2436 wrote to memory of 2764	2436	cmd.exe	44
PID 2436 wrote to memory of 2764	2436	cmd.exe	44
PID 2436 wrote to memory of 2764	2436	cmd.exe	44
PID 2924 wrote to memory of 2784	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	45
PID 2924 wrote to memory of 2784	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	45
PID 2924 wrote to memory of 2784	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	45
PID 2924 wrote to memory of 2784	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	45
PID 2924 wrote to memory of 524	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	46
PID 2924 wrote to memory of 524	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	46
PID 2924 wrote to memory of 524	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	46
PID 2924 wrote to memory of 524	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	46
PID 2924 wrote to memory of 2736	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	47
PID 2924 wrote to memory of 2736	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	47
PID 2924 wrote to memory of 2736	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	47
PID 2924 wrote to memory of 2736	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	47
PID 2924 wrote to memory of 468	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	49
PID 2924 wrote to memory of 468	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	49
PID 2924 wrote to memory of 468	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	49
PID 2924 wrote to memory of 468	2924	2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe	49
PID 468 wrote to memory of 1940	468	cmd.exe	53
PID 468 wrote to memory of 1940	468	cmd.exe	53
PID 468 wrote to memory of 1940	468	cmd.exe	53
PID 468 wrote to memory of 1940	468	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\WaQoUAMk\lMIUkkUI.exe
  "C:\Users\Admin\WaQoUAMk\lMIUkkUI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2964
- C:\ProgramData\kCUMYMIk\sAkcEgYU.exe
  "C:\ProgramData\kCUMYMIk\sAkcEgYU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        6⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        8⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        10⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        12⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        14⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        16⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        18⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        20⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        22⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        24⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        26⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        28⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        30⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        32⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        34⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        36⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        38⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        40⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        42⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        44⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        46⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        48⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        50⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        52⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        54⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        56⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        58⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        60⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        62⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        64⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        65⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        66⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        67⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        68⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        69⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        70⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        71⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        72⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        73⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        74⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        75⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        76⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        77⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        78⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        79⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        80⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        81⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        82⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        83⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        84⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        85⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        86⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        87⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        88⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        89⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        90⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        91⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        92⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        93⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        94⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        95⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        96⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        97⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        98⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        99⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        100⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        101⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        102⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        103⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        104⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        105⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        106⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        107⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        108⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        109⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock"
        110⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock
        111⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owwMgQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        110⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOccoAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        108⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KawEUYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        106⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oEwkYMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        104⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWIAQEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        102⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgIgIoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        100⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAIAwEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        98⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmksEUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        96⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKoMoUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        94⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkwcEUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        92⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgEIcscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        90⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwYwYscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        88⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaAogwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        86⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\byUgMgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        84⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgUEsEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        82⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUYkAYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        80⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMUAQMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        78⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkscYYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        76⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsoMcIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        74⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeIUIQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        72⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WogQQQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        70⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EqskEwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        68⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKwQYsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        66⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWMIUYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        64⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QiwoMwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        62⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmoUYwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        60⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iggQIckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        58⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KokgsAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        56⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOgMkEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        54⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGoAQssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        52⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqcAIYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        50⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YeIAYkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        48⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuwUQgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        46⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQEsQcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        44⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOkoccUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        42⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqwcEkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        40⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgEQYMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        38⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgkEoYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        36⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKggMcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        34⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUEsYIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        32⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGEEIEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        30⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkIkIcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        28⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUMUIIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        26⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LckAIMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        24⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeYYUQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        22⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOAIIscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        20⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCwEIIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        18⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMIYIwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        16⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROMsEUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        14⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygUAgQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        12⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEMcMsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeUwEgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        8⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2624
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2520
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2492
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeckcsIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
        6⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWkQUEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqAQskgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-694679986793192139-1464936601692034529625490459-713713059245377096-450084868"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1011461263-464922745772110223-1398270637-1818309719-50913951711095001231585097392"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-64850619-1927247870-7681146551948306322-14994509621865464565-869123304-1321781805"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1866557097-309227720-257947038-101831610814446828341633583495472700031741025118"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "393776846-1940380111-200556470-110740564910108648521331890894-11534087041271356431"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-843350573-6695211991835242015-268132885254249551115493427-288891171973583923"
1⤵
PID:608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "992642883-152014810726356459-369443566-660168800-214767697-1852737403648523617"
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1396640415-188364372711625996852052614580-303839102-6363004031084920572-8174675"
1⤵
PID:1280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1858462336-1222997814255821433-1007871547-29613791910225172012109935681-1576163456"
1⤵
PID:2576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12059843601448535331664279993504497956175210527115336165217550298891826206031"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14093542101060118444-2754705011988375990427181247-956460144-2071838640-428312572"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1661178039328808903-242571448-7949510981988912310-1216156933136904859-503156203"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16119684108037294381617291023-8194269431444008380-1012315290627905885-354788077"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1331179152650255139-1883334483-1788719827-9079556511537483723-319727649-88964269"
1⤵
PID:524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17691330-17182306961792307992861481646-1622212614758849671706610251365892911"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-942624922-19945969731030745158-1306721321-726987875103193413-450889029-694434521"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1403412257-140374361884908280247420428870033779-5264575671179131451-1186175106"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10934273871829550457525875774417605132-171305248215453695261265113055729866391"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-836550028124907673916041765331073203664-1593223042-18184918761784234030-1448211596"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2325468171440650056730145417-1569977626-98502343-691716372-988308294-267371067"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1959536544-628666748-1446821168214551821013933498852730824451947225362144431846"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1052280902208393264420144864511208024828-1657370147-592747987-919398073-873563489"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1670165739286968158-1863236835-1456090545-23795548215356932632073034772-879076938"
1⤵
PID:2060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8193370991779640077-232036624-48200302017445209182006308307-357592214-1281516304"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11237342221816918821125448037-3452619131324259208721093549-1167812129-1420110790"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6803291957204126161358684457531668316-223487598-902073579-7238297-1954860732"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1771004205-1483071512-11272927432081488625-21392427201069496372162569704-1719720282"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "836303403-209615705350759496-958022207-281328808-3721966161484762924-144935742"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1009730224-185162101215949727841926208266-1971783979179761728915627461041217249848"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "977545525-1823072904304432794-162351297519507717491302978149292861660-1225184057"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1407479197-1854617135766579226195466557-10011869520396437373807003-1803073806"
1⤵
PID:584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1157965718-561674430-94002067119204520251632252625-68303263916234391381748122337"
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1315437238-48497039-1369772722-47130414113357613642521918811791884833-238414432"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "328245358-217986331164899408-277653460-1648556201-153963915319085349971057474183"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21129811451768478894-1303843589-208053422228284281849768677546036106-1281945750"
1⤵
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2916338791417058271-740203944-839977664207655192182107918720372281681059874915"
1⤵
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-567891011-17861650711511789681-990352511637780407717839036-1746497990-123630740"
1⤵
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1383961499-14226749831635023182-3142991086422125771983672463-1532889210648044229"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1563920985438024277-2053607259100542286-1631325596-1176592845-717139753-1259763462"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "796867326-1326852451563699011-1171572475-1305203624-72348011-1416599662917009113"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6847394621675216871-474378653114368391768358858-7211967131314319413-1902359552"
1⤵
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-362030528135404023714361949871332564545-182918895-1875821882-2017737601-577290389"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1592310786-1735643644-1021301461512192383-1523426377-1133753757-441870524-154938056"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-302248153525659534825470125-639145021-332436601223488229625439298356963853"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-961977278-4068875641646069509386624589245190473-595218632-1353631194-548998010"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "204713104312815695616932489019207781131734614710700541795593008707-1571733264"
1⤵
PID:528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1210303496806605440-163680136018978558812065277793-810738758679198351-129401966"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "422802286213736185312514698751313337563-1448925728347372412-11138721781486590107"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-398109482-8862893731467572989-2538252691752278487552271233-17203455781152150809"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "645489756442028761790205189174969741-136186927-340376245169533966-1177846383"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13503296901914459534-1671673886-19692615702089505445-38201996-17442172981356785381"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1955418522-181306005628112996509746805-298284432241964458-1283309986-1178627493"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3870241622120313484-729709266-1871961525-651379425-629463057-1985408989975382238"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "300605389-1932735168575901985-14083013111884239594-1986581820-16624804441294792857"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1634907608-1829048201742133589-2102852725-1889932300-6836170661878392981-683593621"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4361255602441833081530787193396181664820373649-638982586-9388669951177956039"
1⤵
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1853579101306023859-1338015531861947803-1726109463-18865362321910744471106503843"
1⤵
PID:912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "123965547212546556882017194386-1060117875397803138-383599388-1070307000357543662"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "786230885203054996514271885610516523-1311314544-4583302362952732181283255678"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-497352647491599409-173977283718130541802009758457-560535305-1793294811-1525537547"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-507798384-1252990716-7365607901314003395-1927957829194662246016375777431821062070"
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1317522747-1551843509-772822286282400891547423721-5051912111529545640-1445475224"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2070663132-140667202410286169201992670102-12565790511278395389-1214256678-2130765482"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-819108651858278169593590505-1681979129-779728977-171824141615221151111270238784"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-708038141-493677438-8214331292033615097-5063369472068556486306314975-1325776012"
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
163KB

MD5
bb4fd57fd2abf19c1544efc5f7a44255

SHA1
95f3048a0a4fc7e616889591088fab88d5a72c51

SHA256
8186ed313db327b21cba14612e5b31fd1ebb17b23b6d89945163dff1dabe157c

SHA512
0b3af7a8362a7b7988cc35ae93974a62e2e17426cd2749dfe41350afb9c1ef121a52e67bd8f2e09eb6b4853fbbe23cc9aea2e27175e3b10a615ab422d0aa3dcf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
163KB

MD5
85774d925da7ae3a1430897afcf768c6

SHA1
a4802c90ed49973b0ec8275966f661bac2d6ae4f

SHA256
60d5dd685f77512428d53a1a7c426771d54f56c9d173c771be16959bff342137

SHA512
f9c237c161353a541630022eedb3cdcf5343bd101ac71ba0fb08361dbd0b2615a428eb082e305150fe1fc0b204a5d9992bc3a919fda94e288f4650eb6c721bde

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
163KB

MD5
cd6a30c1100cbd94b35e15013afe359b

SHA1
0c94ef4bb7b9c23444d43b0cd0cfd44ae47a8ecc

SHA256
031bc98e4e43b19d3b4470c37e0e7508f565c6f7a5edef678d77b197e4422d9f

SHA512
1a30142f7c9f9da99b762ea5ac675ca04a34bc76fba4db74408c8bc12de55ccf5bfb02809f74971260525534681dd531747f171d53f865a6f2b74be7d32ae842

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
159KB

MD5
598059ed4033c7910e28b14252d5b75f

SHA1
39e34492eaed99a6a180a9587f8ac991553a25e2

SHA256
fa67a0c42382f652bae7f3974117bf8e68af5a7a5fd2aa862dee7bc940ceaf14

SHA512
9014b6511316db7a95173045c21f99c8d9818310be5e11c26e7bbff75b1b8ef2d6e151e80c6391675a7b751f2f848941f4e81a574c89092517bf4bdd39754217

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
162KB

MD5
36e357b5b1ddd202038bfe54bb6e15a2

SHA1
5966369b34e6ff686ce291cabef681452e61538d

SHA256
1e9a5b560765f480814f38ee25e5573d9eedb51a05d71e117809221340b8911a

SHA512
a88f6746e5fc8680e1302ab932cf6f2e3089a84c728dd361eb02a0ee586c66e91d8cbb675d123b49e59397614df3c8a4805a6f8cbddbc30f55160ae60d7126ba

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
159KB

MD5
e596b2f5ab0753b9e1354a2c336c5190

SHA1
ee89c96b8d2fc059489746a81e39d008348c415d

SHA256
7018c99f968e778c83a9002c01c72b7422e9284d2049d09ab6dac0a15285643c

SHA512
397df2d399a6c03262dbe501e260efd2ff31cf03f5d032746a8037a0d8eb33d3270c62deb57c38c05aac968332e436460e44c915ecf633a194178fcd95bcf464

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
158KB

MD5
672a501dc371bc4590c52965caa89c2d

SHA1
904d8d21b6e6362ab144761931a3a8e962dd0f59

SHA256
529b91ac61a3f7593e409cf24d4c777a600fc276361e6577b0f2abf6986a7295

SHA512
aeb9fd7d96ebed13cd77bef21b26fc7b92ceb40d9bfb8071cb0b0a979a23fbc00f6ed13a9c5e5a52fb19f6addda7a2062c742f5b34dc0b8adc030b7c16e275f5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
158KB

MD5
8d182bcbc3e421814c4bed8482c666f4

SHA1
f930e33324172f4aec8f5fca2007a611de720911

SHA256
009bacbf587de3b9c06297f0b09cc6af0163baa63c4ad36e3e6079c7193c86e0

SHA512
834a3af9bf735201cf181c1d6818a0f2a296c42670b76f82a2a872575eb942e775b6973f846d4044620078ce204333822d5d97f3c23ffed58aaa1bb8f042ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-08_3fef4e434a2b45541e882a41ea7e4a47_virlock

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUW.exe

Filesize
423KB

MD5
16aa87bdc73fea08ad2d728170513078

SHA1
d831c0bd1eecf4926895a0af6442862ef2ed4e02

SHA256
6b9c93f225fa190247e0365ea4ab88353072204b44a2b5e5445ab9f0a3ae03fc

SHA512
51c6c6e0445e5927bcd9ce3777b68a5728f3b32c51caf1fc8270d8441fd8fa1d9948118301622edb43036bb3d29e7b725af45943aa1a5ad4713eaf45fec6ff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsII.exe

Filesize
158KB

MD5
82dff2e87479e41416639de4a2ec7467

SHA1
4d1eff8b98dfe77a18d4d65cf2405af1841ea5c0

SHA256
3262c8de4828b5c47d982054d099a3ce8684b61212c1a9b9462f52b379933634

SHA512
d5e1a5050821e755601fceff49f80a1a94f583016b66a5e9bce18b4bd583335ce635e32f3e9fc2098666133970915ef2df3e1faddfb2d700844d576007c3d876

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGwAcMgY.bat

Filesize
4B

MD5
b3e2a6eeb85b604fb592f20aeda5df40

SHA1
18e4fad15ebd9711dcab17f7e50ff0294506d7ba

SHA256
d43b481fcec68692c7cb90cb7d629d0da687b87f66c3e9f4c0cb8c4219e2d500

SHA512
126a53cf2f03c4205cf9b2b1e121a54172ea56f4915d6bf2ccf36305803dbe3a25599689ad9b0376ebb6c8617616309611ba90516a02abc84f602bcf067da68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIQIsMYo.bat

Filesize
4B

MD5
1759f8d30c85538d757aee3292df34d1

SHA1
53893ed5e38277222e787479fef6cf9418ef552b

SHA256
c985a79d2ce0a0a5e389bd5bcf7581b9b16265c399ec9aacfa1dc74303335641

SHA512
4c469ad3684a0b4d55bef0507572d73fdfe0e1a7c8608d0bf9b89715051e79fafc36ab263c7b689d20c397a100f6c5f2254484ebb494e883263d603eec669b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUUQ.exe

Filesize
3.3MB

MD5
19e53b2e9b07aa2998a9012bbe6e8c9a

SHA1
8cfda0d787c8e57954b24e8cbf7586f73107248b

SHA256
39d838c0a1d3e0157a9fd9e313939c0889f4ff216b9b08a907d9a19bb1fcefed

SHA512
71346e8dcd70779d1056eb63bcc08cd27e24bd9fef1b9d600b5bcc4a891897c27f341463cf273fdfb3fc64bec78f2c085f54188c0eb7758faa8460cdbfde143f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwoG.exe

Filesize
160KB

MD5
52e84643b11a4d857fad4bfcfd092872

SHA1
249ac69e4d6415ffe16e89084ba3f87dc68504f8

SHA256
62a863c9e13c89690691e009ef073d99cdb084933b491aca2bcd35bee42cfe71

SHA512
a0fba22e7257bf542bb6b74e03c64e17fed7875c3b7bffde3a6b9d2e802a190ee4d020c43dc7735094356b3ee1ef6896b9c30b3565569056c6d6e3177c59e4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAAwAkkI.bat

Filesize
4B

MD5
35f479fc5b541504daa5cf1c0f0f737c

SHA1
5817db554e1a90a4761615cb3e34b35d05abc521

SHA256
668e6ac62df70fa5c4ba702f1de6890f9c405659934c8616594f15f1f4bd7678

SHA512
d9d350084a5613658b088a320332a57a12900da934bd0d7616e97caeefb957544fa7b0dd360480ecabb8aa0a9e7970dfd0013a7084e102e94f73232d93540b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqAQskgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIIS.exe

Filesize
159KB

MD5
9e5a8eff67b0e5c6a53534c3130e42d4

SHA1
6c5d6b5638acc51c90c89dd2b5476e324c30e891

SHA256
1e8dce0a2cf7ab608df937fce29ba6517aeec6014062ad7bfe7685963a14c2eb

SHA512
e94912140c5430a4fcf5799760bd55921a71ddcba4864b8a8dbd64b05d99dea06d2dc7f99449fd2dc2d0fdc12e394e00a04dd894171b9f5342a5fadc439ab424

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSIwcokU.bat

Filesize
4B

MD5
d57587c369db53a29c9eb162f1e70304

SHA1
ea8c3e5a0dd6ef2a73e7368668dfb535e6428286

SHA256
e493d49b6aeef79f5ce5a54d50297893fbef8e843e60e3ef4d1e4afb73503827

SHA512
58fecadb5fe2fcd65fa566c66c071c8a887ed7e6be45c76079d52c94ef13206577a426189b34f5dcf1ed60d16139fdbc35dbe550a7c4c77f12f34807f0f91944

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaoIkkoA.bat

Filesize
4B

MD5
d2943d1453e38000053041036b060b88

SHA1
4393e6ec6d9f703189dbf37bb1b4cb4914f2e2e1

SHA256
3877d6191ae2a4de97f2523a97e6f1cc8285116ba34577a19614acfbdbe9f611

SHA512
c60dff5a3ae8e67f1b2a041e3f0301b36ffeb7d38e833a6cae02311654811c59cbd197ba56406f190e7bc89b7e2ac705f0b4fb81311eb2e01140da6498b0160c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsAG.exe

Filesize
159KB

MD5
ae5d4c34b27b1018b882aa478c4dd4a1

SHA1
149484ea2354f7301e48600b0eb39740b05b5b95

SHA256
a46c86b3ee7d10fce2d8e0486841a885852e5cf6b56c69ea12f61dcb08c46563

SHA512
31d71572c1396d99084ef7b341644c84e9cb3b998d312645d618ecc997d70d2f59c71e1d9f17ef430640b5197c5502791733399791955793010250497ddc7598

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAgO.exe

Filesize
158KB

MD5
51d8281fa325175a87c0f8248b42cf03

SHA1
b2f01ae559e7c530ac05a10d0e5be24cce801906

SHA256
68bc0759ab3e1b998a5bc21674be0aa5e196b4f26b8f7f2f305fbc854367bb56

SHA512
0c4c8022ef1b1941010f1c5952712a31309ef3e5f0b35f0106609d2a451e8bd278017f7f882b79023f147a3510c4fe50a2653004309633e7e74cfad26a6fcbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQkssIUw.bat

Filesize
4B

MD5
1d0989321310798c6530a1ce4c1370e4

SHA1
f3c5aff2f88413c2ae567df151f7fb41b7b42a54

SHA256
1a46b3cda860a72a40bec246c3ee0410fa43dc8a3ef4205b36784f2d4a2e52c3

SHA512
cae6cef53829cde2a3a56b27871ff37c5d8519128f88d2696df5920dd6417fcf292818faf031e1c6d36ffe208c74bd181765b26ce9a4d57ee150822556398676

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESkkMQAo.bat

Filesize
4B

MD5
24727010414347d969b1dfa686c29c5e

SHA1
c02efa9c3bb8b1c56a0506e6ffc764c1d266ad7d

SHA256
5061d1eabbea352bcf65432fcc6ff6b5763eb82ee95799cd5844a7b76888c223

SHA512
b547dc8623c1a56dad0d4681405c57393d53d72491f16f02517d5ff4fb87223f21c16f75f158072dd097474505a1314dec64bb7a0cc54f982b8353a556f9c3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAwy.exe

Filesize
2.1MB

MD5
cd40fd1e3a5aba53f54e055740d16737

SHA1
8131aae0def63bb38a4c7cba3b98b7464c5895b9

SHA256
5ae0cd0990f000af00e0ca64e3e5f353e5cdb45c3a738a6cac9a7c8074b4fc29

SHA512
8ed0eaf52118e2b7dbcf804dca169bf24ea077dde9bcce4e09d4706ad950c86b5ad7551e219cc6c4ac0c662ae43a6e491796b499a41bd0bc713968a9933cb5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\FccI.exe

Filesize
157KB

MD5
e0c9a4bcbd64c69b7f3a27dbbff698ae

SHA1
d2bb39ba5e67062b026ddb23675a6dfc211bd328

SHA256
67b5c9c694a26d4f46d5e8a4959e16db99816e35b23d70d79b4fe8690e17ced4

SHA512
9977d013f8ec7e44f5fda18895fd4d2aa940ff5fbb01c65a046ecf908f42bdaec02c2aba0742b2e3a0b291acdfaabdc3a98fbd2eb9b96d52d10afef87817ea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fgsk.exe

Filesize
158KB

MD5
30081d0143840e50e3bd9d01eb4e1d41

SHA1
e854f4d0f5fcfd4de53052c172086708282309b1

SHA256
6bc1f42b7fa35ea1c5a507424109f17d7be41859cdc5a0201bb703f8f05e717f

SHA512
dd1f14bd950f34ed7bdff38a54d57e805065791f765555577b84ead504b0ab93c3b38b91b76e564a3b5f8f304b41afc54aa1785b86b38be64d8e36b5d7ed46a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEso.exe

Filesize
159KB

MD5
ae35c2370980f26a52c3f6a2936f9561

SHA1
166013631e1df4c8a19a028a89460af6cb098b53

SHA256
8488d95ebf96886770d741c34d35d2f4d20943dec36f713104893be1e43b0ddd

SHA512
2c70da1c56d1b643b71d058a206761ea87692acf136e013b06a6f98100d0f45551429c1c6e014cbea22c891774a3fbc7d582b6d3522bdbd4c40d6cd392f4981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIsa.exe

Filesize
159KB

MD5
04cd2ca1ad6ee91fb0fa3159eaef5d58

SHA1
a3334f8503095e3d8b4986b3f6f27469439b0be7

SHA256
d350f83e4597d8b66dce8a7ceb8e5cc319f9b1d4e97a8f72dfb8009dac120719

SHA512
bc91909d2bfe7f842182232842e695dee7ec8f6a6669fb944b16d2b57a0f461a4678d3df3ce9ab36d1fac5675af2d79ee8888758bc9bd4bdefc39f783f396512

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIsq.exe

Filesize
350KB

MD5
5c5a8ac748451bbde3473ec9cf270439

SHA1
cf53173d53dc143559db46dd557273353f48444a

SHA256
02a73efb70f63eda59cdc7c975aa5423a6c1812aab9bfb7c2b9f103705fef409

SHA512
06f04aec5301e92700a3e482d02fc18b8928580ccb6d651af7f5491e1d899cf31490a6a6509ac9ce3fd4b8f36d44853d8db51c85a72865b94a5dc681e5678420

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsi.exe

Filesize
236KB

MD5
55768c41fa134dbac07fc3ccafe167df

SHA1
f996183faabdc01f6a4ed5f4f01932be6afb3ca3

SHA256
1277d63e237d92e439339e8037d42cb659b305aac2e4037f35381ab368734bd3

SHA512
ca8aa596d02749676540d83ab75cf97c75ef9a1a2e9b3a47532ba6fc94d4296cd392b80b8322576a3b9300b543f0d0f3f0a69780a52a1929d71e3dc8a73631cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUYi.exe

Filesize
1.2MB

MD5
573e4c08561434b7937975a67248b35c

SHA1
8d66cc5a54031dd269377ed644d47b48a2c1e6db

SHA256
c963c6638aa3f5159044548e30c06bd862d30090a65c1635e1b65d9e712929df

SHA512
56007b0636fd78e07f99f5ba36a353b789e14a15bef8b6c5d6194a612bd959a5e349cf69b68e453220762082fd34c523852b11fc376ffdefa584162581314dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcM.exe

Filesize
801KB

MD5
f7dfa908a9818ea7f939b05e28763687

SHA1
1df690a1e686d4bbaec17be25f39af12b21f5a6b

SHA256
a9f65e3856b5f710f82520a0f0af4b067a6db7615f5caf05dbae22f2ee3aa076

SHA512
b8d08c35dad10a4b6df579b01cbd892466cccd3e9bfb7c3582bb1fed13d69ea72eca4db03a329d630bda3841f3d9e2b28dc7cecfd22f3a44ddbb4055d1a70d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMAe.exe

Filesize
236KB

MD5
7a5272eafe74051c95a830cb7dcda441

SHA1
950aadf2353e86fd2793eab8dcd0b0de524976f6

SHA256
97b5f673eae0a75f2714bbf9b2cb4812390ea513fd73d8cc70ec77eaadd8b641

SHA512
6c24ce72ba1c5921c67adfc4dbe8413559bde04b10d3be5885e6ccc28b95cf7a7424f4515f1e851895fc00844eba920f78904f8056313521fa825995af8f1409

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQQscwY.bat

Filesize
4B

MD5
ee4132ec26cfd27e9c65fa6fe206dd2a

SHA1
1c2903ae284511a6068c1af77a0c348dcbd3fead

SHA256
655085d3705446229f6749ac62c5dfcf733a4f7a814466dad451500696d56ac4

SHA512
a14b20e6be2c93ebdd2b6ae05e9f0a0c1aa5c94086cad117da9d533560147363954d630a6200d4f49ac4597b45a184dffb1cc56b3878d722757a50378a62d04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISkEsQoY.bat

Filesize
4B

MD5
78afe7a4aa688ad64c3225ff6f49befe

SHA1
152edbec65e3e2c22c9bbcac2eabeb958a39c391

SHA256
4856ecf3e52271e3db78f2546307655d92293204f5e6cfa406bbf8c1207855f8

SHA512
a748937344b951df3763baee9e53ad24e7e884f52e2b627c2c005fb2cdec72ed88a687df2cb31c471ab9759b3165e8eb28a2c01be59a5531ad618bb379f861c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikcw.exe

Filesize
158KB

MD5
d7c883cff854a77da877f6f7ad508910

SHA1
cce5924f279a36a82aade138e72bf5b120047c8b

SHA256
6b23b2cc8e8965659d8bca431759f761ae7e5fa034c79aef4d6e32c01d413aa0

SHA512
4b56e5a9cdc79d24b99caac147c7f8e68c813778b68831c468df808d4430b581167a80c554bb41e152e9036102ce582d78419c7b2b333f3d3a5f24752c025ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAIe.exe

Filesize
158KB

MD5
94d46e9da855d6f387b9b1974a1aa76c

SHA1
ae11e94f0991b3fc9bb514f244f5e72d3d3e3eb5

SHA256
6c6b1e15ce1bb5d496446bd81c1236efe9f283964b678de025b087dd9536492f

SHA512
7a8207ec40f5f13070c627f46d29fb975d6e46bb476131f26f46e2d2def31453698daa3e918365048bdec2a2fe5c1bbd9581160be4741033309dcaced1cec1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCYcgAsU.bat

Filesize
4B

MD5
362a63a4b0f4c4f20c7ee95ad6e232ec

SHA1
f71a54a2f8672364481910ab377e63d7a2ec26ed

SHA256
3bcb5e371094a71b91f8f881ed4cc2686d1ac91619469ca47dfef7ad7c1be062

SHA512
b629da5dd4828e701ef11ba35c4be45bf603b881c67806d083d356a77c77d6392be9f0bd02a88d2ff026a2d28af537edf77fb29e4fbfb2cf9fce55f8d3d4027e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIsC.exe

Filesize
660KB

MD5
936db95821cc44fdea7b020102645253

SHA1
b546e29e22eac10aa99e3aa477d9c7c846ad9537

SHA256
4d9f38558b4240a763c9a560821c4c9847b1478dda2b4a4499fcb995c45bfdd2

SHA512
41d044d5bb15e3951269f7c7c3a6da0dfd7d38188c04f239e1b3c56c64ef0d6b971cdbd0088ec6877145edd39a25b4e5a8ab3261e3e047fc10b8b486ed18158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUsoIEMs.bat

Filesize
4B

MD5
caff6cef9ebae3992997953f33c2c3c8

SHA1
baf367a56828cab9cf53f2e41d388857e181a17b

SHA256
95bf978de50baee127590003329e85f403dbecfe6a83985e7110c33ba0734267

SHA512
d0813b68ab375f066c1e63753c39e3ccf0321f9ebd3f5cbaf784975d49c5e449148ca0367014b929cedc5579322369029b36511978a4341e316bcc39d9c7663d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQkw.exe

Filesize
159KB

MD5
a6aec38852cc8281a7a821e4b311533c

SHA1
ee6eaf1a96d4f36be8a4814bb001d367cfc60676

SHA256
4a5ee6fd3f4b1727e4d2a8342ca5abe0f99b4f642258ba4c9c99b6d530098305

SHA512
73f794117fb2f2bfec87658ad39a05f01baca69dfaea2a38bd6c1ccc60a3a76ff4a31318289c2caf91f558b53397d8c966f4b2eee898fe5464028aac090f4dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWMoEkMk.bat

Filesize
4B

MD5
6dcae753f873437862591d2d13aa82cf

SHA1
46de51d65da34b7fb98f71096807f03f7e9b69ec

SHA256
ce04227c0e4232216b5c6208179a9e4740a4fe4149d8d8c3fc07c4ce64514ca9

SHA512
248bf51af18b007593f0fdbea0141058f5d53785191d124b811fda5ca8f85dfddf1079d81137cf9b89ee98833e04e60a49c186d93e3885e0434bbd7febf14e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYQQ.exe

Filesize
157KB

MD5
0e43ab9d8ba639547b58b77072dfdfaa

SHA1
d957bbd7b0add4f6198ec92127c8b2b6181df9f3

SHA256
b4aa1ab2c8c70bf5454fb07873a6cb89e3972eb54d032202b0457c1da69d4f54

SHA512
a40f5dab73cedf9313217d131a7e34992a848304ea8908ca22de47738dc2ee6cbdbd6c1ba944038fc71722bc3a0d8cffa9a1ea98263857c0a40687d90164d44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAYMwgck.bat

Filesize
4B

MD5
813257e6d6cf3dd689d821a8b9451d3e

SHA1
7cde09160b2ab3fb26b23cfde1e39386a7a8f961

SHA256
fcc5b86e22586159781a6dc6a7ab6e3d711895393e933061a331941e41159734

SHA512
3ec1d30aa7352799e3f846c9f2d71b522ee9ab03c5ed85e9c6752307911c74e24b609bde0102ea3cc91647cd3138db7352a944f551bb8c3a64dac8ec2bfa2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQK.exe

Filesize
159KB

MD5
d547241f0a3e3103c7c690a3693aa88b

SHA1
2fa6d9d002daf5125c127f6ae8bd709f0ea7f744

SHA256
afc6a9494670853755769245575b89706b116c24b600173cb897da6644d51178

SHA512
2ecfd3b4d2fa05abf2b4a607446b9b0d6a0a8922984d3089e4a44e476fcb116d9045710431ba781da597497fe14070e94b129f5cad0ba4b00448878906aff9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYi.exe

Filesize
555KB

MD5
a2ba5d79024c4240792438a4269858fe

SHA1
2304cc55473caeb697b53bcc00fe0a0651c2ada9

SHA256
75fa1025d1b66b4178101186790e04a0d77a1b5b7a9b83688403298522bdefd5

SHA512
c31c5cd6bcca6a8455fa378b3f916cc977ff8489cff2709bcdc3fd99d48f20f440856ad87ccc096ed490e257fec6bef67f971f1c60b096c71784ca2bc709608e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUIY.exe

Filesize
461KB

MD5
db123d3f3fbb187d27cc9a431a5494b1

SHA1
c1d6d3d992416ffc9e8f992ec5a4c82e6696a1e9

SHA256
0233e5b04f6e1684b5a41a986aec58fdbb5c36bffddf56630eee1b5d7b5ba9e0

SHA512
20bef1d9afe42913f1d2745e768b3ed5e337114565fd3bf04e3f0f434a7150bba3e7f57060ba5afdb737c729c0b4743df9081f3a51a0bf27e73b2037c5f03e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcwUwccg.bat

Filesize
4B

MD5
d190d8219002993df207839d900b0ce6

SHA1
130a610bb42dc9ac363c829bad3fe3baa953a078

SHA256
0f7add9dc9bbb57eadc93bb1fb701ffdbd3bcd5b97091cfeb71d49cd22e61758

SHA512
0a25f66c1dd49f6f48c817228f519ab7b2cb19eba00b2e10cf0d10125cee61a6a88a9af66bb6440d6f7449b93167e1048eedf6f7e5a2c256f61d2c695f5305cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwYO.exe

Filesize
4.2MB

MD5
496a95ae1210ee48aa9eacd289731039

SHA1
68ce47d470a5957aff47dccaa307121591298d00

SHA256
073c56a69df4c78e12eac6056f76f6f1ae54bfe7854149422be7b3e5938991b1

SHA512
702be1ef0b6e0efac0e5db75d88eaee211f7629f957a6e8c6e388743454287e68bb665ac1a704baa0b08defe0c0858e6c895329573d038475c260f4b1d41c6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nwom.exe

Filesize
1.2MB

MD5
e23396a772e1fb5ec73a70d52fce105c

SHA1
c983146f9948e47f471167f39c25daa1f4535663

SHA256
a2eecf0844f3e7000b707b094eb9232840251aa021056e35bfc8812e81b0f14a

SHA512
ee6d25ccb2d15bef56dc401ad3cd435d6242196560b630063b3e5f478d9f5fbd3c2f5c0a9130d65d87bc2216c889e863176a0ef9cadc38fdce70d69177a3bb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIQG.exe

Filesize
158KB

MD5
46353d6d361434d90b56c68432b9122a

SHA1
ecfff44d53ae91bdd37ab5eae84fa1d7e57e03bf

SHA256
3f7e989db4d2f1ca10745d45f7c82df14a9e6f704a772eb7df7737d81530250e

SHA512
426f32132ea89ed773b22497ce30563b332bfad99cd97690df542532646f0494bccffd4f2366f55ecc3ced33e8c0aa7f7ec4a78751f4300b958ad090deaa8aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAG.exe

Filesize
159KB

MD5
28805862d4665311be4b890cbfb9e092

SHA1
6bd90451513772e8a540c48f514b55ca184128ba

SHA256
dc9746e0c07698540a50095d1f216a15a009cc491821179c63228866dccf2749

SHA512
9c45a332856b2383b1738b75a6d25bea585c0cbea44fedcb3bd7063c605e63c6319c7052e51fbd04d70180fb238040a78af5e9503e839b215d2a655b74f4e9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OckO.exe

Filesize
161KB

MD5
1b40b1ab69b98fe22c1e3e0e034fdcff

SHA1
c059f0f61ffb5f9c55f8beefdf75d612bd84c45b

SHA256
60f7f8f67a7955d275703f388bb7e294c6426d15274c054d4c47f574c2764591

SHA512
573aace9ecfb152b1f12370498bb0491d26ae700c9eddd621e8732b326c4d49fed3901b7d863699e1a81e1f41e275c79000439ddf30f0f1068fdd43950383e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEC.exe

Filesize
936KB

MD5
1528e32d8ad4179adb2fc8605e31761e

SHA1
1c965f1b9ce6d80d3a9b0390c1ed3e318faf7460

SHA256
3d078a2523ff08c0ade0e4b1be7916cbbe5048f8d917e9b2dd8eda51446607ca

SHA512
ed36b9a75bfa5f1e6fa90cac83f190e1774a89f87b67fd9125d63e07ed08e0584ced3eed2fc3844ccf315239fe44eb46d14b0ff5ed4a7c6e15fabbc9991a04e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owkw.exe

Filesize
1.4MB

MD5
d6393855e8780ab49ab16946b76e68d4

SHA1
3df1c09505e4c86b558e534d27f2cccd5c01387a

SHA256
db3b426f9c20ea46344b95402fe6f4dda7a4a09ab56f7a8769878046c8602b09

SHA512
386ad971e182995384890c3167485b472e084cc5706475a10d927e481b67619519d1f57ded306902436baf921a7618c191cb4b8d33d3374720da2536398bc8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAMe.exe

Filesize
623KB

MD5
7f330f8bd7477fc51ccf6b6bbb3e13d6

SHA1
c68c5db913426e3dcb9aa24eaaa86900d109b587

SHA256
b1242f30ae40faa9f001ad28efe4f4b6e57f1df28d524331639fa8f98de3a020

SHA512
8c82d7b8954a309c88e0e83874f985ca2353b7fb641c44e09aabb8a407761298671283deb8c67c842aeee05049e2cc08e2af46d89aef4e65aab6d2e5a2f591a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKUcQEkE.bat

Filesize
4B

MD5
8e3e5c54ab845182e3e57ef059915209

SHA1
84289246c5bcb3ec8bb148e76aaf2139c231490b

SHA256
334a4329f163c9e881f9d9fd9d0ff74ce0442662f66854bfa1cd41b1c06ed225

SHA512
1a13ff4afe9e13eb34256a5957fe2d168dd4e7afda8ff648119f8df051efaa77edcac4d318c95768b71cbeecfaf229bb1810fb1bcd24bf44ab6fc19dc5266994

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMYm.exe

Filesize
157KB

MD5
f8b60b0da8b224c61231b8e697c66f0f

SHA1
0a87cbd2aaf7a45152e80b2864d0be8a1e39b37c

SHA256
5bfe22f3ec2920fa5d090df294661dc7ec1c7b7767d86f731dc673b6be7aa8a2

SHA512
76389d0e07a590abcc4655ec3cc3813bdec3ed15868d7d39c141e380f78304105f35c98ef9fa55379defbd7f9a443b839a74ab8bb7ad7249c123f812dcd4951d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSMUEQUQ.bat

Filesize
4B

MD5
0edd5162421bd9d2c97f1e307cd84c16

SHA1
08bd21ea6d5ffc7f65b410486787c75a40bc8b40

SHA256
48376acc76339e1c9d08a9c67af6a051e47e1ccf8b62baed76ce2654664830d5

SHA512
eaa39d395ab570fef63c5d20d68c4b90114e6dfd7c72b729cd1fd300ee6221b312a0734fc64a05f87d086fdee16dd9dab4813c6a86121e86e070d82f189cb7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoYcUAYg.bat

Filesize
4B

MD5
d36f9b3352480de3486ed78a3174da7c

SHA1
cf798f05bd511a790325f7cc80d0a9df0553eae0

SHA256
d71692a3b5a8df16558cf35c28c592414a719d656afada2366c32a32e55a611e

SHA512
2c150608b09d869ee284f37ce184b7d4585ec6123ce4c97e0bece0c19e7c25e89e5fecf83658828a82e89ec7a65f7318b2f5f104900909f487b2b5753266cd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pwoo.exe

Filesize
158KB

MD5
a2afaeb910bdfa5fb2a059e1a29bf24e

SHA1
74da09e56e1ff6fb320c894aefbf30a0cfe13b53

SHA256
6ed677c7a4120f2d607f0852ec1273654aa8956b35116d4ade4c3b9d855d47df

SHA512
bb627c6c3eca9094aa8c0859d3ce22840a52636874a2f70cedd5546e4732072d4d9379c9bd4190131514f4922f4a6ec1d1f105f66414ab03fa9404ec1da0fa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUgK.exe

Filesize
745KB

MD5
2dfbff8d5d5910a114f13dea2d6846aa

SHA1
4a843e29cc4e1201637732759934a470f95bf7de

SHA256
44494f420bd63ff0a5fe352eaf8a448afc26d7ca1a9e44ac20d7b555a2d2f793

SHA512
d300f7fb04865d189612aaa03dfee3033f8d0dcb7fc5b7e08537a2220db091e5cd731a74326970263856289f6a314719d3387dfd1a326e0d44c5d5f83f84b639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMkk.exe

Filesize
159KB

MD5
5919e4d290bf6d20066fc8ad33a8d715

SHA1
31bf1903d0cecb386221c5b9f531ae92fd3465f9

SHA256
579c27c594a98d34837181468349e1f2f462763f597e36be54378fd83385fbec

SHA512
c968d4d7545b310226339bc5e84b10fd54899f07c6d5e65ea58d7afbfb8e6085fddeff2003514b8cdce1f5eaf7cc2780e87f044f7b6a53b9a086cdcfbcedc2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYAW.exe

Filesize
160KB

MD5
cd7f5f0832742d708ebd8cec2ed48b80

SHA1
31c02bd06b9140305c6649ff2acbd5c5ebe7284a

SHA256
717adc6081b5652d35379e4b4120478d46c13c483fa384f52614e3cffd1747d7

SHA512
8e4a19765869a767417cec12390d39b448a756e8c55fd0c7c86430bca0b60e03cc34abc13567c3f65978dc56164f325841eabaa059ef7ed0c71101c4a892708c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIEM.exe

Filesize
157KB

MD5
9e5d3e6d8c195638ccefc5d529f5e395

SHA1
fa72030a9dd98a090dae310ddd4633ea2c45bcdb

SHA256
7f5d77164c1626e8f46f854e090633f95f451bee02d8aaf0f4e8f0eced0c7ac7

SHA512
12d85137b5410b9722b15673fee2a3d8ed34194d60a160bae178df6fbdf3a7dabebd57810211bc6a51d5c1383f4baea8fe55b45f8962261f2d41948ecaca44d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQkYIEAw.bat

Filesize
4B

MD5
91cdd0a872d89707fa9c7621e15c26d1

SHA1
71fc0ee5a5cd5ce5a1e8234440a04673bd7cac10

SHA256
0d4525548909952f6138c08d028ca6228c9d86fab542d40b3cb9a02e98101af9

SHA512
390c9d2a5fbcf082d3a19ad28a880f3d71960e3f54b7bcfa37979a6b59559156213d68948550a4f06e7e53b58f33b875419795a1ce2b656ca39f7573425d936f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUMa.exe

Filesize
157KB

MD5
81f7d03dd4fcfd758a2783c2369a5a4b

SHA1
d47e8da38195ce2ac6cfad5425bb9330528bc151

SHA256
b9cdfc18e82f6560b28ed4dc038740bf9f9b7b62fd4b95851787a9b9d1ba817a

SHA512
ea2bc071ca0b76e26212d743678236dd2cc582f0be2574052353ebe8ed1a90088c7482fdb5aade8ddc0497bc8c9562ab8c4791800c5f5c24b11ed73b19ea1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmUAMYkk.bat

Filesize
4B

MD5
885d0b6059dd5180f2627b77dd634741

SHA1
e76fee23c6617322295737c0a7f0c05ec953fb29

SHA256
71b74d2d7a9e47ab38740c521809e9c6f84d65f25cbc1943d54a1baebf3be777

SHA512
bb4e077cccb0eaa14ad683be4a7e2393fbf402285e992387d79292b5032b864c6a7a75c6683ed5247494000291c6b88d1b21ce19212c115e46f98d6bc6b71f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqMMYsoU.bat

Filesize
4B

MD5
eec8ad0817bd764c5d9afcafdc03beb0

SHA1
2d493c09e6de6e489b75b94b51dde6a256adf9e0

SHA256
e04c46c7014f336523d4b2e9d44f4b5d0b055996c7d3010c2e77dd43a71d7c09

SHA512
1024fb37b731ff210d9f9d1e318432656dda4af38619c478ddc0bd45f7d1742284045b189541a253bad3a7556f18479fa3024c942adc22fbc02f4047ad21dd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIgg.exe

Filesize
159KB

MD5
95cd141f41829467eb166d76cf502017

SHA1
1d4e75d84056bbf710eb48c01648ff73d513f387

SHA256
a058f33906736987c43c6f58ec414c7fe304fdf645e3d2645948b7ee19084ace

SHA512
d6350ab1e44a9c1f74701aabd35c0f0e01c7a06f6688048826708c76e6b52d52133ee917146d42d1b838069f4fd94cb37f9abdf696990b5b35448a6822fdbe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcgQ.exe

Filesize
159KB

MD5
2b91c3258ff5de5a488a574c7e642201

SHA1
eb79260d214963f3dfbb9f52fa35a29a46540546

SHA256
111f450e79485f94ec2a6d7057ff610ad8fedd541e514a7b19c6d72df9637280

SHA512
74946a8e8d14a0d718410091f682bcf11217f41e5ca327228735f5bb89d7328694ddc3faada00099190c53ae3aacff752ff48e36c02fae1d2268728d4392a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAYcsoQw.bat

Filesize
4B

MD5
7bc8479bcf47b7c6d08442a8bac1dc9c

SHA1
8b95d842e709d7481a420c297e762f1330b308b1

SHA256
80188fb241f0fa71643c5e584edbabb38b15a384fa33bc25d43d26c84098199a

SHA512
523b3d834a14230c6abdae005c3a21569d864178cb71c6542c62e3921636c2ee9ccf342073fab5437def74456bc1896f6de663c9c0e2b2b856a64e0bb4a90f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQwi.exe

Filesize
138KB

MD5
dee4a4507905dce321ed3e5a253668f5

SHA1
85dd37c951bd5d26cfc2940c55eca2e0609394fc

SHA256
8bf906836d905e4f407e1f08baf6d3432dda8f4cd028ee1da4bd9d861269c42b

SHA512
fcea9267557bdd6cadcf2e276abbb90af22d01f6c6c48a9bc42a0cc5f71d859699653ba7debf6bb8a47e78f6d8a8b5bd856fcc1c6e5f8f1b1ade55478cd34d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\USEcIkEY.bat

Filesize
4B

MD5
d1078f8f20d728d38df154ef5be7034d

SHA1
2d744b12f50592efd2bb249f294f770f709eeace

SHA256
c819cfd4ffddeb52d4b009b9d4fe2bfa726277dbd044a7de641e502124f8ad09

SHA512
1d4f082bc07d61bec68b84864dbe182ead55acb8e79b243955162426e7f2cbf366ddf9ea1e6332fe6ff4ae4bbe7f808b332bd1624d6bf52a129ae6ed5dd1d13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoQU.exe

Filesize
158KB

MD5
c26b96925b4830d51f63aa840cb71143

SHA1
3b8eb0050fb2a68a767c89e4dd6d4220cbcdd889

SHA256
7df64db36eb528ecd3621918f10764cd2e084e2054b81532f897f518573ed804

SHA512
edc0c54e7dcff8f0aa25261826e28ef8506007765107b3a68af2703b6535b66f12396847a3e8b8fcd9093e16981580bc9e5032ea42890e1e153f092b5fa9afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uskw.exe

Filesize
159KB

MD5
5504c071292e6e4f65754c242e5e8b11

SHA1
fd99989d4946f4ca96afe76bd6a1408f35b7d06a

SHA256
323454b0b1a202f5cf214d06bc4d611168185eb6e754c7f304b389b707da071c

SHA512
f39ae79fab0695c3a6a476bc5e563c491f077656fa8431cea7c6f732bfde0daeb012a0ac75ce4456b20fe7fa42f05f3bb0e784553931073b383c8201a3e0fd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAwy.exe

Filesize
158KB

MD5
fe09798d6286b60f104af4690b50dc4f

SHA1
3d3e66e3590dcfba6f8d15cc1450ea32160abc06

SHA256
39736edde906d28fcd8a2a801ca6b344f974a1e371b8e8e486018a5ba5abfe0b

SHA512
5398dc7d1d258b48068d4706510349701dc7ebbd640080f596786021a41a97f23ac40ff992f8e34a27b7d4b2674669fd492f0b40b6f28f4f95ea8e7e150d9127

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUYA.exe

Filesize
658KB

MD5
2f27ebc8112b331495f19342222273a9

SHA1
75bd1a0fc87f405eb88a0d319e4e826e98d84993

SHA256
4307a85e8f66523b34bd0e5362a4795c37a1aa99875139266344eb46f93ad350

SHA512
8ee20e356cf82643baa49f81293383691be0fc47ce7a01283431cf30c57fa28c0e688afa8289fa4b4318ee4918492ca32b9019503086d7c50bbb2f8bc173d218

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoIy.exe

Filesize
867KB

MD5
3a0f04e946f9f5b4394243c451b4c994

SHA1
f725663b6a64d11b7eec41b2680c4bcb6662c5ab

SHA256
bfbfc52cd848e7caca13e5324ff1e31275cb0c5a9f16438a08382b341170b831

SHA512
116c7eb1a96235d9ad9274b09fee9b96241cfbfb0e56bae29109aff3bfbb26bd381fdc0071f55b2d862a1b172db2fb85e4e7a664fc09bb24999fe1b41ac52afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAggwsws.bat

Filesize
4B

MD5
9c237c5b00c04fe5edbc87b203fde0de

SHA1
d9335bdce9bec204e85cc789ab3e461b14cf6e71

SHA256
9a92ee889db6ea155b18e6c06ef885efae1a1de9b9ee8f7dd5f2f85f4806f206

SHA512
fc8e4fe36150dda389343043a623a1d348d7f10f13b30b20c4575cb480acb32a4c94c789a33d1ebfb027877b3190d00b2faacdff0570f5d534b9c2cc332f07aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGUEIQIQ.bat

Filesize
4B

MD5
8919704b03999f369603a5bf511d0079

SHA1
fd99daa37ed29597343005538bed3aae611424ca

SHA256
7305229eb288fd10246a24ba205c76c3db2efe6f6dad6ea1416a58f95e36a4ed

SHA512
673335b698d83cb4595b5919024ac99b95c657a7c601bb518656a6ea0122fa91d9d22770bd1d39c7ecc6ad84ba785c9037933ffc8ec62d79802d47565a1e6be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMcwgQUk.bat

Filesize
4B

MD5
3f3efc6abf4c5929b61f6f05ebe82ac6

SHA1
c29bcc3b56aec64f8c2f45497e22ee277c08dd46

SHA256
72ecafbed9d6cb6891584696c08ca05909a25b87501516e45a64403596ef270f

SHA512
9475835757a04e0ed96dec03d62ce2cc5dcdc54ba775e0a8ad0d1bbe61dd7fb5b5210334d1e37f4ea83696869b0875cc5859c103e5904fd41089ef8f97d3b5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQsi.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUokscQ.bat

Filesize
4B

MD5
9cd1292d7b5450ec95775dc05f5716b1

SHA1
195cea7aa7951d976f5c444efa9e7252186365a9

SHA256
febed6e211108da66ab977c5aec8df5cc7498ebe375df8e3bb7c03de1005fdfc

SHA512
7957d4ceecbd53d9d55711b9c37087cb478d31c540fa91b3c48d27b61e752ff39b51187c16a456d107b5348302d37808cf272aa107f337127e47118591b958f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwsa.exe

Filesize
159KB

MD5
a07424a6a3bdacce8e79cadaefd9b45d

SHA1
eee066a731b519bf0f0e23d5989e3c6d945aa245

SHA256
b372472fdfff6f61281e225a164fe3672c39c5224d4c7f39b24e38f106c4a397

SHA512
11c1351fff8c85ce2c6d950e4f5de65d3264a40bea4b4d5950475037af047fe3114cc7cf668d2f0379646e8d22d144b97d0f1955dcf81bc5bdc55464faabfdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYwc.exe

Filesize
158KB

MD5
0afccf4f4cacd26cf9ec45d65cd97d5f

SHA1
1be12c82a5ffc48505e5fa2b9d9e443b5a0ac9b7

SHA256
d0edb289de2d14dadc22a22b11b8f7b8a26c4044e54471bbcd78424b12457e7b

SHA512
e679f0cf1a0628add8947e5dca29266546c8d912837514465452c503072e6897f3bbe494e60185fda613f4bcb3cdf7b16448e3d38e80f42d4bafde4862acd69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgMo.exe

Filesize
157KB

MD5
7b2cca04bb9fd6d70af8132305b4f9a1

SHA1
3a8dac85eed7a4a1dfe7f2bba576a6cbb2e87daa

SHA256
1aa0eda647a37e7c89c4e59ec73998e3b8b967a8dbef671b7b463cb29f406ab1

SHA512
62359bfbe296eab0d8e4bda082a2cd36d75f8cf451c7075af5717507f6c481bfdf8bdf10cac3ad1bfe96e679e88c94d970d9bfa7fe054d6a54810c3aaa53b527

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwYk.exe

Filesize
159KB

MD5
72fc0eb271c1e43656cd016f2562b05a

SHA1
3e0a41b3a3d725232d0a50af3735472a0a7aa7c5

SHA256
d67b172b4058ea838362ae202e99d6538836164462c4fc3acc28c6175f45452e

SHA512
76d0084860b6ea2b3bd4ea75975a34fb3279f093866d25291c0fc20471d4d2bcafbb79c2ce7388876646168fa30b19428ebc48de689c77f9d131b85959ab7952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xwoc.exe

Filesize
564KB

MD5
4cea1e3046f7b48791ad496835ef4f35

SHA1
939b38121b717c9db72c04d213f39822d370d411

SHA256
39bcb2c026be8c0ab946cde58e7061c3ce08590fa87b18f52de968ea8d17b1a5

SHA512
a2b56b440dfa5937fc3d439e638fc850b9a701aadb8e5702ecb5ef24e14d063b146169c7f390c225914d8cd2975904623fe4dc863a623b948675ba20d4bf1877

Download Submit
C:\Users\Admin\AppData\Local\Temp\YccG.exe

Filesize
158KB

MD5
350826bf25707663b1130fea58a219b8

SHA1
1f5179ccdad3653eb4d08f7261cd64026a6ee234

SHA256
4dd1161d1b36640adadbd4a687634fac834882f0787a7f6886409fe37e836edf

SHA512
c99ee65ff968b833c94319b3c2e630140092b9579d8787a053061a6f196ca92d01c344717d0beb81dc1b95f1a0f0d0737d1f0a6abdaafb21900a56c369b7ab7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YekIoogs.bat

Filesize
4B

MD5
6e33f6b7aa9f34d1d649d8e62c3e745b

SHA1
d987879a7937e09dabfc82919430b9960899893b

SHA256
79fc0eb356004f22fb2ad14d9611728eb1197637493bcf32cc138383abadb1ad

SHA512
3aa37247475d03371fedf08b7980496fd4d38718e9b908f1a5bd35fb490bad877353aad73ec6703c94c65d9206ac0a61c81266c6e4393cf20a8d49b0410baa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuUkUMQg.bat

Filesize
4B

MD5
73b3b31346d37d698e4a956d09e24e7e

SHA1
69fbd4b24b1110602840f1a3246324a48c60dfd6

SHA256
b36c3ddae802a47d8d0421de6c41c7d10d1dde98d69ef468dfe5cdb307ddb5e0

SHA512
70e70a57f6b8e13d54a166e7e57854107f573f89321d4f556935d8eb50fedefca66546ca401f3b7254323b7a5f5db08aa5ddc34d5b29539c910f67a2ef864515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEks.exe

Filesize
157KB

MD5
fa6025b5a04e0cc75049558aa60aec35

SHA1
84a6ab3f31a6b95f373a4d00e31aa309a1909895

SHA256
c4e83baa59932b4330d26eb58266177c732daa4a65789f1ba78416262d6fd12b

SHA512
3d529baf6bdf112676cc0f5787af099c56effc1789002005bc96c635c3f5df3861b1826f4fb6623432a703f67015e5714cd86db00c69cdf5b4abd9f58ae724b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMgI.exe

Filesize
159KB

MD5
c5018cefb6bc2db1b2c8573d0f88bfee

SHA1
eec3e090a4e9b1251217c9d98bcd7e5304686660

SHA256
74a9d9fd6890d3477d9db4483c46e8b23faba5c3c3201dea419138848e29632b

SHA512
2cdb623ff0a7a6177d84f39bfc7797bd34c037fa74f203d4a60dcd2b43d6598194f88ae9a51db90839e26d8ddc2bd15ac6101ada3c307f318e0a8c28df6ae753

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSkkcYIk.bat

Filesize
4B

MD5
f01fb349116b5986c8be7da6ce7721a6

SHA1
4fc1c440a573fe5cdd06047b7cdf9d0dbc7ac32b

SHA256
159336311f9363f39bb243bf8e948889733a00309921e1fadee397e9eb2f35b8

SHA512
973cf45558e6f7dfd6d8235f1d8d882df0aa5c639e58d5b1f9bc70fcb575366845b69777a7aef51d66236354878ea1d622f6173341e37aba864b6456821ec013

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUks.exe

Filesize
149KB

MD5
4c21a9636a6a411a9d691331eaeed859

SHA1
89b9db2aee6d6da00d13ab4e0cc915cf64dcbd17

SHA256
35778700810f6b1d9435485f36c639f46166902aaf726032ebd978b2f9f39e41

SHA512
f7298617ae1d07504064d24874b9f9dc9361089829f2e5ae8c9f5b822dbaa531aad4ca0f51648cc4a8ad639f35c229b6b2f64592cce674f1bc13ca1abe58bd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkoUMUks.bat

Filesize
4B

MD5
3d859d40241c0ecf3b190275169ed014

SHA1
558860774a021c50d12ebebffd832b7401929dda

SHA256
543a87b57c4d4a0f274a4cfdfbc6711fc451e7aa833d9ab5bbb605ffd7f4f070

SHA512
12b5f9489d2e7612774c0175dbd7ad93d49e91c58000de6d31ac038f9880bfcc84ebe1b65deced26339e0cf0e5338291211c327c262eee207fed44e25f559781

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAYE.exe

Filesize
159KB

MD5
109ae8800175fff3ec1354f57ea98345

SHA1
6f010be876513c504c7380401f9ce3076bad68a2

SHA256
4a98bf68cc41c3d157de2e35c0118fcc00a3da883531d674355c49dae2ce8784

SHA512
d336ff99407583e0c0eca461a643bbc1a2861f9e47b923540969d4d64577bb6c05efcc4798927ca8ea0effcf735c898058fa1d3f88ef4636916c027cf6e8c28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaMcMowY.bat

Filesize
4B

MD5
c6cf0a7c22ccda2171d7b9c800ff2e88

SHA1
71eb222f62c45579b8f1289493f5d39f68a355f2

SHA256
d99f2f1d09574452d51d5f65d692843f5ef04e45686d1db3b2ead6e00dbc98a2

SHA512
2012d434520047487c05f3427bc371b3529f229d488434abf4f2647534c4fc854b5f01c70aa9509b6ae7198890e73069fac6bcd499e67bca42db3ec64975864b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIAC.exe

Filesize
157KB

MD5
ab87cc032af8a1256d4a80e84631c19e

SHA1
1821fc2e1dec51e6ef085109611a644aad0baaac

SHA256
f3f262ec5f5d52783ee4ce4476e19c51963999b55e9d7560812aa35a974524a5

SHA512
275ad2aaa11b29c00819fad118c161d3a071a86d794f551bb9cca8a7a9b76a45b2ffe9a5ab2e54fd3ab1c91db2cede47c1a0e173a1938468d67cbc80a929ff04

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMQQ.exe

Filesize
716KB

MD5
e83789ed7f6c1c319aaaa39e58c67864

SHA1
59c187af254f51e1c4ff2b74895b48912be2722f

SHA256
43e2c67d3ceb318b483d3eecee6710cc614476634850e32b63698495de559c24

SHA512
089fc71b831665332f659d2aa47e457376cf0b1779d731e19e25e67bcce04f624bf7857a82f61917fd739f2eff12271beaa38fbf83e9afd11eeea6e1ddd0a914

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEm.exe

Filesize
452KB

MD5
4983782c31187998c3d20e2605382d4a

SHA1
2e7f19f4fb87e52633486fa0dca0bcb46b4a6bcd

SHA256
f568ff243ed9245fb1db87a4c1f36f4c22aa9bc21cc41d2020a7d9635fed374f

SHA512
056880ebed55e7f20417490c48e232ff1a1f6478f175232a64e96af3aca80230d4da83a59bb479dbd1b607523bed0fd5f0fa2d2ee41d69d4ffaca86ff1033ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocC.exe

Filesize
140KB

MD5
ece6596460a8dfb9f9c195f8c22866ac

SHA1
ba30334135b83c07dbd2c9fa37fba21448eec363

SHA256
3540c3c51cc0e04b038e46ee9c87682afff0e6208e755fe58a81ebd5c2f9cd24

SHA512
b430f3e41747477b38a053981abc6e33697e9ce9309ef3d4e5015e16ef3c9424f28ce4b8ecc154226880416d9d06e5b352bae8a48678efb562e23fe9baee59bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAIu.exe

Filesize
158KB

MD5
f041c9a42a792f45ffb2762f5036e911

SHA1
654ee4d0b9b393088008b7025671ba598e301c9e

SHA256
61d0cfd2a3e3bb01df99b875d991bbc598722a2df56d0fee1765a4589163a601

SHA512
03b8dac70be37b3e53138535b0d0f364b1ac9b75525b4adb5d9eb4245d050d944b4d037b9390ca6ff941f6ed536accc4b5514c871d1c4e6273e2902de9187dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQki.exe

Filesize
159KB

MD5
0e31327d7f2c70987e73e7b72fcd0ae9

SHA1
d977c46f3a99958db00661ee91cf7f1166deb32c

SHA256
fa2f1282d9e58d7e28c6bb6072e970d860816d5ea823ffb0b6427bca70f4edb3

SHA512
e9961a6df6d8a2479d2a16dd4c68b0544c214849789bd97a8db75369c723d8b90a2aa466a3739f89e4cd3f5d3453d9fa6f3031de59a1ec7749b183de7f90f703

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQsq.exe

Filesize
1.1MB

MD5
05bfb69f90a28ae0af0afce1c555b4be

SHA1
1bc99bd0d2ea39fbe922c783bfc1aedbfe124fde

SHA256
e397bce67bca4395077c30ac3f24bee9d38f03b9c321ba760766ac858bcf3c1d

SHA512
5187c54ac549392e41583872b2a43d074f11430201f122310c36d712728efe00c871e5bc38a96a2fb20421e260764f85332da36caa646da468aa1b80ef4973a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkcAkkgY.bat

Filesize
4B

MD5
11f14798aa26a6702aad6b201b72a900

SHA1
6a754c74a47573692c97c18d12e1a4cc7028a2e9

SHA256
a4455bb5aadb970040657fede58606286b85623eb436c56a83a0e395b784656b

SHA512
5ddb200b2805ba26166affea67d091b00ac443ab3d137397b4940a08fe248b5c502c4e27d467b347646f88b7624ea9200b7371e5889b27d2f562cbbef34c3af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwkO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwsa.exe

Filesize
158KB

MD5
55ab71c1a580023485ff65e5736cfc40

SHA1
92d9c5d1e6f29b4967f7cc27da5e82bc6f211c4c

SHA256
09a9f9981c7247a02821d4a40954c36d39c234ec245d02b211f29c97699e1005

SHA512
428a918063af5e56c8885dce624000956b8be7bedcf19f1845106053407af1bead925c33886d9cce5156b2d87a815f390806fd59965c100364483b308e20a645

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAEQ.exe

Filesize
160KB

MD5
e5e3e7a7ef51379e9fe5e31b4a650e95

SHA1
9925d9600b448a84f62187824021b11a36038801

SHA256
553f90306f70f8998c4d2c729e2093cfa017fe9c4645eae1b7d021ed9d21dcfb

SHA512
a02c650844575ec5bf49fe240372326002a1859cb9cde970519b3dd1a1001e6caf720e7b80cd818f15b91e8928da2a803bf544f148d61d0656df0911ad7ba979

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIgoEIMg.bat

Filesize
4B

MD5
53e585f439ccb73ee8dcbff07d61adeb

SHA1
6620f1c2642efa9d082f67ce21e50ff0aeac4d88

SHA256
81a99c82eb06d2dd5b781a75c6c42f00a66120613bd2512d855ecb85861011df

SHA512
d1dee1a4d102af2f5873a94345a504d79271e04f43a6d68e2aaa83ba13d3c9264bbb50022a869d5cf22a028c28b2310939cc12c0b270bfe6a5092a39d40bacdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKYoYkQY.bat

Filesize
4B

MD5
159f92a556e878d5f3308e134ec704e1

SHA1
d5b8e6f2eacaf32fcbc2a3a4f47a605b9d1dca12

SHA256
299d6e31fcf137d562ffa1065b3578f68af88cedc6b054f1b7ee67d732f01cd6

SHA512
5f38c8c2c85488461f7a965a0a3c532f85c9d42c0b95fcc4b4f8d20b9fdaabc0c0859e2416304578679f1c2e9bd054f6466b60e8b401718a556bb896d1b417b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQwe.exe

Filesize
160KB

MD5
b30e5a5a8607f28e463b738e85e428cc

SHA1
6276e8db15bdf0fa69a5fbe93f80c3edb415bf94

SHA256
67af0161dca108b7e0aab4766bf84b37ca42027ab7656e70f47961d6409892c2

SHA512
7beca83faeb90a5952175d6a0c1b18867f4d4ff13b9b58be41ba25c1a419f415051b64a64f86420b8d6af67584016d010f0e880b88122ffdaec392e466fc406e

Download Submit
C:\Users\Admin\AppData\Local\Temp\feEMAwUg.bat

Filesize
4B

MD5
5195c6420356e57ab887c72854a1a080

SHA1
a431f9e8b4c154ba8238b9206c2650f65a20da44

SHA256
5f0c0e93cd71228333049ad1edae022080285eb4f8f524e2909647c01a402e0e

SHA512
ab6a5e80c2fe0343d22db9c410d7ed5146c94959929ce2c7fe013d52d43af88e85b0d1f8ad7fa0dc4658ce76f81d46807453a43c843a18abee240c345323824f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fksQ.exe

Filesize
159KB

MD5
3b07ce483ef1bd4d5d27b881136b6d9c

SHA1
85db3e54bd85f9fc4647390b181c3525f9c82b11

SHA256
4f63b013688498998b50880069c87f63816115b28e5b83aab2f5c1f398f21b77

SHA512
f6a16e829f236f60ceb7ef3dea2075326fb373cf4be745e0af8b9f39ee03b9fc878404d4e62ec89805342b47289fc8ca697e400b7f4777778453b0db492b4b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkwk.exe

Filesize
159KB

MD5
9cd5fdb743933bd062aea924c8acbe1c

SHA1
4c8275abb65a05cbc8b2c651cc53c7a8aecb28fb

SHA256
15f2f887fd2d849db1d4d21c2f564599293eba3c00da3cbbce48775d84f53d6f

SHA512
9f5c71665395a1ce138088f0d31671033152e84e1b6681117b420f35ce7d0985e4bb426bdbf96ef474d76bf5779cf7df602b0375e277ceba87aac7917f6a8ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwUe.exe

Filesize
153KB

MD5
a51cba1d0baa58109b0bcc18e539f559

SHA1
5320c77f4c99926407f189ee13fb759b5f176dff

SHA256
f74b2b3f8b780591340e1daf4b060ea43aefdc72fe3e78f0278f2efefda4fce6

SHA512
63806efdd2a9bba7f37b4b515a4f682c400488dda91c17a63461e313b5cd46699572e1b8a153eb8ae7697db88b80b368d5317b73b6b227d66573d384b4ebf662

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCUYMwII.bat

Filesize
4B

MD5
a08356829e6c5f2409f5ef610219e28a

SHA1
18a95d17bb1c621571504a217654142144713223

SHA256
11fe5e087aea50c6df9e0919b21439028fdbdb6415c61d77d2a0ff8ca3b85cb1

SHA512
c64a2e27634c075a22978f74d089b0cdc715b89a7338f7ced789b8ae38b0cceaa8aa39e57e2b9b3fc4801f5dfa90ae8178bd37bd04764e141a16728fb2653ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEMC.exe

Filesize
158KB

MD5
50b0614fbb27f916ee42904268e8abc0

SHA1
8fa363a3e23d24eee34588ef064d302fcd111f99

SHA256
933b62b49665eeb560681933e877fbbc4299cc0ea356bd8bf305bc9b57f865cf

SHA512
3dc18dcafab3a2b5b18414a2887d54ffacea6a15152f9c9ae546516aad34c24eabfdf46a54151bccacabcd9c45c7803bdc77eb425463669e9867874d6c8b6a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEccIgsU.bat

Filesize
4B

MD5
d55da16c4bb92e7ed4dbf0f2695fdd45

SHA1
5a604069fa9878a3223530aec86fe44e5f01049f

SHA256
0f14be3ef3531397c24f336863d22642aeae452fe1237e2c0874ea41a1436bfb

SHA512
6c343a5d999013fcff3f6b89b37eeb972ccfef6d312f3d0c955b0d11ae8a5733e59fb561c1429a3dc98bf1d14a19892c5a5a09f66b5f510ec33ef47ba98af9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKMgMssI.bat

Filesize
4B

MD5
bfd597644b94965acaab9764a237eb43

SHA1
09e3b341a413246fb09903f071b0bde3b5d1fe65

SHA256
cf534d28a5335dec784edd8774c20bf00bebde4b9b0a3e0fa744df03e62e3354

SHA512
dfd71aa8fa9d03e3e40f93c0af58af80a9837ba94d47d7f998f90971773f5d42087bdfd0aa6324178bc46852731e8907da5b94ec34b6bd6ee992b145e8eff9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKQMEUUQ.bat

Filesize
4B

MD5
b764cf208cf2294a6c1419c56e158367

SHA1
a96fdd5b666e0fbd7e33c51818e9b54237ff19c5

SHA256
c2e798b2c9869ed23543a398a5bb668ea40bd7e63f5a60c3001b106a426e2534

SHA512
1e38ea9d98d37d24d3faddd6464bf568f35ff30231c22fc73aa4c71d3be97a7f98d3b059fe95a03a85ed7f0466f1d8ed982f0e0f602a4e40f9e04827fecb7332

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoAMgss.bat

Filesize
4B

MD5
bf0f6b368c99919ae0686e63ab3c8edf

SHA1
a4b8f41fdf06f3cb87069b0995cc7f106c605347

SHA256
847ea452cb6bfbfda709a26f3c2db294789aa192446f042a31edbc54b7e66ae2

SHA512
6d3e406f42d64d02330bcb25b0f70153e29c1063b243f2d6943ee7411f26b5379bd8e340691df4666caf8d44a6ff70ac4f1c1620347c4e9fa82b50867d75e986

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIy.exe

Filesize
678KB

MD5
1f021c94deea04eb5b3d7761e862c396

SHA1
f3e30cf56973a7f6aea52f3dfcc7f67030e60f0b

SHA256
c17663fc46d176892ef5584f759191fecdfe74e3fe820f961e61b7e2ae9fe911

SHA512
6d6b5b35c3099ffeebaa4d9dda9fb48d33b3b22750b5c1cb81a54987c0cbe514c6b353cc953ebb4daefafeba42a29e98f8dba2e24fd9049b86e0d699f1fd6650

Download Submit
C:\Users\Admin\AppData\Local\Temp\igUIkoYM.bat

Filesize
4B

MD5
503721c47776a12eeb3211b6279c1bba

SHA1
ca02035bae2b3f969b94811b30215f2c36f42471

SHA256
4a15605d2584b21d90c82f1547284e8d81161351fec2602976ed57a1435b4167

SHA512
05f178b65896f7812e9aee4293018289f56f2ca1e425f4d0535a64330634445473c50aa41a4f22f67dc95ed6debe6b10499cfebff4fc12a99dcc51cb3b1ffad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioEK.exe

Filesize
159KB

MD5
7ec2460e4b6184d0947c359e26951204

SHA1
efd9fde54c7639871df838974f2e2fe60de19255

SHA256
fcae0e89f150f2a3301664320f99127f7887f4dbe28b7584187d4b5d8aa3be10

SHA512
c207f59db85cc4b337138d9183a2c231e20cf05c59467cc2cb9b4ea5b85a55bfdc8ef8af90d29bd77a4d99b939e03628db82de5935834af36a065d728f69044e

Download Submit
C:\Users\Admin\AppData\Local\Temp\isgM.exe

Filesize
567KB

MD5
59ed576a185bc9a6c7027cb2fa55cf60

SHA1
c3e8642202ddd78eb4b3b6c32cb9e12d97102c5e

SHA256
2031ec28e0403e0bd27ee1b04747ea1f71f6bc40d5cc6575506807671bd998a5

SHA512
db5f921952d6a1707cf5e874f9a80de216c7b2f61eefe755fa71b8e67015f4a6a31315f8383fc31b989f35be3f88ba01fab601ff0cbf0928bf2faee95a40ecce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIAW.exe

Filesize
154KB

MD5
bb0b61a3bdd6e90fa9705ddab5c0077e

SHA1
cf83e7c2cd98b406f3511236c0104c53b9d2f0fb

SHA256
14234ca3368a1eeef1fb7f9f9f9a4e5a19d142542696a6ceee8e3ac2ab5b87de

SHA512
1016bda07eb19e18dc4f8bce83b3550eb10ac63c360ff233721eb3ecb7f9b78dd6d5dec425bc9cad0b8ea20ae35eb5be5c9418b074680eccc7233bc1794a4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQIc.exe

Filesize
160KB

MD5
88e9862bfce79b53b67238d73f56cd3b

SHA1
ac66e1709e203245b395a407e9a5d8347de90706

SHA256
07ba563694a69ae04de24951a3de48dcbdb2ddac1ee70fc09656e5c93ea64d36

SHA512
c58106f63467d0a3232ac9ba2e83e7104106a1a0e5f179db8dbcaf63461febede0ccfb69adfd18e2961c113b0ae532194ffbc1727f3f3d140d9d549545401a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\joIK.exe

Filesize
157KB

MD5
34dc98ed202f951554de241f67e53751

SHA1
1f4581b9bfcca6898ed595307e8ac51f95d65990

SHA256
bce533762891dfedea1b9c8dceac3a645c1c5ab2f476c5d12137315f2bb2c1c3

SHA512
e08d55cf6fe59b253ba7c8eff260d22c390660f0c43ac3684e0b11d866a58c6b0a81b2d74409abce1fe55e599cbd0f66385b999a249d3b919a9ae271020b5974

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYgC.exe

Filesize
45KB

MD5
054242947d7063582bbeee5a37ce3f83

SHA1
343b55358321cf636716913c7e714cd18564792c

SHA256
6210f943d14b2ee48d81fdde4a99ff61572de4d0c4fc994c37472e8a06f014b8

SHA512
86e35d5f4327bbac2c85aef210e34d786b8f6dfe52e2f1fc83ae8355af3d7fc12fd73203d82f0e0c7f26daeb44c5f7528ff314b6bd1efb123014e03603be5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccS.exe

Filesize
159KB

MD5
edfc497c9f928717e622514627650b53

SHA1
d31730b9785b3965951e2b7b08dee9921c705435

SHA256
3f4012c51e33751514bcc8941e845f2b36fdc521255a0d4eca599fa78fcc63e8

SHA512
3dfc999012a21ef3315e1949ee669e220d0165946050d37341bb73865c143d539afb6b32169a495e09ec686d60af999defe395722b060244ad7d7d5e31950269

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcoI.exe

Filesize
874KB

MD5
a6a96e93007bd66b6426d03f7746b473

SHA1
dfa2cc17bdd64fc205df5603b1ee61770c60b37a

SHA256
4641b541e2327b6613e4d69840a69a4e99e851e95fa1a4390af2ae46d3540f5e

SHA512
252233d66e6828c5d02c15ca74280bf186af2e5fcd5b2ad77d8aceec13f7f4b55fb2426ebf716015c7bf9c1dec4e5c9155d2ba31fbda5bb4c1834b52c0553174

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcYw.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgky.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\miEcAAUY.bat

Filesize
4B

MD5
1a6702a7561f2609f6416ecbd1d54534

SHA1
413ca0c4853350978cbb7c895c0b9efaf635a989

SHA256
12ea9453f2cd06040d9dfc2340356c5315374ab1e5d7a240be536f0c1fe16de7

SHA512
f0706d9ba81583cecbfe2265d4f7be37faddaeece170ab058c4c1d58d1927decd307323ebf5e28d511b3a82b2f70219b09d1c2469a6c6dc6e2558d3ec7e28858

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkAY.exe

Filesize
149KB

MD5
2638f9c8e4d8fd4d5bbcc39705ab168f

SHA1
a6cd1cb6f6cba5557440c0ab2912cc73483312ea

SHA256
17e8032776a44e2bd0f1c091bd27a1c85d946526a80c0ac36a1c12e9b9a2d44a

SHA512
4cb743949f654c02b7c7e959b9e5e17b35e60a797f159e4333a37f88daebd0126c18efa592361705bcd36f4ac536f4bc9fadf7378dcc60c928bdc4fc5ce66522

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEke.exe

Filesize
159KB

MD5
82a73330b926bd00d4a8cde909f37c67

SHA1
9ee391aefe3232928aac4a826019598dce005098

SHA256
e769179ed4d77b2dbf8daae4472fb32407a804d858ee039a2f14af11df439648

SHA512
675f16cc4b6bc9a9c74b0d6c6670df5b6e9e6c5d9a856c29c6e05a07879a9203d551570a70b7e2371308d7ddfc550bebb3b20a6b5ad5e07483e33a71c6f5f46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYIY.exe

Filesize
158KB

MD5
5cb9948b5109da2e726bf77a6211e27b

SHA1
65925f749a461c99519528450cc158792d17a751

SHA256
7f95ad3a2ef242319f65a44886c7fd435537d3cf9fb4ad253d773cf6c10ce75f

SHA512
24ec33aed68a200aaf022a42ebe5a82ed287080af3eb4909ceb01db413f0f24fcebfc23b74efe6d304b11665c117605d5b8b08d9a72f7dce9cff6d5d586e5c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQS.exe

Filesize
555KB

MD5
6cbf781d758047c3276c3afe164ded6a

SHA1
98be4902dd911a87ee53ec8e1f6de9dfc6d2ad84

SHA256
dca78f4fa4211a01315bb7c542b6e73a5dd290f6d66f69a92dd647e76ae4cedc

SHA512
b21bd094c68f6b02361c5d9e2ff59b98b845dc2c28a01f678b6989fcd29bdd00debfe185e23be0c4dd2c16e294e8234a0b67715bbf7734ddfec072f48a641917

Download Submit
C:\Users\Admin\AppData\Local\Temp\okMM.exe

Filesize
633KB

MD5
6ff028ad0f9218855f1093441bbf8279

SHA1
511400944cc3c10bc86c4badb099c94283a86352

SHA256
95b6ec52665b999a46bd6785ddc256ceac73bf2130e065ceb2b749ba0b7dbbac

SHA512
e4e5bd18de9146bd529e17547d8cf93f5a936e6f7b1e127e69d085ce3b0f98d018d7b85932ef7dbbe217e70eeb186d88bbb2ef926d5b03198f7471979b3b1477

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooYwkMEk.bat

Filesize
4B

MD5
92d54e60c1c344456e24eb889c0c33d1

SHA1
98a5dc0073f681c536f6cc4408680350a4401efa

SHA256
5d5d4639210a9ea8d24ce4d80016dc5b3130b7a536a84af2053249d1324eed3b

SHA512
088ebbd3d63c6dfa2bd778fe48ae5706c848e1c53fd39319be88b535819c7dbeefda09efad049d9a0763832586fd98a78a30e35cec729c3f729b614097dffc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQIsEwsg.bat

Filesize
4B

MD5
1f77ed97914d66754824b6edf4d28342

SHA1
49839ac8bd97223b296022250b87ca5974373073

SHA256
54a8a9a0efa9d88715d1d6778e921f05ce2d4e1478e075dbb7184c14c83ae796

SHA512
4b3ff16457cd0d1daf1b63ee41dd6c76dc60d0d762e50ec8ab45fc84a6e371ba9b8e47c5701c1e81153bfdfcf41c623a14ef10539104a310009df03b94e183c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pokk.exe

Filesize
158KB

MD5
13f93182548ee4560d69c2616932acbf

SHA1
d44f31299853155bb01b3cb0ea6ace9af081b8ae

SHA256
4ce9adfdf22aee25f121ba56424ce989b868daf2c0518c454f86ce00bcf23b28

SHA512
f0e52cf8656f2682b4460e133063c30de33febb4abf2be153cabd28da26ca74e54b3d0a4cf61557b75366aaa22b8b0ec4ae1a54c3a6129d523246c8800a27a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pokm.exe

Filesize
158KB

MD5
55b80a96158b3de9babbab1fbb3a5094

SHA1
ef2348ebb5b2912864784769a9b5eb5b3a2ea77a

SHA256
498bb0b6c04614ca15a65feee328b3c9ece08a00f308e4838bfb2cba02570fba

SHA512
4942580b79a59ec949cb889863c3e1767fb04d4d47918fa250bc1ae518b494a2ccf67f75caae16de08a2052de31a7635df61c8650891cbb6f530e3ddc0447071

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMIe.exe

Filesize
157KB

MD5
efcb2ff6171fbb2a88e81d2457ce76c4

SHA1
52ada3aae6f867ee60331fd5e469716d96bca853

SHA256
edbaf9872ed25b932a99c254254f304c035ed759c4ef3f762b80a42f52975970

SHA512
9828ae14ac12fb1e37ced4ab9ec61f6a3725a8c2508bb0b11972d669b5cd62778e97cfeb9601654f117e8af7eedb3f9f94f2a3d57990cd930a4d3c3fe777c392

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOYIgMkk.bat

Filesize
4B

MD5
92cdb765b9e4f51b8c60c29d993aecb0

SHA1
f34e15ab01a52c0a15dace3fea09e98026165dac

SHA256
c65b8b049100486211e32bc50df5f780f5e3bbb1db46b925e7a6934f962f8257

SHA512
e3b17a1e3039c624ad8a09b043c05318f25546f01a024c0d958595cde1c822b11441f85c6d6d5dc288ae7c4e55ba23b11282d8a597229d5873792f8982a5cd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcMgIEsw.bat

Filesize
4B

MD5
f8426327a92a84c28efcaa5add7a844f

SHA1
63c70a4f6064618f055be02e99a0bf86a54ef206

SHA256
efedd01b4ddea9c2df8b017954fa29338d2da4e2da387f7f83182217972b38f7

SHA512
495e8180319753fe754baf1899984cfaa059d451e9bb07c5d2e27a0057eeb728ad9219509d6990271da88801f65e60bf1042b90239537f389b3cbee0d0de25e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgcs.exe

Filesize
388KB

MD5
3f34ba6810ef23942f04af593562afbc

SHA1
4edf99efe81a8e83e43a70833e6b31b81ebc6448

SHA256
6922f6a6c11a9c0bfea9318cbc05edc7816cd341b26399b83f055debc9d222af

SHA512
a5ec194e558c2616985fbbdcf632940d3474f09fcac44dc5713114649c473996584198b09cdbbded943ae4b8dc760a3f7279b8b6cdb26d86f381ba62e0a93ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEQe.exe

Filesize
159KB

MD5
561b191773247b0a75af6746c711ae3d

SHA1
dd583b04046cfa1d47f5743840ddada0a873d25e

SHA256
d678bb83d6fae7c5eb58426cdc33b883f6ff31f67a2225f559659bdb49994665

SHA512
f50263a7522b34a4b934febc5fbc9d10a0670ad467a114051ea88b366dcc1efdb4c18eec8e4aebaf5573daf14c2bd35a79df7f27c75b290526f5da17600d419b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEocMEIo.bat

Filesize
4B

MD5
a184803a720309a84ca0ba7e856441be

SHA1
781a716858d496069bd79e0cafe2b0038208ee6f

SHA256
99c4753eb851a34fbfd985fba80711c771267c48b76479a1c3c183e8e985f29f

SHA512
f0b90979bc0d56c2d4d0a2e108383022d20d610f6fd266ec7018afb49ba6953c3bc2f851141653ab0fff237ec3f76f723c5a20b495e8ca5df0b95576c4f83233

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYMo.exe

Filesize
160KB

MD5
3a7484aa137ce20fdf5cd98e09927d8f

SHA1
e4406860966d2bee04364a7eb34c6c6c3fab3714

SHA256
b0bee3182b2cc970528c7f600c4b5b9ee58ef435f7e491e2687660f11a86f7eb

SHA512
f3c68317eb3c64f8c44d2659642754746c5091ab6221f3e4499cd40a2f22e106286d04d497297b39a85158cb75ea0af841546c97bb5e54d03389d6e2a1de7b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgsQ.exe

Filesize
158KB

MD5
1be7ebd247c2655e1bb0366c00a6e398

SHA1
5a66cf4eebe54baf43e6fb34f998c31c94d9def7

SHA256
9238a5d70326002dc76a7b69ec0b127e6ff7fb09ab470e9d5c588290611165ee

SHA512
68fe05f7b1b16b6975a676334b0d2ab308dda63f6835d5627c068075f01870d29366aaed7d9f7375022b9cce7db42aa9a462175e8eaeeee3022e4f168fd6b836

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkkk.exe

Filesize
397KB

MD5
724d9354dd3bb08061fffa11fbfc32ba

SHA1
4b1dd381c6c1c0bf90a919d7a4f7262d3ab15fb1

SHA256
16cddad77ca740bf54e691dcb6b4c09fb1b07bbee5a19a250151a6ddf1ad456f

SHA512
920f8a0a6df5e3b8ab9b4d8b7704a5aa3a7090cf709851318ec6efd134c9fe03343628ed9a104cd44ebd3077c7f1f8689a5938632687d54daa4ca9398fa46cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQo.exe

Filesize
576KB

MD5
4abb8ef4c16a2a0d1d693700c6e0cc9b

SHA1
063fed3b8caaaa3e7d171e8878e5f952babe5623

SHA256
64a524d79bf5b8c605f38b359409af1b022435aa90f2220b22aca82bb1274d55

SHA512
0e9860e86ac970600549588efd041cfd39fd9c2966d1748d5ed4977d4c6ddbfd2789dd03977c6344dac2721a9b7726d809d354ec2ea6b1bba3a54af6329d93f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\swQW.exe

Filesize
140KB

MD5
7d0ce94c2e0f7c3f6d8fb1c3cff47dea

SHA1
28ec8cb63eba3a8cdb86d2804acb5d36ad2915d5

SHA256
3335c9cc591244af0b7c2ee26bbaa9f6df49e4d4f6f9e1da9e3fd019752c8300

SHA512
ad3d16ba0b0a613a3971ebfbc596936ccfa4b3630dc835c6d545e1bd07c6cb7efd28e36cfc6666996fd549687ba41a8c52b5941d7d5950d0a72efed6b693d0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIIW.exe

Filesize
159KB

MD5
943e6e733cd731728f3ebeea0fa1a175

SHA1
a1deb442597529b35aefd56476920ad59eb1c1ed

SHA256
a4e344ec88005c78bbc4af5f8679e0d410a8450138ed094722e22bb045abb73e

SHA512
6a7fe616f743c5d0c439ca5986db85bbb138acc7733dce1936fde50a3a92d01b11ed76ef865e6416c9b3629a46663670f5d4350321411bfc4efe50946e112fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\twEm.exe

Filesize
743KB

MD5
66806298e1cb14427aeb4b8552231634

SHA1
8a8a0d7d5f980e57aa1c43c0b2297be51de780e9

SHA256
e7403811987dcbe6f154330bb2d56eeb0a55d28338e740edba1f39317e6c4f06

SHA512
89e833d571d1a37845661ae97f9d36bc68fb68ba8f1d0da15d8d43de116ed7a988a5707117ab3aa4082522302c7c6f38d13ecf890ca10fcb15147b8069b3c427

Download Submit
C:\Users\Admin\AppData\Local\Temp\twcEwgcA.bat

Filesize
4B

MD5
d1c2b04c2fb2403ec1c250e36c094980

SHA1
70075b26738a195f907a87c2ecc1254de4e42be9

SHA256
8781ea89fdc9cfab7a2ca917f38629fe5e4e425781f8299fe5025075f41035bb

SHA512
9e6cd64b59b6b14cc6e9678657c76ca07ab37a05f18b396edddae529cbf9f95511f5f38bedb25b51091c83d0b139e488722de2e696b823030c70c7b4ca1673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEYK.exe

Filesize
136KB

MD5
4ff7684a96bd6df7602b7ff6f0a62153

SHA1
3ed0e84a02affb75071479d2d878cdc0beb3efd0

SHA256
57cb7973d6419e65181301b7ecfa298814ecee09d16be9ea043b1d5473e5708a

SHA512
3eb48194a4eab8fd52ca7127dfb4a7bed6b2c092a8994b2bd18bf5481aac842c1b2f8e9a9a66d77ebe281300d92ef614be9f3298f3aa26a20cbbfc5c3c6a8e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYIYIgkQ.bat

Filesize
4B

MD5
52691f04f88f8af4556b84c9ba9ea997

SHA1
386e2efd98951bdc10264d1d2202b03bc50599fd

SHA256
e181faf1bb280f23b190205d0cbae2812f97f969b2bc24b6f59f97b5aa760438

SHA512
edb121d9fb4945d83e9f78e5a5ca5062f5d93cd3a7d87c37b32ebe537bfd7804e16f34bc63e16e731972982217ee48f8133e733a080d6c57592a64da940a2621

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQE.exe

Filesize
970KB

MD5
bef9e09878b7ef6a3efab11abbab8f4a

SHA1
66435772587b58df79d1aa731a74ab698d80ec79

SHA256
a48889a6e2d176302d2588cafb9ec26ac31b310bb4883fdaa48ddca95fd5fa38

SHA512
28e1339c378aefa181fa7ec14edb00d1565c9c95b8652eb15caabf497627bef10cedc7ccc102d60b4e15441b2cbc7625b40de0767a0785fcb73752f2b91d553a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAwQAEQU.bat

Filesize
4B

MD5
2bed0394ff3a5acb43a3d7cf08545192

SHA1
8667bdb6a9a6e90ef3cbf8d22103e25f761298b6

SHA256
f10d8d6dd4bce44e385d1469e7f268e8059ad3f137f678d1232a50c2143f158c

SHA512
55abc42890ff8df31cc01ec461f5a60056b2ec4221027c575023762040f86aaba41b028c2e5fda230c23c858b69773371afb689798cfd885132c175edac40077

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEYM.exe

Filesize
237KB

MD5
84a7ecbf7ee1e86d96c26902509276b3

SHA1
97110f3623f44f75b36cb757884bfa49dc461aa5

SHA256
3da327dee2e9e292811f3135ca9f0ccb3979c01d3811b2400005a762ce584abc

SHA512
684b55bd0c65b4986877fa23418501e771fea6de0b52898f319b03dcafbbda4c4975b7607b26715581ad234ad3f5cc25a40cca64d864f6163666daa0fd66a9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgYE.exe

Filesize
237KB

MD5
a3a2a8296be995ccb72aecdce3e9627b

SHA1
018f858d193b23f80f1a1853a53ca51ad64c3f37

SHA256
b1bf5b5eac17e853c50b2f74bbc87e62024484725bf3c410ad23e1d780fdeca9

SHA512
2b457c97e132cfce9009becb05605571f62ebc27c946c3883ec84aac385166e0c526b64dec3c608c519fe43f0125dd6dc7dbf9da48f7bf161792372487804e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwgm.exe

Filesize
158KB

MD5
052554348702a0ae7ff84c890a94168d

SHA1
f3fcc3693d3cc150f563fbe44e96e4314bae6c2a

SHA256
05af77de6b8b9be703b547ccb416aeab36dade455c1fcdea7552bd13ff9eb5d2

SHA512
cfca0f80ac6ac623a9f4d328b4f185b8b1234eddddffef82724c87925d7659435a07b8a255658a982c514983bbdf3e1b0ad82f40f762c1516a4ed1199bc18052

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAAoAQMI.bat

Filesize
4B

MD5
1a478867f044f9fe635af5acebbd6f53

SHA1
d70555f0dcdd6d4636896821d5c3e5fb9c7aa210

SHA256
95801b665bbea72eec84de54326abf1ee141f5bdab990ce66dd92481e9e307aa

SHA512
685c99132e6040714d18b4d26e600310a471fff7aa0177f33c427afe69d6b7fbdc53877e07f17744bfece4a2cbec479e8ee58e33178a41551cc214ebb353c1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcce.exe

Filesize
690KB

MD5
ff7d87d23c6b0dd55a890f9da12a3e06

SHA1
caeb6e816f44727c84c9c44dd142ec8dc0f58e95

SHA256
8e0d2a0d6690611039875ddf0c0d8ea729ed26a7f21ad0cca2480ca3bb1a73db

SHA512
92d3501d96a45dd680bf3ba5f366cd9ca9483bfa88fec4b7c1f4eb9cd31c72405400f3b878765b5e8b3d636347cd08b0ddc04a97c9a4aa0232879d6e05c40c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEww.exe

Filesize
138KB

MD5
d0422a46203836b4dcd8748c9001b31c

SHA1
0bd655c4acda22c4caea07c5d0d3dd6524edc2ae

SHA256
19136f53ec35bad04f76f012a08124fa3ede2308a9ea7526eaa7b91f8d148cf6

SHA512
d8586724e1f57ea91abac4595d869262e1f4ca2e3aecdef972a4bede8636342d24d78b7a6366c9a91e72ac53f1d8a3eafbc778b518aa297a13b85366bd41723f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGQAYIQw.bat

Filesize
4B

MD5
ed68c92e6a52063fa5358babf4e7093f

SHA1
f1454f33c269138092be92a38a688dd2f253a417

SHA256
c8c149298367f2b1bded10a15ac57320284136dbbf4ab35f0a00062eea4af199

SHA512
37a727b5f3eadb52105492c5baf9865da80334d46baab9c973bb60c75a6ec04d711da7560a15d4c557c1e7985dfd0368d7b77d139b24c2b4e5ecc778a5797b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOQgkgEs.bat

Filesize
4B

MD5
2f003e5db03524c4241482f6d26f171c

SHA1
d39c7d10cf8467027bdd627c282f3dfa628f7bd3

SHA256
176d1024ac71dc43f392bd47e0b13c442ac86f6ee41927c113c4989de867a2d0

SHA512
c38f65411421bb4dd6cdcc6007c29080b59622c0d4aaa69a13eed5be33cf287e9c497a774166a3604f5cb318e8eadb642f78cc46683095eec0009b1175d8442f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsEA.exe

Filesize
158KB

MD5
8f606a4bbd82920d5b93c37f254347a9

SHA1
3e63285839e5b6d6876bf2a4fccf6d7c35f1ae29

SHA256
d5f02d231c32df36c073162422c43cd14e4249645b81069eded95a52b80e291f

SHA512
04152fdaf0bd969c1c2ecf0b358054875802e0e90138f58f87e56837dcd33ba1128fada787d1f5a15d8662aefa4588ac7bfc323b5cc2769f9a10aefd9c632d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEEc.exe

Filesize
160KB

MD5
3a92fc29b1566160a97e992d118306ad

SHA1
daef0585723a7deba7051049983bba97d6b74e52

SHA256
4bb007d9dda58e8eec6b54a5c3bae5d15498210c3a618d4eaec4ad8f159527b2

SHA512
02434bd1ff41597ab8c766fe3d89422fbb96f187312ae1491829a0a053af17a4cd2cdd1f81540e943538b7b2e67a95a6dd96e060cf23920233b508f5e6bd352e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygwe.exe

Filesize
158KB

MD5
e24b9d879b68afb7025483f8442a4928

SHA1
b5b50ab54e2f95a5a4ddde4fb1ca5c1b164348aa

SHA256
1f23dd9735d852b65c0a292a90163b73cda50d68b93854a31128a58497e266e8

SHA512
8629e4ee4e22aa67fb50c8d28d5a1a6b33bee3a03a375e929bd595e36fd217a83e90ba7b1038a8a8fded6755e69b75ad9cb447c3623fbbc2753ab5383924638b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykck.exe

Filesize
159KB

MD5
655d80289527141eeb001399b4a5d743

SHA1
9c893b37de7e0ddea649a758539e6008404b3d0b

SHA256
e7f596bf9ef6e88faffbd64acfd44b5bd08958cce580717ab2ebadc36576aa82

SHA512
d52b6ee6382afa853c98ff7ff5feea267dd6c6df95a0721b8bf2de407b3c7fa02afc0554a9db23ca3342ba4b581199721c6f347fb6321a7f258f98a68c9ea3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQIssEkM.bat

Filesize
4B

MD5
e1895e13ca9f80d6f46c4ac10742d38d

SHA1
87eeaa37fc1c29a6ba5e0dd68f5d008e5a65587b

SHA256
132528ad05d465f1242918f1c4b381e3d68677d2eca9d99c856733a17e56290f

SHA512
c1631f6e19cb46ec2103ee5e0ab115cd93cc956fd6503e593adbe703ebecf05c963c7e7764fe928c05cd3ab7ee7b6839a1c7b55b79d8dd81e1e3b5e3d4a00f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYEoskEM.bat

Filesize
4B

MD5
a2cdb3882788b552ddc3db671b101c93

SHA1
700b9731b05dc28eda5825772a6a12773a3cc729

SHA256
8799b86cc594e03a2fb68557610559e313dd882d8968d073a25a2f7955d14198

SHA512
5be49c8e7b9384dfaef6b50281a9c34f82ad14274ddc6a3c903e7145194da99dc2411bf2d2fc27f7e19ffe09a198f057ba2ed90c2c53f4bad9f966c167413129

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\kCUMYMIk\sAkcEgYU.exe

Filesize
111KB

MD5
b6cb3088194b19b07a68f54c68a64e03

SHA1
c20533306ee672a3eb1801eb78db601d435236c6

SHA256
a6e164a1410fc44205841cc0e3c024c03c3c57870dbe7758c1fc96152e2af0a5

SHA512
9e58b91669b4259ae4a972997d76e0a673bb684ccb379b63064fee340b52e8c337814bf85cbbd4e17d9424578b30938840683e0442d806432ce98c53d067df7b

Download Submit
\Users\Admin\WaQoUAMk\lMIUkkUI.exe

Filesize
111KB

MD5
f7eedb85b48ba70a0909d618e0b836f9

SHA1
83e4565da548acaa2a0700d21ba24a3e0f5f4864

SHA256
f5a8e69b16ec328832e7126a7ee163fdb30131bb05a5face21c8b1e3d476c761

SHA512
fc7acce059448025eddad2b16a9549431665077ee55650eb71465998cf13969caf5b11cbb1c6047ba4fbc80e2a19fa29698b3d206753fcbc147d7edf738bce30

Download Submit
memory/564-112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/564-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/652-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1092-398-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1092-365-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1132-243-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1132-245-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1372-277-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1372-300-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1384-276-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-220-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1648-157-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1648-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1664-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1688-301-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1688-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1756-363-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1836-182-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-159-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1856-230-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1856-198-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-246-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1932-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-101-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2064-102-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2080-317-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-436-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-390-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-158-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2144-149-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2208-196-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2208-197-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2252-299-0x0000000001F00000-0x0000000001F20000-memory.dmp

Filesize
128KB

Download
memory/2252-291-0x0000000001F00000-0x0000000001F20000-memory.dmp

Filesize
128KB

Download
memory/2304-437-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2616-104-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-349-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-318-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2644-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2672-254-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-221-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-207-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-183-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-30-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2728-5-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2728-13-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2728-31-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2728-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2756-340-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2756-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2760-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2760-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2816-181-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2816-172-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2924-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-350-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-373-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3036-388-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/3036-386-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download