868755a7eda59a0b5db15a58df3cdc78c6dec111e28c76a6928eb4ef3df7cafb

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
Size

117KB
MD5

13f6d8509b9986f60aaa5d2651a02594
SHA1

92dfc39cb34688bee66f7b28649b79c3f7903bd0
SHA256

868755a7eda59a0b5db15a58df3cdc78c6dec111e28c76a6928eb4ef3df7cafb
SHA512

b42886a64e5a07bdcb9c9086bedffea02941b6d73aeb3856a4a1b0800e400401b639f94be53aef9e991c0ae506fd819747f0e4ce5c93f5bb4751d695cda9bb02
SSDEEP

3072:0HQdeI28ZZtEAJLj64a0FSs6o4NnVrrAUUQ/iC9:HeItZnjVFN6oaVrAUB/d9

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 54 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 54 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	IqEYAYYM.exe

Executes dropped EXE 2 IoCs

pid	Process
2508	IqEYAYYM.exe
2292	xisosAAE.exe

Loads dropped DLL 20 IoCs

pid	Process
2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xisosAAE.exe = "C:\\Users\\Admin\\euAMAMMg\\xisosAAE.exe"	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IqEYAYYM.exe = "C:\\ProgramData\\gEAcQwwY\\IqEYAYYM.exe"	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IqEYAYYM.exe = "C:\\ProgramData\\gEAcQwwY\\IqEYAYYM.exe"	IqEYAYYM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xisosAAE.exe = "C:\\Users\\Admin\\euAMAMMg\\xisosAAE.exe"	xisosAAE.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	IqEYAYYM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2456	reg.exe
2180	reg.exe
1892	reg.exe
2780	reg.exe
1292	reg.exe
2744	reg.exe
2064	reg.exe
2804	reg.exe
1904	reg.exe
2440	reg.exe
1500	reg.exe
2960	reg.exe
2612	reg.exe
2384	reg.exe
2744	reg.exe
1740	reg.exe
2952	reg.exe
2308	reg.exe
2400	reg.exe
480	reg.exe
480	reg.exe
2208	reg.exe
312	reg.exe
2328	reg.exe
2756	reg.exe
2936	reg.exe
772	reg.exe
3056	reg.exe
2680	reg.exe
1064	reg.exe
684	reg.exe
1248	reg.exe
1432	reg.exe
1628	reg.exe
1692	reg.exe
772	reg.exe
2960	reg.exe
2708	reg.exe
1668	reg.exe
276	reg.exe
1564	reg.exe
1560	reg.exe
1212	reg.exe
2776	reg.exe
1748	reg.exe
720	reg.exe
2564	reg.exe
596	reg.exe
1452	reg.exe
2436	reg.exe
2096	reg.exe
2972	reg.exe
2972	reg.exe
876	reg.exe
2672	reg.exe
2728	reg.exe
2228	reg.exe
3068	reg.exe
1416	reg.exe
2536	reg.exe
1060	reg.exe
2916	reg.exe
1116	reg.exe
2756	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1728	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1728	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1472	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1472	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
596	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
596	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3024	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3024	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2208	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2208	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2160	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2160	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2712	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2712	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2344	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2344	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1284	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1284	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2672	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2672	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1928	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1928	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1624	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1624	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
528	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
528	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2344	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2344	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2116	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2116	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2420	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2420	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
312	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
312	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2584	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2584	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1420	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1420	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3064	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
3064	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2704	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2704	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1288	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1288	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1964	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
1964	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
844	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
844	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2148	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2148	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2428	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2428	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
300	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
300	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2064	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
2064	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	IqEYAYYM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe
2508	IqEYAYYM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2292	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	28
PID 2452 wrote to memory of 2292	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	28
PID 2452 wrote to memory of 2292	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	28
PID 2452 wrote to memory of 2292	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	28
PID 2452 wrote to memory of 2508	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	29
PID 2452 wrote to memory of 2508	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	29
PID 2452 wrote to memory of 2508	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	29
PID 2452 wrote to memory of 2508	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	29
PID 2452 wrote to memory of 2476	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	30
PID 2452 wrote to memory of 2476	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	30
PID 2452 wrote to memory of 2476	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	30
PID 2452 wrote to memory of 2476	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	30
PID 2476 wrote to memory of 2500	2476	cmd.exe	32
PID 2476 wrote to memory of 2500	2476	cmd.exe	32
PID 2476 wrote to memory of 2500	2476	cmd.exe	32
PID 2476 wrote to memory of 2500	2476	cmd.exe	32
PID 2452 wrote to memory of 2736	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	33
PID 2452 wrote to memory of 2736	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	33
PID 2452 wrote to memory of 2736	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	33
PID 2452 wrote to memory of 2736	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	33
PID 2452 wrote to memory of 2484	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	34
PID 2452 wrote to memory of 2484	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	34
PID 2452 wrote to memory of 2484	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	34
PID 2452 wrote to memory of 2484	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	34
PID 2452 wrote to memory of 2456	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	36
PID 2452 wrote to memory of 2456	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	36
PID 2452 wrote to memory of 2456	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	36
PID 2452 wrote to memory of 2456	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	36
PID 2452 wrote to memory of 2412	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	38
PID 2452 wrote to memory of 2412	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	38
PID 2452 wrote to memory of 2412	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	38
PID 2452 wrote to memory of 2412	2452	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	38
PID 2412 wrote to memory of 2816	2412	cmd.exe	41
PID 2412 wrote to memory of 2816	2412	cmd.exe	41
PID 2412 wrote to memory of 2816	2412	cmd.exe	41
PID 2412 wrote to memory of 2816	2412	cmd.exe	41
PID 2500 wrote to memory of 1756	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	42
PID 2500 wrote to memory of 1756	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	42
PID 2500 wrote to memory of 1756	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	42
PID 2500 wrote to memory of 1756	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	42
PID 1756 wrote to memory of 1728	1756	cmd.exe	44
PID 1756 wrote to memory of 1728	1756	cmd.exe	44
PID 1756 wrote to memory of 1728	1756	cmd.exe	44
PID 1756 wrote to memory of 1728	1756	cmd.exe	44
PID 2500 wrote to memory of 2340	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	45
PID 2500 wrote to memory of 2340	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	45
PID 2500 wrote to memory of 2340	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	45
PID 2500 wrote to memory of 2340	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	45
PID 2500 wrote to memory of 772	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	46
PID 2500 wrote to memory of 772	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	46
PID 2500 wrote to memory of 772	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	46
PID 2500 wrote to memory of 772	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	46
PID 2500 wrote to memory of 2560	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	48
PID 2500 wrote to memory of 2560	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	48
PID 2500 wrote to memory of 2560	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	48
PID 2500 wrote to memory of 2560	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	48
PID 2500 wrote to memory of 1220	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	50
PID 2500 wrote to memory of 1220	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	50
PID 2500 wrote to memory of 1220	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	50
PID 2500 wrote to memory of 1220	2500	2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe	50
PID 1220 wrote to memory of 2016	1220	cmd.exe	53
PID 1220 wrote to memory of 2016	1220	cmd.exe	53
PID 1220 wrote to memory of 2016	1220	cmd.exe	53
PID 1220 wrote to memory of 2016	1220	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\euAMAMMg\xisosAAE.exe
  "C:\Users\Admin\euAMAMMg\xisosAAE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2292
- C:\ProgramData\gEAcQwwY\IqEYAYYM.exe
  "C:\ProgramData\gEAcQwwY\IqEYAYYM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        6⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        8⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        10⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        12⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        14⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        16⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        18⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        20⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        22⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        24⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        26⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        28⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        30⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        32⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        34⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        36⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        38⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        40⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        42⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        44⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        46⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        48⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        50⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        52⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        54⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        56⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        58⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        60⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        62⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        64⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        65⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        66⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        67⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        68⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        69⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        70⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        71⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        72⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        73⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        74⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        75⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        76⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        77⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        78⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        79⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        80⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        81⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        82⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        83⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        84⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        85⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        86⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        87⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        88⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        89⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        90⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        91⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        92⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        93⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        94⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        95⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        96⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        97⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        98⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        99⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        100⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        101⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        102⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        103⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        104⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        105⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock"
        106⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock
        107⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryUwoosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        106⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIkQAIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        104⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGcswwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        102⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EqUAwQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        100⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uasYsMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        98⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuwoUcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        96⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMsQIkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        94⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOgMUwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        92⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoUwcEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        90⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SggokcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        88⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGQQcokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        86⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jCcMswsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        84⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaEAoAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        82⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcccwEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        80⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgwEEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        78⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIkMIIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        76⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ooEYwQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        74⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dMwcUsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        72⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCwsoAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        70⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GoYoIgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        68⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWcQgcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        66⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jscwgcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        64⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\foEsMEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        62⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcoUIUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        60⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEAMsIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        58⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYYoAcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        56⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCcEUQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        54⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQgIUsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        52⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcMYgUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        50⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\agIwEEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        48⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWwowkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        46⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgQwUsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        44⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqEQgsIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        42⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkIkEUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        40⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwAsYIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        38⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMwgMwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        36⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qusgAIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        34⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUsQAAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        32⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYssYokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        30⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIwwMogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        28⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYMgEAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        26⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSYQAssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        24⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKYgwsgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        22⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAYEwoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        20⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\peMYcEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        18⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMskgAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        16⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WysAYEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        14⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOcEYMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        12⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCgIMAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        10⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqoUYEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2336
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2044
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:820
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWYUokAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
        6⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2340
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmoEgwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKUcAkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-50468838-768829845948759343258438541-4090422901739701428156253475-1850099200"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "519122181-1666973831-1624677640848259499-780749783-512202281336768049-173213669"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-270741480596397917199200694-1847763752-1270541223-363359258452047110517667200"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1743440984586362638-5524616212886938531208640836853796844-2030504918-1179890151"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "191322099345033301875533567519779985083672690031341754461-1996372245-444076148"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1894241730-1781710893-1625469137-6696503032059355609-2132256924829960498-235096426"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2007935219-33498840832109140-14915289871362457644-1098729104-335681154-221026375"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1030301587-1308881655-894692601-993604788-2054308393-11951837881122274280-1730946920"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1929744688915223839-1972803354-651438455545267227-793657517916750654430110116"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-59943428916975970115327120061626224250850475494-152431706-455913141703719218"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-408964534181739782-856808715552747517981601501693026327-100250294-626523473"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "532767309-1877285209-183171416-18938784331817642409393060625-1901808634-1205456078"
1⤵
PID:772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1385643665954539719-1186786004-952182559-137639687-4833593601536458853-1308521551"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21322770993014893001376364633-983094567-35607797-2304911241452179608-468385399"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "480650903355118779287766724607625343744022992010605802-1215502307-610473301"
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
161KB

MD5
76dcb245757def24f67e1fa9da27911a

SHA1
af8b9a3ef318ed160d35cbd0a04fe5ef9cbb1212

SHA256
6a714d399f52627686f41673d10f4e3501dbc8c4a715c8a0187df99f0efee62c

SHA512
a6e5a4061f0b4af6909393c1d1b9e6e2acbe49efeda43f92db3a9c8f2ea53a6ca82f5f1858af5539d93ef7c646c66190951d033d3b33776bbd140c9254e8a637

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
158KB

MD5
6b2957b2ba6c2de97f7eff625300d254

SHA1
3ec6dbdf99c86f095df760fccb6806a02eb16c44

SHA256
5e230a225302a1b5c779619f98c1718079d7c4aa5caed9c6a857dfc962faf70d

SHA512
662479b036044087c45f4c6e6bde0d583c736296a1db755db2c1c530401f21e32ca6f718ab73ee0c8019eadb86fbfa973829e9961d0808cd899d7568ca12c769

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
157KB

MD5
efb0c39cf72792ba9cd96119ea1fc74d

SHA1
cf0e12eefe2f72d6ea970f5555132a64d66db713

SHA256
32972db3b3bbe399d5a2e507dee3a8282cfca359d7b4f098e9efe4c5b674e03d

SHA512
a319a8e6df5b8d523874ab31ce9c99e912e8c75d9851adc27e4bdc9e2c6f6e9d5a2a6658d44f1ce93b93886fd696103571c57d9c0c38827edf66502a9ced238f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
158KB

MD5
55eaf5441ec883946d9da759c39d59f4

SHA1
456c2ae729454d3ccfd3094f2dfb628ee1554592

SHA256
ea4cf6f33c4948a65909b997d35dbad16f2f3ced29223a39477e4fe673d8eb9b

SHA512
e848222d1afad7210cc7cd6bc0f1efc2de13d36af89fda13ed8a9473baa337f7d183dad2efef5141908990681a255bff347572f49e227de39a044996a545bd6d

Download Submit
C:\ProgramData\gEAcQwwY\IqEYAYYM.exe

Filesize
108KB

MD5
fd5cc08346f954724d90095992f8d803

SHA1
861a1b410af58c039ea83373dbfefe19276d1801

SHA256
4754c0505cd9f862ca8d4cd1e8c81481d0e51eb010dec10aeb9fd6bf45050ec7

SHA512
fc52f9489a7a3ed407c2b519dd545fcee4067ddf15d9afa65fc116524ae945731e1bd29424f41d2e31e255f811bf0e951a413097cff6bbb41f11d726842026ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-29_13f6d8509b9986f60aaa5d2651a02594_virlock

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAEQ.exe

Filesize
158KB

MD5
b3ebe80d46bff22baba6aa03456fe50f

SHA1
eedff0510bee8d2a1e6a42d8265cc2d2a1645393

SHA256
fb31b9adb2170f2911ac095a97a0332912e6177a742d5f47626330d8fdb7b57e

SHA512
3d70058ed87d7989051c6d0569e2458b37a8dfaa16f09d697daae3d48b9b16659d5a0f634c24a1bf29e325d0a53ffc4c6f75e75a53b049599102f428a8e98c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkY.exe

Filesize
555KB

MD5
172a5a3e90160df345fd79dba76ed295

SHA1
ffec8443e9c6800a709805f9729345bf1f13c82d

SHA256
1a4b46ff1e21813f77e968ec113c8e4307c2db86c812ad74fe4080c847c9bd37

SHA512
3b79b4a8c6607fc97e15926176531e8ff639adeb4f1dffda45c80713ce4688a736f1acedb641814688ffd578e5d0e1d4b270cdce6d5b3aff1845ef9d33ade864

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEcG.exe

Filesize
159KB

MD5
e98c494a2e8f3ac7d8914dccf8928ee0

SHA1
cecb253a0108d320067a5ebf9c609f276fa0e4a9

SHA256
a9f9fc70cd546617dcddcddfe00ec7d894016015a0f13b4a92809e7af66bdebf

SHA512
5465190ea174ba9a14368086cb86e7882998fa7b64b57c20abe29f7f15c90c1c2210ee7fa2c0a633749fce55c419660025d2117f78a4087793b541899ea7bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAI.exe

Filesize
157KB

MD5
bdb223d3ddb678e4ef493e2caec765c5

SHA1
27acf7b56810b17e5610116748055545263d6a51

SHA256
9044dfb3695514c2e459eb6709e4c001e13e4ee2c50023d05f4d6eddbf9b968d

SHA512
e4305fb50cda5f28102a395d5b9223f134558013c0c0e42ed29313a2ff74fce3be3b1f13b30990ef42392622da4363f72955790a2a960dbacaf9d8710f06e67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgwE.exe

Filesize
743KB

MD5
3b3ffdbeb718a568dd3398fdd305acd4

SHA1
eb1db77f23f5d4c6a4a0313fec32552b1c1afd6c

SHA256
ae40f89cd2895aa07f5488fdfe706a057167126899038a0bab8c077a98756357

SHA512
fa06d754715f3c3317b7816cbf902eb3ffd297b8b19bbbe37a4a1c2198b81f4780a95ab4f3a06e35786a11b99cddb5bc5ea7b5015efeb05c29599c064426a084

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcG.exe

Filesize
160KB

MD5
c6b0f82cdcf385377e738408977bda20

SHA1
2932c60a8f3b0ef39885f068b9fd9f4bc243b0c5

SHA256
49f34e884b02f8e1a67a4306aef4d61789e335e58e94608797f8e109e934cdf2

SHA512
f8fb172f3324f6b2df20b4b6d575a66f0e8755eb9e6923520c8ce3d0dbbd0549eb43d7d1ff083464156dfacca11b6ac93ad4a2a9061194b04e7d247d72d0d973

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMoEoYgI.bat

Filesize
4B

MD5
09d47697bba8af44fa2b4aae0e13e7ce

SHA1
3f1c72f5e2bbce62d10ca9421b543a35ac76af1d

SHA256
bc3c751cc23c1da52abbc31b516f7af7e817bc71dfb7f7ef6aab9e5f75283f10

SHA512
29fc29060e79d24d6b5553f1bf5ee861f67651b4ff42d68005bcc01d07be1b2c1aab460b113ba5a941ed51ef146add09e5f65eb7c17e4ad67c632cebc50f9fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcEAQIEQ.bat

Filesize
4B

MD5
83cf2d635bfb035a4e0a096e0b2c7c06

SHA1
8afbc8e0c665af017aec097cbdfa0a59078b69f9

SHA256
0f6c93eaff5b525b063335ab209cbdacf3946973a0fc91a064b1d6ffc6720893

SHA512
a8a06f87a8ee2977087c06aa5e517c078e5bff454b3cfec501b679c9cbe5bcb021919c75be4f000875e209c54c98d00d49f3585e55baaf4a824bb3b7e9c61c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeMEYwEM.bat

Filesize
4B

MD5
d29094808e6952b0d78b2725944495ce

SHA1
85ab76eba5a5d5a845cb2feea785bdc2e31ca28f

SHA256
9d14d67ba570c15e68001972f18243536eb0c25abc00f860c9734f3dd42b4c59

SHA512
729cd835f0b686c46d6ce4f6e9bfeffb809e479da9139f8340abfddce7f17b7a16b4cd5c299c6a7d46c5055c16ec7ca5b19f06974f0c94d505da190d0bd22f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUu.exe

Filesize
238KB

MD5
94b0028bada72d53f785854218cef51e

SHA1
8f38341814200062f9b88de2fb80b6856effd8e9

SHA256
bd9c6bb8104e75fa70ccd4fb8795b7e5b17338a9b2886be28217b50af4fbfb77

SHA512
311b720f676e6f7a30981602222d0694c210c876062e616740e17ab5489c7e4f0e84d3139ccfaacc8f3d1c7c17e1a6d02e551e7a530c0a7b380dbd210ea5e154

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAUAcEg.bat

Filesize
4B

MD5
871a95d9a2a75865e4101797240e40b1

SHA1
ee2575a517a16ba9b3598a12719b79ca21076362

SHA256
c169f3be1834f2436713ab3f8cdb3afc6c41fb21cab88492ef4594eeacedb5b4

SHA512
5213c0c231e2af6e31bdec1d982ce3085283070a11d868f4af71c58aad078762c6ecce809a4bb2c006f2c0055040acf2e86ebfae9e4e11816d51dde438bd35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcQQ.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGwkwUoA.bat

Filesize
4B

MD5
3e9c10638a8aa05c44ab48f4eb9f3868

SHA1
0e9e71983bbf8014086d30929bb40bcab5315243

SHA256
305cd5d31c9e1e6788f660aaa7e5de29117f47dd78c6e177c7bda10f65fe9613

SHA512
70f830d8e47a125f9582fd2a199580a16d5da64cf3225f11f210f125440d0010dd6a89a09e87e6e8e0732037f9643ad49258d82f9b15e7fb8b57fb47bdc85f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQEcksMY.bat

Filesize
4B

MD5
dafb59476cd80ab6a62a10f1ebb99c6a

SHA1
c1b78d17aa3b5ceb6046a747f84b0b4d8f169420

SHA256
78fa78c0b3a61e3fcf62bde2ac5db8f9e783ecfb439e9080dfeea3d4a9a2070a

SHA512
b8de52bc77c9a4777680dca577a1cbdbd51ebaec5011d310b11d6d0d17341c5303f6e2faa2850dd4dd560ef4c67925aded2ee02d5476e0f255d42a5fbc94714f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DckUowUM.bat

Filesize
4B

MD5
fefa12d4a48dfcbbd45e7192c6078d1f

SHA1
f08f4ca833dbf1eb0fc59525fa5b19546f2eb9f2

SHA256
43de90d4257d6440242e9615e65333e882eb9753618a3beb205ee0bc74a5fc7f

SHA512
34e6fe48da9776086f86c25816bfa985566001abcaf6c5970e3500a46109c7fd367d7162cc51e16038539de57eafc5994fa55b89eaa1532ebf8001ef846ec1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoAogccE.bat

Filesize
4B

MD5
b0f56df42299cdf4cc7dc4f36d029f0f

SHA1
101613c8d5718b33464b5bfb9bbad4d510d6d4a0

SHA256
5db4d016fd86f0ac231c3819de827186ae9e1f0d1034719ac095bd8258293aa9

SHA512
1e04dea07b6e7eab0cc44340bc2db0dfb48025bc40b21a73f8ef1db22a632a063179068599dab4beaa96f1688032bfe4a0463668b729bdc4577e73e8efb3a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyYcYsQU.bat

Filesize
4B

MD5
d547c49fb4555c4dd7ded7566e864054

SHA1
2f753b93b321b90b77cfcd408e75401bfd36e93e

SHA256
dbb4f2c87906a2ed02e887eeb37cc446654dc7b3fc5f33283908b996e1b11c76

SHA512
b662670eae6de1e6aef111df5f05dec072334d71d3530b1c9d2fb0e1f5e3a9b71fe80df7b2ca93eb5aede0a235030471c0372c10d349710c2f49d9a3ab299d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQG.exe

Filesize
158KB

MD5
f52c654857c6ba5c22905d0388aeb8a7

SHA1
a900061005209c6dcdcd34fecc8f09fda44fbf46

SHA256
2ccb3f2dba8a5d9c6a955f86d76babb1a6757a6a65ce7d397b76032f602e2eac

SHA512
554292f5bb6e546ac8944100cfc1cbeeb8f69036d0d35a0db6fe1245b837c2ab5899342b924088f1dcec49eea94c077c8d8acf5c4f22e43b0b91265e6ca254d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYca.exe

Filesize
139KB

MD5
16ba832a094022b56b13c13ab2d45b45

SHA1
663112c314a11f1bf06ff466a7164ce4e30b09bd

SHA256
d03fdcf20d5d53da4ce8ea991fb97c66dde919113db7d6b61121f79fbd805310

SHA512
2f3692e43d1b543f153de988616b7af43ff6e9d250fa930e50a7f5e08036caf9a4c9cf9335b2089fa2c76d476483a886b00e4221f3035eefb7d9af631b06dbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYcy.exe

Filesize
691KB

MD5
94f998741c3491ed692da06a752bb575

SHA1
cc76fe5e884f2a99db57ae03cbbac5d87e51268a

SHA256
a74c2f3d1071adbee79f0ba0f2f6d40e10dcf0beeffdd5678f6ef623363484a2

SHA512
b4021a1b33446a18cf769d939ceb9e7f6a9a038bfcd5ad3ad046ebe49e2e41acbf04091757825e1edb4b0c256fcedc36f143a823334151dbb32f388519e2578e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecsk.exe

Filesize
158KB

MD5
600cb36e7d59fb4b74f6625d416e54fc

SHA1
0cde3bb8b921c75d65beefd6debbf36f0831317a

SHA256
2538332882264bf26c57eb1c537b46753ebf3ae17f95088459f2936274bbc9da

SHA512
b157adff505fbfd60097b0be79b989f1db84528cc93fc44bce1fc1759b3e2c26bfb103f7603bd9409f3da1ca6f941608ec8260fcb1918efb579d9884214846e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkYA.exe

Filesize
613KB

MD5
72a0f5fec498389a36ba7382bcc4f330

SHA1
0b4b675cebdd182e9c041ef03e6dae64edd011ec

SHA256
05e356a42ad4c42c9486029154f643bc3adc65b00abc3f8bbee87cfaa7694d68

SHA512
d946aa8d5f3612119216b14b7959f3a538b60be6502200ea5f6d505c5c76c2d7a5283474d15db44d38349de81233c1526bc247e4cf44b5c765103f58e11dda42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsEq.exe

Filesize
157KB

MD5
d318760c60d61a4d05f4af264a69c910

SHA1
603059cedad3a48cdb2e4c3b49f27e0e95fe4b87

SHA256
efb8fe3dfd24a1edd5a2947d2a3244f054ac86c7b1098d5f8a8a590f4be2f71e

SHA512
90b2dec2c03cb60b35e0a4fa48311e9a68de1b7b633cf0c51cbc0011aa8fe945a9f7f6ca3f6d3ff62f4b4cec0cccbe8456684ae094f6e3e15ca2c8f61352a74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuYYAcMA.bat

Filesize
4B

MD5
c007a1cb35a4d37d4bbb77ebff7a9ff9

SHA1
50579daa9ba0978ab2993d3e9508c67ba47f0a41

SHA256
32179bf298e734e2e46f37f441f85f8317c7a857c92547e11b6a60016535f2c2

SHA512
21be44228bd512a0b4f39c34ba392f6589d2140f21f488d68e423574095b215f2f762cfd39a64ae13dded3442d64b1ce20c1226bb6c542a1ab3c538908fc53d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAUY.exe

Filesize
157KB

MD5
727d0b1d9968934335395a47050f5507

SHA1
ce4d9022a1fa3753e25ba4499b318c0d230a9bf0

SHA256
6cb3ad62c1afc7942b35d5ca50a56e05e0688048cf8440410bd7f0465680599e

SHA512
a2660f21b418b33a11477d81e42d4d65f1105099556f70c3cc2178173ae750870392b0a67c8bdaa479873e7ab67d827920eff7dff16686cb01c79282a75f7870

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEc.exe

Filesize
611KB

MD5
ae23fe2f7698917cfa8aec03f4d0436a

SHA1
f01cb5f4da426e14eb472cbd8e1bf5df6231de0e

SHA256
63e925a3233670abb1e3c4ac8b50991723f2f12f585e669ff2a3246cad250e8a

SHA512
a0ba41f8b996ca11e8e9e334b517c34cf802dca8076b8ff688cbdaf4536cec5bc72ae85278c1d9215da51a4935764bc62aa15b0e763369217738348ab7dc3d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIss.exe

Filesize
4.0MB

MD5
77a457322145ac251d5cb42f5a3d3260

SHA1
4d1f311f4b66879563f0f730b37b49d1c3481042

SHA256
88e679a19228d88b6d5a70278b13a277bd98a6dd2bfe39e06dcd1e5183ac14ba

SHA512
b441991807d7af32364955a7aa2881ccbea37430c4ccd6937c94b414545f5961915ceb9cc222322f5cb4b5b1cd2623606087afc65badc11e66261fb9f454a333

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQg.exe

Filesize
1.2MB

MD5
cdb2e9f51da8da378bc030f2cf60f34b

SHA1
f6ff8356fa89fbf2a23b3d1a06df3111a6f8baed

SHA256
df18496ef24b5e26209d966dc8cdd91654d8fbeffb7c00147c1808d7eea5784b

SHA512
d96af34322e2f3abe6abec1e181a34bd158e340ac85636f03195cddb7a6f8406f3fbc0309604078c349a04a54446bb5a4e8a92bd9ea5696343a141984304c032

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwgoYIcg.bat

Filesize
4B

MD5
d1d7899e5b9ffba14992bcf55d71c86e

SHA1
7f59480f6ba39bf8d7c9f3289ca052bc65284f89

SHA256
852085cc3370d4c69d5fbd44c8ed9433c1f25324d4e755ab0267ae8218d040fe

SHA512
7987a3ba6ef6bbc3684e1fbdc8d2743e7771ea8b709eb474e49d349f6d48a535760ab3e7207563d8dddeb16f6235e22b71f442fb94ccfdabed9069814b2df152

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAYc.exe

Filesize
658KB

MD5
f84e9cd9abcb26455e8b21d6d375beb0

SHA1
ecf079baf75071206e668d3d038041f39e00decb

SHA256
90c7a4668dbe7b6777ca3831893e9e98856b40d6450d854891f06e7dec43122e

SHA512
646df924a85f42c81a13a827e38a4c683c28c7146a7b1c81d0d5d1a3cef034ef8255ae1dd9c5bbe5a11468c18def61b6ce6d9bf9279d433300986dae24a20c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUAM.exe

Filesize
150KB

MD5
30006efd28c42a5b7c2bd4d687c67970

SHA1
1ac8a7c19dc36ca5464c6ce2c44573cb7c00eb75

SHA256
1e20db4f3cb83eca08d13849a9c72891ad762203b12228a0e1a5339e7f4f368c

SHA512
1fe9347119aac7ae9502eec0bda9446c7901444817cf69107d6f9a21ea59940cda90c16dd3a360476e67d9db2bfd96db945477922c3418e0bcdc09ace5c3d3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYIa.exe

Filesize
158KB

MD5
c7e406f1ed6c9afc1ba38ca0dd5613eb

SHA1
02ccce5095b73a0b7d19cab623c5c772900d44df

SHA256
40a4dcecd63c71fed2a881cbeca3a3ca130ce8ff6b1400085d60d04fcbff885a

SHA512
aad82011e3f16ad6693f980b4abc4e6724ac26365beaa1aa8daf7a9204c9bd04685f35ba1babdfb57c8018bfc15a0dee8f86e37c6e37176c6a4e4522e494c86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwK.exe

Filesize
157KB

MD5
5e628c2c887744d6b78f807155b12951

SHA1
d8072b0fb2bed74e309c0a6e691e86674921fb06

SHA256
e95562731babfa65354e67a2d88cb68bf14e2d6a755be5b8e89c663d1319ede3

SHA512
248e586922cffe4aa8740388375c17766163ab7e63ee101252507d94e62e86d7263b0b0ee88bb1dfefa250db7cac1c2158b008fca4e0d9f39672850602b44a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcQw.exe

Filesize
566KB

MD5
b353e12ccd8d9150e4c608d87eb1a8b4

SHA1
5f714da7c405adabae387b1780057d9c753c3970

SHA256
3c1c9f040bcefacc63b67ecc211ed8670a1a273d8ae209236f9846a98f880d3c

SHA512
ff07c1a439528dd4a52a1af76b3c3d3765a4026a98c233cf6188df590c34e52f28cf6f5e0078fec0d6a43b77677f327065d93feec02a8bc87a6be518f6daaba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IowK.exe

Filesize
159KB

MD5
932a65aebed3aabb6893d8f7b809144b

SHA1
3c2d7e1dd2df562348da23a0e4e2f74cf50d9f0e

SHA256
1fcad6425241d936f2aa96fb400659138a5006d6ddcc5dd928ebef552976668b

SHA512
8f8e8454d4d26e89dc24b44b04148c87e0cc0acad374f11591703de7e8be1c220bb8c5fbf7c14c00fff4319f30af2356b880a438830cdb4aa51a51e0dcd05055

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwoq.exe

Filesize
157KB

MD5
6a723682ef855d0217893714d4fde785

SHA1
aeb9fda31a5e2021c0788b113b62218be427b312

SHA256
71407e75e6f9146190a1b2f6b5f7f21432ab2d2994fdeb9c403506e5ca6972d4

SHA512
95a2d2160503b5bafb58f39311df3b40f6c8d22e6eb5abd5a3cff0b3c4922d76ae35ec2fe242e36c7cc5d2009c962b0667aa7cfecf2d71cd108667d96e229030

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSMsYoIU.bat

Filesize
4B

MD5
fa0ed52acbf7320a145aa4ac0bcf5c15

SHA1
5945c0509202b16277cfa3fb02a0920008f95b43

SHA256
ef4c6579fcbc0945acfb2ac673861cb92c0c5633d5afc77694bec837a475d9bd

SHA512
f73db95d80afdc76c34f10c729458d0615902369774bea9cbde76c9b6525490d8236d3a8a5254e61a9d81053f468316e8a1075f54f75267720da5e3d9bd077c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JuUoAIQQ.bat

Filesize
4B

MD5
d9c467957392d719f61e33a821c2b92c

SHA1
effde44084df6e44c13739c8bb47a637e365bf7a

SHA256
fa25a9606edb1476a4d1e2f26ee12131c93f71f2933ff1240d1b8f4a09fc8d6a

SHA512
cbdb36cd50a3dd13fc459bb3b02e6e0d2e3b5ab362da3fdcaa31cf171c09f091f5f4a695ee56d7009c09a89ca1c61ebac2c2eb66be32c7581cb1c7c033eb3307

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIUa.exe

Filesize
8.1MB

MD5
a947d88f7b13da1f78f83ddf5f172884

SHA1
9a9df97a7c9f635510679d0f65b975288ff041da

SHA256
668ab6ad9ee62c720b84dcef83e9306b3b1b8ae56412aa73ceefe451c0eb9376

SHA512
4182ddffaa34ad83c7107862c715321c2cc09cc23a8e1e37f0f304dd458e8ddfb637cabf4cb6d2ef2728ad531a09e852e16cadd707aa0d06bfba0fd571c1a161

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgm.exe

Filesize
237KB

MD5
4b78024e6a50f53cd961584bee90d3a1

SHA1
4a292d5e8b3b7f1ac584fd462703260a6afa1e8f

SHA256
e43eacf873adf151907630dd71dbf176ea4e8b092948376654835caad51bfa46

SHA512
7d023d1a6cc0b8b3a6255935304cacb6e0edf2c93c7f0940f78ebd6f01f7ed0a2b2eece52f690618c616519508d595fe6676972c27dc9cef95f2271bfcf36236

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQEs.exe

Filesize
157KB

MD5
18af0323de2eb4d4ca8404a65efbc566

SHA1
4fda2191cd76de0b7c9a8d14582289ef3fbba6e4

SHA256
c5e4b4f8f21c2882e3c54f16236e3ecbb28452366f7059a3c4ec4c791f1a4c78

SHA512
a0d06b85fc37fc69e6dd78a8ce2ebe646545747e496f27b80f1d555e344462d98149d2b8c45b4e375d3daec731bf222dbe2390dbf98c7f783d7bcf4f14655486

Download Submit
C:\Users\Admin\AppData\Local\Temp\KSoswEcc.bat

Filesize
4B

MD5
c43560a572e9f419bdfbcc65ed1a1e0d

SHA1
3b658ae430893c3b492b09d50318d3afaf5bb78f

SHA256
060b13be01fadba0377741cf0db6d4848c416ba5f4ac8152cf26762f9120d7b3

SHA512
61d531844bcbc2c949d37a983677548feb3c9eac1c2f4fcdd87590c1e6211815f876dd87df1ff9708ed601b20e6a9529b9ab27bbb2e09eafeee97ed3256b44d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kccu.exe

Filesize
790KB

MD5
4bd0143c7716ab012a4669e0667fe045

SHA1
fbac3213de8bd891325e54264f111884ca6b7d11

SHA256
8810d9ec22130f0192f23c741c8b16ae7b7577f5c7fd0446306d3870e0e29466

SHA512
e078fc84035623ae7f54834eed64577e80dbbce6b3d53d70eb3850b9591f1198cb691d678283c7871f023761053d6736587cd60a2946bd1e16d99fb5052b94d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksow.exe

Filesize
566KB

MD5
ef119d84a0cd2412dd15515ae52cb942

SHA1
19c8a561cbe6a4c6a6ef230f387df77ef70c0122

SHA256
56f3ace752337a286796f74a38b66aff83e8eff6f632f1fa20e41eecb20f3bcc

SHA512
1b167755bad0775f994b2646417f7af5d04cd375ff26d74aa3826e12ae806e94fcc435f8ea944926ffd3ea626c7c442c7338f14cbfed5726328a36d14078942e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LeYEIYkU.bat

Filesize
4B

MD5
eb2414078d12f99568f19986a5bd0261

SHA1
4461addf6010850a579e87c5177b03ddbd907f87

SHA256
55dd0e4010819bb6f38cd61acac2f57012be8e832fd3cb71d9239e4b286ff76d

SHA512
ce310a8daec76d2c839fb9feaa04bff087fddb666e059769c43becb05965b555576e1cf047860ef8b15a02ee72c9a208d2fd80fa078a20297d31df1200f4b52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsgQAwUY.bat

Filesize
4B

MD5
00a918807d021ea3918d6325fbf2e038

SHA1
019bea81d496981b59e9cca2d29f866320cdc209

SHA256
787d92d9ef06a5c39052a6adc890480d5bfc81568ae65d072e68a2697208c863

SHA512
3dd1567091d75b2919e00c2f8ee6ec447854c3759dbcfb3be97ec55f3e0da65a0bf8277e666512ceb4670073b2b40bcb4aabf5c5f4b07fc8cbe4d7a7332d2bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAgMIUUQ.bat

Filesize
4B

MD5
a576ba2f818ff44b679bf72c12e734b1

SHA1
a4379130af21ef5b050b4b866e66609eca28d476

SHA256
afdbc14202c8665f7ac764fa711a069170295f652bef346c85374fb94e33ee23

SHA512
fcaff958424f545d41e95163165082c4f97da382d855ed6529d010d0242d2d47a388df69fdb22ca693e8287069caa54e25dfed1cf8c7de2df71d3a4db672590d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEK.exe

Filesize
158KB

MD5
7c894587c543970c15db74e18166c207

SHA1
7299c95f9f2233c1a775a2fd7c79dd88f040302f

SHA256
4bb8dd5faba00708b49eb705227a668feb0ab2309a7f2e92f64f03c46f8db75a

SHA512
0cf1ffc4443f06afe9e5fde26bccbae5c5aab9b0a10ee480ded532c5d9cea09846d76019277a0e315389a6018d3cbfb53a006bcbd3ad435440e91284c058fcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIkm.exe

Filesize
780KB

MD5
86763cd086ac5d63b3dbc1a96a8a6fbe

SHA1
22e4451c95f1adcf83d8dcc71da5ce6f8b1c0f6b

SHA256
0c563bc7d65ebbd04a7e31ac919734276edce514104a108b41a2317c50f9fe25

SHA512
2b445ad47634e99ed33bd60b10b9db01224b5e7e4cce0fbd922c49b0d48feafb83e5735ac113099556622edd242b4fc1ad825c114e4c84da158e08138dd82475

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUMS.exe

Filesize
739KB

MD5
94bb1f50ffc6297a92c28f9f25c1b0d7

SHA1
11c550feba763548f3f8296cb653cfd33057f3ec

SHA256
d3d3e1426754c6014be9306355dbdbe68629c921a726815e6d8abece14ecb1bd

SHA512
d454366e9e8cb179a7a948633b840fea9c4485aec30750641aa19a719bb007e0eae26b82ea7c4227ad274addc86c6cf3d258eeb8a97358a46cb9666900494c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MWoUEokk.bat

Filesize
4B

MD5
c31b4d5aee5fe17b2b44b40985ac60df

SHA1
a55f7d996187a254b187ab12be85a94652d5275a

SHA256
71a7f9c52d757782cafa1fd91c412739600ce1fa139f44b701fd6cb8ff8c9d44

SHA512
4e5bc7f97d426a59fdc5ad407ad3e7bc9f32da75c708261d7d98886b64088749f4e5210366fd134fb781508b8dd978a9ef7f0579ae22f1d264b4587bab628877

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckK.exe

Filesize
158KB

MD5
88d450f209fba4d82d778193b8ab15b4

SHA1
4658f49b1d008ead7eb9b493a7b2e97f173f138f

SHA256
4693b3ad9c8d4c283f64769eb90aabb5abf93b0335c49406d7357a1bd1946c3d

SHA512
16bd785e647e530213b0a81d0c5828f0feca0b62913aa268e8d8af863d143498ca0b9f358b0112efb1a1bc516edd745a058310ee5ea3878ceb46cb92bd64e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqYgMAAw.bat

Filesize
4B

MD5
ac12ca96239112450884fbe89a7140bc

SHA1
d860517eef6b9a1751fb716befa918f0494e89ed

SHA256
53c7009129dd49e7b41b3cb23e1ccea0d8bbad1b13caf514b8af3fe78f79a66f

SHA512
cd733728dab466924f44c6bb7fb1fd0dbd223095080f21804c99e11bcfc990cbc415e1165ad3432ff110d2cca2999110642da927cd70573d0ea6f8b60bdfc762

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsIE.exe

Filesize
873KB

MD5
7ec91f51141df8a180fcd8e3ff4bfff0

SHA1
89f9bd9036be23b0b53facf329ef5a13b4fe0d53

SHA256
275144fa9f7025f76b6027413171610a4cf9f19e2b121485567bdef3d708e54c

SHA512
703b48a5381c83f507cf0b8ca26d24f85b5816a9ae306b0ac75a2fb5fb9f074d2d7ece6a9c3f2a72b0a44d87c8027d0a08f15177f2b1a954217d996b4f47dc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYAUkIoQ.bat

Filesize
4B

MD5
2520a373cc4e840b0092568ab970f8d8

SHA1
9d9037555b3f0353d1a37077f2c9462acac5a429

SHA256
04d4a8cd2234656b06259bdbfc3c6a09627a4765502116b4fe4e148c4fd865a4

SHA512
a52fc975541333788c596cea4788c693456c562071b5426d3d11bb0bfe9691e6196e55ba6be98c4b8c2e68601a59749c40270b9c033480711c6365440b3bd6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMEIQsg.bat

Filesize
4B

MD5
9de71c992bd20f029b323a6e11b4b052

SHA1
2e3ce9c187d523223b52093f5bb41dc27317df77

SHA256
2a8a60863a0e6d482af55fa11d21138f48defde20edeb45922afc6afd736f11e

SHA512
c5ea4d3917b68dd89d7d537d6bb4ea1e42d7be3196de4e4660bc25ec29fd7f6e9e37cf152006ce91ada475b602170ef33cd4c357dd6652a2813d5aa6253c5c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYss.exe

Filesize
157KB

MD5
f401e34183e5b72c8dad8fa43722672b

SHA1
7243c86957421f16cdee14d4a9d3fec3540b3f76

SHA256
b1c763bf2e54f8eaec61991c1378c5a94e93014dcb9c778523bea5e26b1632be

SHA512
708b092af8ffb23c9626bfc9e08dce5921b00a5b2d61c59db8aab4b774a5c55ec162335403a024c984c65083bc4af26bce84ab1e58cd7b5ba1f8684461738690

Download Submit
C:\Users\Admin\AppData\Local\Temp\OggA.exe

Filesize
160KB

MD5
2cd5fe13edd3a93b09600279015078c4

SHA1
8e1c02044cbddf9177359b596d170669d79a9616

SHA256
56224a0dacf78446367c9b0720a0f5f33141615bc33770473d36af728dca7764

SHA512
e091c7c9d3a633630f97163360a4e195b93bbbb5912240fc8a82778bc50ac785377ed391af9c6c7695fd47106c3a5e9926ba53d8434051f6f1ec71b6a526aa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogkg.exe

Filesize
447KB

MD5
cdee302b47df8fcd89d15d75dc7cde6d

SHA1
cae5125424c06f1de2b4c49f362af948d308d5f2

SHA256
1c7f64eae60d4c6b46ab7a5c6021bca1e4634a845515194147d66393e1b18c30

SHA512
66192213b7e818d7af7fc6e9c0d77b4b92a6a715d669a68879f1fa6b4eb2dd3d3a646ba12f7655f470e4c58fb64ecbf71401f7de4b53e642f82385640ba123a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkIC.exe

Filesize
157KB

MD5
2516d83b5ef5d851bf19640b1ee0e9a9

SHA1
15d63cef9b280e208b0ae330fa8eccf28e15e2ba

SHA256
437eaccb95e0ccaa9f8afb549aafdecaf2be89c16b74752a5e3d6d0094013492

SHA512
87023e7e3661d8d058a8033829e90366599bb9127157d4ba6bdde9b7377b734afedbe2f1ea29fbd9d4d25a6566d5ad5efc4bc9e3329f088a00e33fb140a119a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAUe.exe

Filesize
158KB

MD5
bd9e2098f9ed4ae5b6956434bfd30be3

SHA1
c45e5a1f0d26bee41c08525362d7f82a10702bf3

SHA256
a7ab3139cafed400179e1ae046f7f229e60f75277c937102d5213fcc655b6568

SHA512
bf5dea4d1cc6a479c5a571c2b65f01a5af5ad18158ce4fd873c10dc68c7bfc52482fac1829c78dd078dfa3077574d9da569049c9800a5fb232bfddaad37fa777

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAM.exe

Filesize
149KB

MD5
ff8b24009276cad78034a4cb9130cdd0

SHA1
45848a38f1cc42fa6e7ec059767dc4e23942f5d1

SHA256
2fafa6e3b038b768e3d0366c16d8be557641c6db277198752b91c1a7be073744

SHA512
46acbfa4e0e2ce0f052b2272f15dd144931b7c0829fdfe6ff79a6e632841968cdd13f4f64c53b42be6da6be111ab60b3150065187a07ec15a35e026860570b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSgwwYww.bat

Filesize
4B

MD5
e03eaba4945345f5912ab653c5c90298

SHA1
735955e0995ebfeb68ffbbc8e44b68d47cb478fe

SHA256
319f85a9dbc23323f1fecfc90afc5a58d163f116e7c92ec9a7a01f359c694966

SHA512
6da03f936feea2dc80ff5f9eeaa12afb27dcb26d99dfe82b5b54e73349068a8278e0ec73bc12e1e71d1c128114a662a9b37c66e1fd6313947c852a0c3bcaa93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYIk.exe

Filesize
158KB

MD5
4527eb1dbe5204030fb6d5ae4537b4e7

SHA1
8c1e6bbb8a8b65fe847f355de464941fdd821545

SHA256
92e00d06487e3099dfa1e8dc2c9516a6ae0e2a4054c9489f626d3ad0a8165a0b

SHA512
9ba8120b3b8dfbe66dbf672c32ec266c7955f25e7957ea0388e2331ed08bc3027f47927c986f258515b7698215b5de5d9136f7da461cf90c6b693d02b43ce909

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYMO.exe

Filesize
555KB

MD5
52789495120f7959affa2d5695da8387

SHA1
482b0e3781fac160204fe199c13f1c28ed300d49

SHA256
a5fccece305faaa15628922245a3c3c8992f84ee96c054307390ce84a95de411

SHA512
4085552cca01f11b05de2541632a4acc9eeea287afca2e8b9dac6910c4d31aea31c157146f5b882d12b2bccfe1ff39e6a83b0aa3187950346d89cf055fdd75e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoEq.exe

Filesize
159KB

MD5
6a1114f44801ca6bf836cf67f02edee7

SHA1
39c7e03fe79656397b8939efb48909e861578b4f

SHA256
b0206f5588a6290597d0cb445dcd1e2f544b4e901741d1e321d9f41034b1451e

SHA512
dbf119ef6fa2ca9679df74d5b88260d2759a6e0dcf97cdb5b1a2097b7fdfc19f339891e44e2e20c4bebf7b234acbef24a54e2b8dc16e65c8ad14212eba4cae97

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoME.exe

Filesize
1.0MB

MD5
7da988eb53d5afe788e6a77fa738dbd7

SHA1
56b1750b85cfa5f4c216dfbb079dd9b8d762542a

SHA256
a5bad05f924d1f5ce0fa72add82569ca593d7cae7026cdf1b50a7a59f68f790f

SHA512
40a2b5f0a71f08110ffbed9e4810bd594694f3367af2c9b32cd1df011d82fa246fbf9ef40f13766c94c872eb2a31698c53e16b0de5a9c03920ad5be35b46ed36

Download Submit
C:\Users\Admin\AppData\Local\Temp\QowQAgcA.bat

Filesize
4B

MD5
e4e94bfa5374ac03d627a4a446dfe2e7

SHA1
1c18f3fdef28e822e790af5a3e683849f2f3110e

SHA256
cce8dce7078edd409f8614659c3e006eb2cf9e722c09ccf2c3ed08202aabc6c7

SHA512
239ec356c06bcafbcd24eb170b48794efe5066d4ea1d2b9d4e58ac5346d1d613b457ba04e1876a5a1242a964dace78ebd4a79165881a2633783a495f9d34cf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIW.exe

Filesize
1.1MB

MD5
50bde61d1e8f24e09c9a340126e2eda8

SHA1
46af046e9644fa333c0f23bc1efc1406529296fc

SHA256
58b41cff4ab26bf9f471d09fac00b557a39c9b20139443ff09805dfbc847bf6f

SHA512
af796ee0313ff0ce38b201ee2db9d00346e663a37f14fcdaa1442c4c777aeab78f5bd05a622edb757460602acae2614408e254487b0bc02ca93a7fab29bbe5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGAcIYkA.bat

Filesize
4B

MD5
55ac2249675b21b20ee6c568c23b5035

SHA1
bf2124790393b5126670babe441d80edca46506e

SHA256
5e71ca7e2ef4be0f64cc3862e5520bf28a220aefc21af38ce3caf1207d0bc47c

SHA512
ba7aefbd63f17be3f94e74f78c6874002debed7156f9bb5bca415e6c11ec5430fab55ce34a4ba513a6a913d8d40fb562bd279af2eb9c34097267815ed330cd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGEIMsUc.bat

Filesize
4B

MD5
1947852437f27f208aa7f53c28b5763e

SHA1
9c11c61a2c9525cfdf0ebc8c3e949ccad09e7681

SHA256
74cd7cb9fa1fc59b098532fd1c749869c28ec5ef3557842a83fd97465d147e25

SHA512
6f9f72da661ea493d2e8fb429e853ef09f39d1390dd69ba1a15a2cf96187c09f9970241497ad627bee7c78c43d9e4500cf103d5ed826b9745364924352278411

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQIu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSAkEEUg.bat

Filesize
4B

MD5
0e027cb642bb0193a400ca2645f7adb2

SHA1
d746c6e9f33a156d01cf4c698a781b76b47f758f

SHA256
5741358e7b79d12da106d8fb7c31c78ee5224513ee667ca75b53912ca77f7863

SHA512
865a9ba9c28b091d70906b9608f813db0d408e7ecb1f7a11c9b7ab4acce4dd62ecdf5c36715c071aef5d1d2835ac1b1a5550b136657dd14c65c316405440fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYoI.exe

Filesize
158KB

MD5
5173e257445d4ac76e27ec0b1a511b9c

SHA1
ed52a99ce56af0c9785f78db768a7ad8f56e5a84

SHA256
d7a73fc178271b1afd43f88f26f2a9eed1366ce7c6161b9a75ddfd710bfebf90

SHA512
8a77c737d6fa28065bacb367929641e0c327f528a9684d90fa11b4e65c8e31d042890ecb50d001e797234b7a6595d0a8d43d05824dc26159d442af9a490ed58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUm.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkgM.exe

Filesize
159KB

MD5
0f3e29d58e899be4d4a8962ced97b999

SHA1
53f43463eb46a9f4218ca385886e7f11676551f7

SHA256
2c9bcdba1272c64255c43216d078441c8d2139a203e7fc061fac74d61d9288eb

SHA512
08046e82e57d31bec214448d99b5822d0d31c5c60938d8e46ca95b15eb0f0ca8565199964d9bd7b898377059a4879fa8cfc495c4a591e09c41c5e2b3bc9ae03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SksI.exe

Filesize
160KB

MD5
c3776abcd9ae96baf2cb0c1b02fa62d5

SHA1
24bec37703925c270c101baf444aaef9dac001eb

SHA256
37e20fd945e465e88fcba1558b57eda1631e8d9f380d94596e97da7c3fa64473

SHA512
77f6b6826a1f9fae5159975815b8c368ae6d617546d5e3ce96e930f5b0a6d0f58613d843e37ef014e99f6f19041826bae2eb9349a3e7d3d7ab943f1b9773ed03

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqwwEwsw.bat

Filesize
4B

MD5
1c0fa38d6908aa2af9573f3512eb6cba

SHA1
a9891af0660ce0d90eba746292067b1d874d0372

SHA256
3d3cfe95cea898d332584ad263613285f2a94512d9734e0600e34576572636e8

SHA512
a3e41dfbd41220ca39f8bcac1e4c6def4dcde2809a97ec731e8a19635727e7724e550c5c11dbd63f5fae1ebdaa4df53b0bf810c9f539bcac79f8d1e4f6af3f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMYG.exe

Filesize
157KB

MD5
405faa800440e54dfd0191837eab934b

SHA1
ac26b7f7ca556a1af9cf937b6bea1c25529ff42d

SHA256
f6d416f8b35f0e7c15fc6c6c3a760c90468611619030b1c784dde61dc359d811

SHA512
2f39a45d07bdcac5b9a99d9f8d296a4015a1d7ba6d8a722f33afcf1b354d1e06316ef25cc28468ad21190a282ef4609f83dc78c33c9e8fbda4edb5f7c18083ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQsg.exe

Filesize
666KB

MD5
82b2d61b968a5a13bdc56bef94fa24d9

SHA1
8e5f37db3d86910fff4c446d4584a4f69f077458

SHA256
00ffd2b60265d7ff096a46893351ca2e8dc2b5d6b786305509195677e26fcaa7

SHA512
cb61b773d10c8adf5b74dd0200d28e9d1995c7564f4c064233b66d5cfe0595dbb73a0f12ce88c8aa66f310bc972521253703b4947ac848f326725ccba2f1697c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwE.exe

Filesize
869KB

MD5
9dadb6130ead2e0769fceb4a7617575d

SHA1
28ff73dabec97f22c18fead9c704727df41f4b95

SHA256
491f0239e81ba004feb29f9fa8926060ad488208fe18b408e5294e431da038a3

SHA512
2db996d3e0649d46d57819176b9e257238a103cbfc2e0232f3a31ccad8fb699eada1d72a46cf964564dd703e82a205391125beb234f7c08acf77a7cb3ef4799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAss.exe

Filesize
153KB

MD5
12a751424fbb5f2a87df17ae489c65e2

SHA1
ff6e12d672369bdd4ff876a05eebde7f2577512a

SHA256
4a6d69297dff2ae95d9b0d10eae2d439e7f995bad8830f7886a383f919d4abd8

SHA512
2c409c7fd6ab6362747b49d339ef753c4b5a71a24871d5031d3736d6dab576b087ea38ae99078665998b1633123b8132263ce1ef1f15582562f7844fa5e029f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIIS.exe

Filesize
158KB

MD5
fa5b8560b68abdc93e2efedb245f1a57

SHA1
36312e5b4d7060514086632309564e057fd64d63

SHA256
bc2f98ed9fd0fdb9da5e00cea8c365420ff3137443c08e2b68950919cd0918ad

SHA512
1e37894296ed5d9da316c84eeb4967d891c4ef648305c33de626011d6d6e34387c156932d25b1492dde5082f84efed779f38070e7ce3f33d3822e8b9855ae95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMcW.exe

Filesize
683KB

MD5
9f83c2118a499c7ea5e46c9460057875

SHA1
bfb895df55d26b7dec8a0011f169664b9a2bef28

SHA256
f098b11a2d914e4759cccae06965107291092bd649ae9c7756a6bf41ace7c770

SHA512
81dd65a6f5c13aeca4587be39c9081e90f4979a94fef1b1bf964e9307aeca5212a404b7f3975b5ca4231c08b35cb5301ec0364de5a92e59f7ef98df4095d12a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQgm.exe

Filesize
365KB

MD5
cf8ae05f6b0a6f92054c31788006b89f

SHA1
c1056ab558ce16ec689656aecbac69a9949f5f24

SHA256
2b5f2fc88a342916b35f72fae5e496caa0ac696851a0322d73bf537d21469968

SHA512
bed43614f46f6c29b9de31a3fc8783d185d2d8045ce43939b0013ba365571a230587ac63be8a1bd7b8364a90ac5bceaed03154bfcd306a7b75d776590910108a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WagQkMYQ.bat

Filesize
4B

MD5
6f47e54e7fc3376a68a25854be36521d

SHA1
949f8b690a3d05ca4b632d88261ba5bc6d42a546

SHA256
39dce84fcea8fd76952594fbfa03258f18c590269fa8ad3d5fc171c16622bf23

SHA512
1e4a7afa5e2954783509765d718e12a026be242fbeb6897cb8b8c845b6b072e0d73303e16401889847ee4d9a20d62e0d094c86622a729169a80b2a1e6f5c9edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUAQMwgw.bat

Filesize
4B

MD5
2baeaa97af5db2b4c9da0a604b1efd9e

SHA1
234060055e382d8d9326fa955763cf4e7151481b

SHA256
792876525e630c0fabd1f8e86089715488b2dacfa42383e0106f346e67434bcd

SHA512
03ac680042204b93c2015f178d1c94f01e5ea4abbcb7ba24df435f3092c736c1370ab30a2483a530bf99161f6cb208759abf20456807ac97453925b3469dfa77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XagEAAUg.bat

Filesize
4B

MD5
f5bbced2860f31663325138c68e189b0

SHA1
e11f3a883b4c5d0a2724d6d185f7939c24d70cbc

SHA256
8949b140a9549c632d196dde0304a19547ab33f386e88f264b096040d4dd81ad

SHA512
2a55dd52369d41920adb49f644f5637c870256ac74a6823194cee5f287a0f60bbf348506d568ad82df3b04a7621508cbc2080ec183e47d9428fbcd3bb1396792

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAU.exe

Filesize
361KB

MD5
1959aa00881fbca9209eecc2ee70e318

SHA1
c3cb5a5f1c31400986c9b1e0165632ea96eade50

SHA256
499f9b3a75ec2d2c660bf66a28668a914a917138c8d18d8187e3a676d9a9427d

SHA512
1585586542f96cde3e7f458dafcd29837fac9314ea5310e8b1048174763cea9ba30e41c8af6522288b002db087d6136a4a0f0a956ffa2d2e5ffe5fb83c2e335d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YocM.exe

Filesize
134KB

MD5
e29440241bc9457813d610d8923b85a6

SHA1
04b034c038d1352484ab6cb14ec4dc18ecb137be

SHA256
a55576b3dc0b866855b67c60ce7ca48b0e9582b4be6c6bfc8ce1cf2f1fc7de8c

SHA512
987e0bb32b197f659e73e433a0ff812feb93c42641f0e9dba92d91a689b5c25cb709c350b2a31e9e62b489368b8565fda1160ce76d540612fe9f331c92d8cac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YokO.exe

Filesize
158KB

MD5
a6cf22237f197c0390b0c9611a76c656

SHA1
48fa6ed6d7ec23654641b57ba3c2ce25dcb08a4c

SHA256
69a445d3e10bb8eefc0730752b1ce8db98374290aeb4988b3ae31b17c6a8f174

SHA512
0c28bfcf13e0fbd82c78941b82be700e7b146386844484e4b941a1fd7752c896db277be28a70e93618d3271909bc5ab6a530c2a7a11743a9cd2a4ed9074d4f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZywEQcQQ.bat

Filesize
4B

MD5
d0c8d82d8d1d14da3524eedf3e095e21

SHA1
5056a0f695801d95121bff15bdc454d81295c0da

SHA256
816d916f474345b679f3cee5b74e9d91a78347f7ad9efe2edc6db57528d6b1ef

SHA512
4cf3b6022ee5b2f56d992b5110e197a16c4d482eefbb8ffa0cf9513f310f434332f8ddbb364887007b08e18bba9b8fa711dcafb85aaec33e96381e4b732f5920

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIoG.exe

Filesize
158KB

MD5
e3df1cd36d637ec62cfc8b88c4b47980

SHA1
8996cbb43fd6b40c3f971d5652c032c763a451d1

SHA256
3e3be2f60605c38ece300af3dd0c8c019340917222c5dd9e90884cbad626b9dd

SHA512
2a11e6820ba7612141eb91f1eab10b23b2957bff2e0547503e87bef3ceb97f753e4b2f6f5e0ce1b7fe10085f0f91cc1a2b3e725e71611adf8e42154796739ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\acsM.exe

Filesize
158KB

MD5
f6c266a7c70b88d477718e7b9f210a6b

SHA1
f14fd0b8dcb88749c7851400045681e56aa315b4

SHA256
69d7d12d4bdf4561acdd4a736a79889db98bdafaf469c675606f6ce15ebc0810

SHA512
afc0061fa3fc82b52998f598555e1dd0f81658f2d24f2f8464318805fed5b41487e964cb0dab6cfb27b1d4274b0d5ad712cdec63fd85b939fcd76a0b65071280

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiIAkMwo.bat

Filesize
4B

MD5
aa4d372cba9ed00ee6541aa581639af0

SHA1
d28b8b232712ea4f344ca734c190c08d0524b7d4

SHA256
70dc9ccaacd814091e391661c1560cbc2b34ee685ca6a3139fbeceb04d12df5d

SHA512
c85d328942c0ea66c23872d3422112891803d673acf52f9db2b0dd4819220bba0b070b1a8a30d2ebef86057fc32d87fcad37184c73cff0372579a4cc6aa8e42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\akIK.exe

Filesize
238KB

MD5
9495e5a9351eaa68e8c7502c2134488e

SHA1
1307f7b956b4b7e17c9f1fe227ddc3c4cce6c106

SHA256
c3db8f62485ee1af42e10a22464be1fc233d59edad5defc0cd3bd94ca3188e8c

SHA512
976d808626f9d929487ce32bf0ae6184b2f0ba435c1297404000177c6e5c719c8d0235e573b671f7a3357a3e1addc877861a72909a498200d3d951d97b07443d

Download Submit
C:\Users\Admin\AppData\Local\Temp\akYu.exe

Filesize
159KB

MD5
1d0fcfb568516f0cf116c981c2370771

SHA1
7430f123d4ab88271d14c8220092af69d9ed27d6

SHA256
ea12a20c22f7ca869dffb93f71b28c2ca26b828d795a8cae70150ddc6d785f15

SHA512
10667584f7dbe4774484294a0e479249aadbe968804744437616545082b294e1a20ca1ac5e4a966daf3fa75627a3d5f8bcf1d4a5668ef8b543aa785ffdec05cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\awIu.exe

Filesize
157KB

MD5
72dd7d9caa937021aec7dd69a6deb3d3

SHA1
fdcead926ae7521149dbca8f5cb219f6077c17ce

SHA256
8c4f931c8e24e0f8cd295efec841795f22dbaf6cc8d46b3cbb45193a0a199b66

SHA512
6a9443c2adeb39394c88397a689dd93719d9c0b1e127f8510c8dde397f18e59b4e0dffcf2f073e115436a0ed073fc0cec2a5dcc98ded5774d4fb93f0c000bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGQQEYQw.bat

Filesize
4B

MD5
f292439be33e80e2d37341a6d118a353

SHA1
834c9adc3e5ee597455072323df7e50626c08030

SHA256
b77fcd76982f3b0ea3621947ef46332e45515b6a79b2fade7ac8c02b4bd936e7

SHA512
384defb83af5b27914ad1586988dce511c05a8187042260cb5f0bf2c3a2253abe770f93d4ee45b3342c3b5aeee873794158b09e97fc5f5e8d93a3f573acabf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmQUgEIE.bat

Filesize
4B

MD5
0e3dda25baeb6e714678cbd9b9d5dc0f

SHA1
1cc4f80e62cf0377a7fa27baaac4872f83bd8973

SHA256
b2c4beea9da94345bb1c6a5333e6593cfb2929abc2ca4501494cade2e8a96ec9

SHA512
99f7dbd616a1a5b55facc83be7c97713b9831c13c2365e5f3db2ebd6f786b2716f9dc6c4811d3746600556df9798d7c9dc561f1be2ff2687860ce6b77c116c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUy.exe

Filesize
160KB

MD5
75b02099f56eb9baad9a42a4b2dc4c6a

SHA1
14d061d2617f413e92f145cc2e6800f710d64a06

SHA256
d00167f33f96ec13aa24ddcecebf1034e1b342b84268fa5ba125c6fc0548cba6

SHA512
3b3478eac6a7896598745511ec8499656a8f7395450cd5aebf906020da886b23065fbe6a51f3d2cb5fb8b0ee6220458acece0e653b950ef32294ace846d76a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUoA.exe

Filesize
159KB

MD5
99c000e2b4a7c5fa1f16cbbdbbd54f8b

SHA1
af9cde9125d7eeede735d709c611a9fad0f4c730

SHA256
ef121e90800db3530478f8fefeb7c164bca27ca6c6ec9e873584898a08e020cf

SHA512
c3ce7feb50122d190de42d444802faaff2f1e8f1746958944f2ec1ed71bb7f6f7da9e241cb9dd032bfda3154dc002e8b85adb550f4181fa19e4d4a7b3bc74dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYQk.exe

Filesize
158KB

MD5
bd4b08ae93220bda0faa3ec777bfe77d

SHA1
ffdeed42e12c016d5f10748ffd1bbfe16b5a84d7

SHA256
b790ae04b7537f59c9d556e406ce5927b7c677ca492c36ea31919f4fc5e0f4d8

SHA512
1aff6d41fbf42b3a1bd34f7b984f12c22cb67b8a6187a32f442fa3908215e38e481e8e47c5c931b196959b0c06ddd97223916346dcb3b9a9d271ec3400179314

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccgE.exe

Filesize
415KB

MD5
2b77524f7b092cc6e01e99012682beb4

SHA1
88f441e09d74b6218a88e77b83786f30bedcff42

SHA256
31ca984690666036ce0b6ceb195c8386907c8516b5c1e3490a4b9fc3b3aac8f4

SHA512
b9174c6343658af270ac43abbe7084b212e731ad0a13ecf85f41e48eaf2a5130d52b653d688e9176919032392a4dd5d4b8cd1c79a7828f8e22874e63226e8b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckQq.exe

Filesize
158KB

MD5
291f0606dfb9021f9864fe29f650a311

SHA1
76dc1dcc9d581a0aac0d1919a2c009a34bc81094

SHA256
754a4f4dee3f55db90d256d8c72c497cdf2d022289e7de25e516f987a7aa6365

SHA512
beff75a42226166fc0860c99b18353181aa2d0b0f1b0601fc4094ba6a6d2ce9794fea0ccb2726eb1d882029e690db1be8d77e0eabe59896f380531b8bc738545

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEQMoMgs.bat

Filesize
4B

MD5
cf4688d8914a79dd6e4400e63b651bd1

SHA1
2a348554c395e67bbd838850e913e87d54aabc0d

SHA256
d24fc44fae4b397541c35772765012e6811ae2074a49b6457701dfa9605f017f

SHA512
7d433ce7c0909d192a9967f7cca15c3a2027fc93c1ae406cdcde82556243f31c2aaa4e166fd7c17cd4c9df4afee7a90817a101884394d19caacd639052065eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eCIsEQUY.bat

Filesize
4B

MD5
f0a97db7be26d1939d731e1deae26652

SHA1
af4677159622b65dbfce89972ff6df5478c0a3e8

SHA256
f8286e5cfb49c695c9711f86e47e1c15854df05faf2c34e9f1fa57d09c4de777

SHA512
1467a7670f1a42b772e5012c36845405517ba2dc1a56e60cfcabffeeae3e95f5955c34f6158aed25a688347c2d44bd471e8ca4ff8e871efa225ca378b50352fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMI.exe

Filesize
158KB

MD5
d36030d1013757e4167345d7888381ff

SHA1
2c1358762d32d06da30c879e0893cf2b733c7d36

SHA256
275d71d95f4c2d58f844acdc0542f7df06a883227dc637660d11aeb610facaeb

SHA512
8cda46870e767333408b8645ace22eef8bc57d7b3e801bab4c0f2e7a1eca387fabbb51e36008ffd96096d315ed555dc2ca142e034f4236e221f21572b9394f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMsQ.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQAm.exe

Filesize
158KB

MD5
b278c32e301cd0dcb3e0e87d4d3b154d

SHA1
25d9e4b20d4f21bfafc15e7cfe926f78c277a993

SHA256
185ebb37ffbcc3eea4eed3e570353c4ce81dec5e736c6cf9a7d54468f41b7949

SHA512
b370ab044cf8c886c034b13dd1e6ab5d753f680a0801aafd6fd7417c5bbf0d14faba6cd7faeae9db9cb2658fc64ed5fbdd374f9f5eb6518bef08ae580164eadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYoq.exe

Filesize
158KB

MD5
947cd65d91aa98da7924b8753ddce30d

SHA1
f664e623c704db9c075a68e57d6050098cdd2dae

SHA256
2d79a1fedc714090ca9976a798fbee0ce39212bfce95566662b74ba8aa995ce2

SHA512
c2a9f1a6c9592911b1fcb970cba6a9d0592b84d9ada1c489573c655113d2fa631120abf4927c674a16ec76c6017dcbc3579d89b3c06ab0bb00bd19b561bc4a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewga.exe

Filesize
1.1MB

MD5
9dfd521483dd06eac0a37f1c963155af

SHA1
8f5dc3d0b6bd728a309cdfc7785dcf8ae9f7c7bb

SHA256
4eea449b9a10ad04cd7e97644caa17381f340247067899b7398eb00c84764c5b

SHA512
caaa86f235a748ed7ddda716196bf05e29d82d68f608258fdc8b9d5583963d12f80914cea18baaf0fe7a96f1428250d5ded6c503782b3575d3e080933c5bbfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEAIMIww.bat

Filesize
4B

MD5
88d0b1049419ad73f3558a1c220abc78

SHA1
d738c1c6b1196b1b77b0f569e0276bc69be27f88

SHA256
2baf5c03379e256c38e9626978d2a89d19d5beb1f2797a05bf13489df14eb5a0

SHA512
d0497e5f79820123e0e03dd6cea5ed1d1e6c474532558f719532b7530c187357ce6905eb96d15ef7785b76c784b5b3ba662ce6d5df0fd23754e299df36dc7e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEwc.exe

Filesize
158KB

MD5
82cb12ec3ec5b34e4b768e132a7e1c12

SHA1
06714fb79b060096578898caf2965e3c758766d6

SHA256
65cb322d4e47d38129f916b3dcd7a96e66a2016799a623325ae7898fd65d10d2

SHA512
01a8e721a75cdc239c63172744779e837a6adbe10889227c93574ad722802d9e9ca62f090107f253cf3077bb5441079982ed8ddb5f69844c81087ed8ea9ceb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIYC.exe

Filesize
159KB

MD5
67035a2716c06c1f2ee9347d2ab9230e

SHA1
c648c0c1227f7e3bb5ab18ee5ea93867d1ee6cec

SHA256
fa9ee3987b30bb1caf7c57558d72265716f8e83ac50bb8b7d9e08028cde5ce9f

SHA512
84b91824cd0d7fe3c366edb7e29c79fbc0c1e17be2471457628ff4692e49b3cdabe5ac376474736b08d284ed3517bf321153262c37d19a0edf35b3ed63c174b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQIc.exe

Filesize
158KB

MD5
879325416619b5057aaeedf2f9373b0b

SHA1
d73fdd6abadd58e5f6d01e93f95e7fb733e4f188

SHA256
fc1b203d47cf18031878ce726c451874261469274e18c0e4aeea055a3af818fb

SHA512
70e4d650bcfb54a13270d15691fe1a3f16cd67a9727e601d5a3af3638318174e7198e5d1ed911305a7130a6e2a0139921a932975708a901a04cd293130c43b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYcwQcIQ.bat

Filesize
4B

MD5
8ac726ea49a2310774b0b6a225051442

SHA1
66b5cd60142d05d46fbb06c4d1a349b9bd0043b4

SHA256
a2f3949b703b8a09bf50a0e4f6d244663343b0adb6c66fa0eecd6a8812b8f123

SHA512
200b5c6738b148a98563322dc1ba824e6994478c33c2e28ba7934e9f8edd6ed312381af067056055270aa74126f3d26f2cfa52eae0aef55180e97bc5f6cbae26

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkkG.exe

Filesize
158KB

MD5
fd077fc5c1b0a292260179e887ee6b3e

SHA1
101c7f3bbf3008d51d7fc7a4b7cf15449651ed95

SHA256
6f0808bdbd1821dd1d0734eca7aa5b1125bb64c42ff5cfc95f0f671b8b79807a

SHA512
b86cae9c10018fd21b78c44212896c561e2af34c88e49fce4d2a1f2dc14cc5b8e55312f7d0113ff4ecb0d339fb1c9df866d7b7c6b4d1e0de7582a51c3bda2a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAEu.exe

Filesize
376KB

MD5
2bbe70f653285425c246e0ff9d0d9c5d

SHA1
06a4f32357903a60640e3cd4b6c515bf3f9e6ff6

SHA256
97cef48736141aff75cf79a34eb20f95c708186448101a2f32e596adf4b2b5c7

SHA512
b2a7d6a25bba62e5b0be4a4f397f5de5d3fa92553949014a22aaccf2bffc459949f9c9c2cdfd10f3b383f4622184a6704c3d57bd11d2135e45580ab85ed7fa78

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsA.exe

Filesize
152KB

MD5
e03460d7bb99bf3d31b280552e7e57e0

SHA1
5242a44023efb308dcc2ddefe8b41c453e6f6696

SHA256
910836584591635ff117c942d4782bfb768290ac350cefebf18024124dd79cfa

SHA512
6d79892f6a0a473487394a5eb65b2f65c9131330c30c3c7ca4a2eb2bd07ce3b5e64a0e5ad5001e020c120a738b7b155e59789e51dd51b6e5b07c3ca24d1eebcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIcU.exe

Filesize
312KB

MD5
1aa5bae5c72c0dc94fc1697d8958f934

SHA1
13aef31a7e2ba4361f09a4838c2199288fe63c40

SHA256
f044208656d081cdc9164ab1b5c35b595af832ea29e0c33f009bf6531e855226

SHA512
332d9e90411c61314018a1296adb234eb5151ba403b40fd4c4d780e8aee678867b9349cd826147a073a390e2095781ae8b10c93abba6fd6b0329ce418a7638fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUEk.exe

Filesize
936KB

MD5
6e54a871f39efcad64d97e435245d27d

SHA1
5d38b66acffdf5724b233f3dc91438c961af6988

SHA256
5eeb8f824b83b535f79b0aa5c3e4cfc33226eac45aca4dab425e45d1cff84029

SHA512
d8f8f3ada2c989797f28f235c3398251ab7ddc8ef021190f5a302a0d8f7fd60d26b27f077b91c2a4c148d41b357fcbb49588b10f3d12418c6b16f334bcef8b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwU.exe

Filesize
599KB

MD5
1b4f9861f09cfb61170d025412fef063

SHA1
3d5a53f809b34de3c082f45b9dc5e5bf729aaccd

SHA256
b208319d36eaa2577e3ff3881dd6da3ec6146b2400b035b31e849a181ae03579

SHA512
c73e58f0ede943905b2b979dc1a728a878cc0792ddd1117fa792342a7b234e3c5132c5e6836aa9edb99560ce7f597a2ca2c2ccc61adda71724045dfa5aa9b3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iywUEUAI.bat

Filesize
4B

MD5
59d9adfbe35c778c9fa23616966b5bf4

SHA1
23746c78de8e32a426106bc8517e0d81d87c4740

SHA256
46f39a02f35fd36bb44d562d01fab7a509db29589fcc07809f6af5b5ed5f8b65

SHA512
6a40c43296bc096c38e58bedcc6dbabd8118c1d3687fa7ceddde149f2740f801409993d8af334208966004c8d30b6380ea353b998a2021577db54c18de63c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKUcAkUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYQEkMUg.bat

Filesize
4B

MD5
1ef9da4c4c1103615960bed260f2cd2c

SHA1
9fff6d9315b3dcded2a8dae721a14194e1d6c164

SHA256
5a189608442b97f09fe9a8ef99674b8458383c21f5d71ad873bc23dfa2c3e8d8

SHA512
3c45502f457bdb37322ee6cec797185d46ba87a3e760db9630639a6dab0ee144ca8237354230be484231c8024e1f96eaa0e946b5e48c9a57ffd18521e93a1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\jugogQMg.bat

Filesize
4B

MD5
36900aadca34dfb4f4c2b0247f298a3b

SHA1
dffa7ef61cd743b4b38c4992e075bf4c3c59eb66

SHA256
e3e327cadce54ab9da6b05db42d2c985aefb74775f823937e90cb7adfde25b7a

SHA512
e28b12400ff78db54d175b37e3926b2d0144dcb22da8f4666d0d5ef6e6ef57290457cd37aba1931d073618f1b10e08df8e72605a14899dfe17488f4a21c908c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAUC.exe

Filesize
717KB

MD5
cdbd28b871d2983198232f1d887c7b0b

SHA1
648229cc001daf1177b49893a7bad743ce4e0e4f

SHA256
7ba0035c60cb56a17dec9d66d23f449d4733d9f2c208beeaa6ea02d3dd427eba

SHA512
bf34f1ec7997c37291c1eb931300f2d02141c41ab7df7082c428cf4da9f4507f65c6a9154352e86834a766aa26536008805b96948bf4fe658f91f47c650262a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEQs.exe

Filesize
160KB

MD5
33eabe0740fced5841fa73a33887c597

SHA1
4e123b06de7f0bbfcd2b675780b2706c9f422d6e

SHA256
904ac575217eaf52f00be6bb56dc5c4091ffa10c8319b6cb3ab105c0975ce371

SHA512
89d0b410a40c39f158c67974d6d81917d025253d078a01e9047057b6255ae2b3e31a084329f0e77369c3623e67f3d3f082e63bbf72a2ed17a60925822c96bbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIwc.exe

Filesize
867KB

MD5
5a674bf620c9e0806aca977e4e4dc2dd

SHA1
d054a72b7cca1670298aa0f70390c029e0df04ff

SHA256
f075ca5b5e374b057c9eb3efff08d653a058c9bc78cf5b81491e221494de8b2d

SHA512
31bfa494c4a8e2b8efbfc1837a4ec27237f725011e2642b6a85025e24171082c27e94c905757d2965ab2860bd05d3141123095c0748f2cd9f3f83440a1567a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcos.exe

Filesize
139KB

MD5
df7fa0d895a2fa81bd0717d03af9727b

SHA1
69fcc674b39e35db4a57d51ade9e2b6949b78c7b

SHA256
effa64465f8ca728fc00f7d670aaf5c15e03e968b1be1cccb02cd19cd36e5d3e

SHA512
9ad7d61dbf7884b9a0b50deff9c7b71e75ae4e3afa003a71a19054ed77685150db62cad7d4a2c3ee969277aba80b8a244f5bc11662c36b56263074017f211412

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcoy.exe

Filesize
157KB

MD5
4eb31296cd33c21e6b5f547876709c13

SHA1
af670b90661523e4a67ebea95488bf24cd2d15b9

SHA256
b037b95d534c487ce0a6538091197e7f9e1adab9cbed01be5e6b16317bf860f9

SHA512
fa4d1d70a7663c83e096edb6c5e971c877198d6a445e2d3a56718ec7bfe367c2ac463fa521a45d70bd9237f6806e2ec4213029f4804fb7fad6ac9c48265d3755

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkcK.exe

Filesize
540KB

MD5
cbf08850f06a1c1504bff15f875d35a0

SHA1
9be4aeb820eb19b36d3837993aeae8dcfc1c658d

SHA256
2432ee992c35f552b839c6a84a126fe1ed5ba3aa1d620ab788cb2b184f992b8d

SHA512
fda9841d4f86d998037c2970534448c5bfcfe6711e75ecd3ef962343afd6a89db7f6a5c04512924c228400f5c865d750e124e2cee846ed908343d0918a315325

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAO.exe

Filesize
530KB

MD5
2f0ea6ec8482f9d9069fda3862ae26db

SHA1
56c8aca2b77d6bfe05927724419a61add07c9fad

SHA256
7be2a84735dc26509a730a669238a1ffea7a66d965863c9ed7abfc3da305640a

SHA512
e34f9fcd8273861c20043b3ea6d3e533b50b8a8dc2e054145ffce310c5613de82b17e0c29673088e29eb2b2f2e7fa91ebe7c41c55e58cb80d7298d2536a3c01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIAsYEoc.bat

Filesize
4B

MD5
745b97169a82c7579714c92df89357da

SHA1
22879a647059a0a1bed92bd97759f397c1d42822

SHA256
553f73afcf0ba1f869de369a5505d074b4b63f13da168720886e25b914eb0505

SHA512
595446dc30a566da06be08ea5814ad840a46ebd059271726175ffd1ef8b1a76906dc0372fb5887ba5bd252d4d8bb4083e5565f1bfd21c9aac827bc25ddbd7b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIEU.exe

Filesize
139KB

MD5
513ecbcbdcded826a1d21e5014694d93

SHA1
56d3b7c22496737b2031ef22af225653f6f55929

SHA256
6aee22596c2c06e8b6bf4395477edcce38be05a5e54605c06c8c35598352e4e0

SHA512
b91bf0022feae629ed9f195375f65b961350cb505b2b05dc04fece9fbedfef7c6b764dc341c4df9e1ac62c4ce3e64d4ae23fd76b391b39b9085022ccac4901ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIwU.exe

Filesize
158KB

MD5
17cd2a09f15314245de8646b50d58c5d

SHA1
60c2372b092c4fdbad106f0effc749e181a0215b

SHA256
e47ed5ca56d4ca7b5ddac4b1e6d869432896d8dc9714bd4ea2cb8275700647ed

SHA512
c6e52df8f6fb73f1b56486b6ee5f7fe94fc30567992480489f0fa3d9f65d141a36957313ff804aeb27cc0b6dd021e27ee300142b023c60fe9f92d8dadbfadb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAw.exe

Filesize
745KB

MD5
735cf9dcb2375aec0a1ba21339581191

SHA1
d892ede7d51418ed8662e338b627dce81fa5bcbc

SHA256
f0eee4b4e8b672834057b4c4d782e7bb66545e799474074803418bc8a659d7ea

SHA512
59323dc099547da5a20bde8f7bd3e6d958abb1354f54da9ddf74f3ccb7a3c7ddb5971713c0caf715390008ff612feac3be56726096461460bc40b6bfc26f8ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYMe.exe

Filesize
159KB

MD5
69942a351f7c12b5eecbf7af734ab138

SHA1
bfe96eab27c27df88e5126d5a7fbb9a74ffd63f2

SHA256
27d27c4d45c0d0431098629855d8b36cc77f7016619ef36cca60ed48abc93d78

SHA512
be27ac634a0b3bd8b76c74b67dd8b9c41ac2ce85082b715520455e49acb118fcee45da1892c38061260e79cb0d5c4fa83401443824442056de9bc1911662bd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgoQ.exe

Filesize
1.1MB

MD5
128154da6fc86c77dead7195e9f579db

SHA1
d5596aaf617ad7ce7d7b5a2aa3a53381f9fb5ee1

SHA256
447844345aaf87638ce8b48fad71e882a4e377220e1bf2f78beab4218c6bb856

SHA512
9c7ed0a56b6945e4e60054e791c9135dabc601b5123855b2ec38fbb34aec98db23532271403c48b6387c00075df552d0ec0bf3ef2fdadd7a6bd1d4212fb1938c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngkIQEQY.bat

Filesize
4B

MD5
69af21951d7e955a656d0aa3975f74d7

SHA1
4da44145ea08c0babbe5352cc4d364dc0e4fbbcc

SHA256
e30a5d9daa510157ebc3ed5546471d68c9224bf782961bacd38e5da02f0864f7

SHA512
20b611a6e35bb491975b23c4a4cc508b48bb9eaf0dc2177836abb15720b74cebed2315a1cde6d02d22f869670bc455066e3b5d423f5bd9dabc7331a2e519f4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIsM.exe

Filesize
159KB

MD5
9539d4871be01db5827ab74b149dcbd7

SHA1
cb6207e2995b6a12e043ef3e5213f94e2fd9fc56

SHA256
ba7986e00fd43e4f99d92025abb3d70aa3756541bdc363959f21cc5d64930969

SHA512
be4b42eecfa014f2064ace2edf881cf5e7dd4432576c94d798b8e7042501b7bf1dbcc0b253bad2dd477c472c1f49a3295741b84121dce432c0c54d9c6297c092

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQQQ.exe

Filesize
404KB

MD5
d1c125963bd5de6ccceaaba415f5529e

SHA1
724197ff4226482fd97d7ac1ac406a7ba69f3007

SHA256
9481c6e57540886e7a3dfd3da79f9222f8740335580114c9455813210be39c25

SHA512
a27bcca77a4313c6313749064b9fe9760ee58691515621baaea45552ba96fdfefbda23483641e146c7109d18ca46e3f18c3f43254a3974b693b2c18811fb02fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYK.exe

Filesize
158KB

MD5
444e808bdf713c1b7334fbd2c7bc6b70

SHA1
1093008d1a94a145722f509f92eb877fe193d7e5

SHA256
9b1d2337a1a6f23a1d39e161cbeb2d591ea64a31357e13512ad6e911d99355bd

SHA512
f9715fc862d54188a006aee5d7edaf9ec6a8a5be3f53fb74281db965cf69a884346ddbe566afef374d04233fb1ed259ac65ae19a4e4053c533a7e3acc05fac6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogwu.exe

Filesize
157KB

MD5
f61ca31439b58b067c2a79bdca06cec0

SHA1
efc5bfdb335a4151590af86a438886ccc07dc48d

SHA256
a60ecd7e7df9fee4ab845d968c4783ae5108d325e8c5a0f3fedf010ccfabb221

SHA512
ce4a64f1fc488bc7f5c0d1b711430d7c0baa33994916af7e3ff4e19c35bb51789459efe3c8f3462da1d184e004551cf160afad5aec35b57e51ecef282c38b2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\owws.exe

Filesize
717KB

MD5
7447bf9f7df77089e4d883f9e13fc882

SHA1
af6a1b7506269046a2fb18ef9ea9c1c9a023f935

SHA256
8e3195e6ee73562101ef58cf0f4b5fc4ee3496d0ae2a1564ce4220dce6c2586c

SHA512
314e6f9e7829879ee0fbb60fe72afd585f2b54e1ceb2411fda57c8c4963f63671c6d40a0467147053995c71a5f632a97553f37e853fa834c83687eb078e54246

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoG.exe

Filesize
685KB

MD5
e08c5bcf8213d93f5fb4209958979913

SHA1
65ab0274549aecaa3a3ae9b3d1c5f0a17acd1146

SHA256
a5b5303c53f17febda97171a99ecd01fd981199db15f7133b4af6a902e1c28fd

SHA512
7498b1f1dba1d557a82eec983d0a74646e7a06aab2c2d4be822ff7a6bcae09ffe18954171b967e73ff617593cd46fd750e9f7e3ea686ca54872a9b83c744cc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwQ.exe

Filesize
157KB

MD5
78672d54d02e1c1dd4b98343035b82e3

SHA1
db76709ed2d28add442f1cf9068154c402185db2

SHA256
679b4b1109507851686d97904fab389b729735e7d1904675e9400b416be17274

SHA512
6f065d90a6ed7856cd18c70a77fd61f5a45682f2b1770e628d38345a115cde1be890dc18340294083bb2352b5ac5df879c5f6b146d7f03bcf3826fa8c1c1041e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qokA.exe

Filesize
159KB

MD5
f45fe47dbe341f126037889d8bbe2efa

SHA1
2e2abbf4e43f59769f865f31cd4e2196fcf1b47d

SHA256
c77f8cb75e10d66a7ecf82e365826118f77d3914c5411c2bdc2938100a594f8b

SHA512
a24cfa0eb472f8ccdcd8ccf58e5d3da093c7a287d95963584723b7198480be8ec63d994a5d1a3ed4c54051a5447a63cb5c7a740bdca6f7cb4ac9607f4d9cd072

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsQK.exe

Filesize
159KB

MD5
170fbda6d48ffc033394e3c41fdea757

SHA1
21934eb8aa15c07e2fa037571b4b4407039e9b58

SHA256
674d6f11798357fe6b433c7e815f310dfe2a8bfecf5ccc532478ec6f6e47e942

SHA512
8855bd57ee37d6f529121bb976e0088083bd9f8cc693ab0d4a51463806c2ff1dce52c303b7fddcb0b0ad00e504e71dd13524946de8c181faaced18c93e46c072

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruoIwYco.bat

Filesize
4B

MD5
2e550aa3a4ea0e9419f843ed69ec5d40

SHA1
084236f157c5adb3ca14544bb13c4a544ad30d16

SHA256
d6963db2732e5e185cdca449546a66d37c42620b0994c07f84f5950d6c9a6d6e

SHA512
7b51eb23612cf45ee8aef7ba533eb5be5da171d2f35defce1ad29a1f763c76c51f9548785c40a79da735a7f3466ba36d6daa5f3850b03d3a9868e85ea0507648

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMES.exe

Filesize
158KB

MD5
e944307917aef77fe5a4a6149d9f96b3

SHA1
85c358c1f116ede8ee3a273227c1399676516b67

SHA256
7f9d2723eabddb5c3d7e7a60b485f4f0711d8102de1cbdc36ce53c738b37e0d0

SHA512
0e1bfac0b791d0960f8c4dc3f690570c4ae28775a376ed91a2511ad47c6007d1f829563ac546067310c97388d3294ec32ce3daaac4691ba7fff17defb84becb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQoY.exe

Filesize
4.7MB

MD5
9468250c42c9af887530d6614c9b9d79

SHA1
3c52c4cb32df44841d690a4c11ff2d73df52a19d

SHA256
0449bcaebb2b7157899a61ccc4f9b29539f0d17f7f8b5a0472238de87d9753c8

SHA512
1273dec9647e945ee3d9030686cbf4ef282ff69461b02fa24c83a33bcc9c014bd58c3416f2d610182f6d605581f6d10d9307d7061091bed225c446bbdfdc1678

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUoQ.exe

Filesize
160KB

MD5
4fddf193f751af9604f5ee0c00e7edac

SHA1
433a5218794bd0161d22c5c3b7932106a7c6b3be

SHA256
003737465e308e96954175d08f60e1cf8e253cac21a838e08f4a89eb6a20d859

SHA512
18b59e1fbfda4340e1109441c3a2783ebca1eae66cfaf2b8b4aca76d55008d93a69a455f988f8f5fd5e18a08dec53c9772c4b51f1ec6037ec50b88849be25d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsI.exe

Filesize
159KB

MD5
f55d73a3358f99d8fb2f4eb1bdc0db63

SHA1
3c39f8ca62a69ad68bb0f3a26a69a4a8acdf9df8

SHA256
5746f43f52d7e4eb9cf6e817d4f10f91299c8c48f977e5bbede7305077ef1d77

SHA512
c181519af92e5c8d02bb31ca91b65ccea5e47281ba45b95ce7366291f0cd9b433b6be6f21956cbc48f9a9bae43390b2a7d251ec140dc5b5884d7d9cf1b79398f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssQi.exe

Filesize
237KB

MD5
87829d0f3d8658befb3f57dc83512a36

SHA1
565788cc84f1c5a711fca233f3e569fb694449d0

SHA256
8d19a4a38158f927c06910156f1d0df522bc8a7166d2fc44363afa9f7fa102f9

SHA512
17d86eab9bcb24caba29a094b96abe3fa27c6067f13c2437421ee4217e5fff2305e17b2dd1206c81af2f63f123148aecff9936479533df67658a83010482af07

Download Submit
C:\Users\Admin\AppData\Local\Temp\sssu.exe

Filesize
158KB

MD5
534ae6517d00b4b2aee371525ad76fd6

SHA1
e0a772a6d3a5453be09183934684118c9115fdf5

SHA256
8727f486d4cbf3dcdcdcd12fca9be38f1bb10ac14423ab785f5a8aa6899c4627

SHA512
7ac10805c7300add611caa6aa05bea82545d38bc673a744a02363204e49259698b59a6c55daad803e4f740b7a2e362aff721b6d0c76c2afb17d1ab78b09675c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAsg.exe

Filesize
158KB

MD5
6a5041aae6af0250e06b807148665329

SHA1
82a6c1ee86e7d806d98a9bff7385760f1a1952e8

SHA256
c4597af34d5eebfaf767001f78c7b3eb69a16ca1bf5b86c6a95ef6d43891cb3b

SHA512
625456d0923205e93bfa572fa37a3bfb19bf8de7dfadeecba753db6b7a2ce3c9d60dca49f03dd183234f1335bba8dcd615e1f2b70548cf98b6b7081951c60216

Download Submit
C:\Users\Admin\AppData\Local\Temp\usQc.exe

Filesize
157KB

MD5
e692f288307cf352a45924c45628cdaf

SHA1
6c87ae3d0b6c0348a8cbb5e2a57497af6cb80c42

SHA256
c15f62d674514103d3778f61d363e38f47ff2051502f024550086825f2791491

SHA512
25bc75af7fbeccfe989858810479163d2cfed37b1755606858a1f5e4951335bb8fcda0aa59c9b7674dad45cdc5d882f4908c4fb23906dbc8542e2465bce51e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAEoQoAY.bat

Filesize
4B

MD5
65e61845961ee53b4ae77529701855f8

SHA1
facd63cafdbde243280e6ead7590670f6478192b

SHA256
1e9a619db218c83d36d97971dbe5226d1792b5c080a93c2748f8a603a5d9cb1d

SHA512
edd34cd02ad05289bf5a285e64347f60e73b1b40ba4f1881c30a8f0879df2384cdb580df295c6ea07ac7d48875dae109f60500a171990cf3952e3b61fb2ec981

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGQwYEEA.bat

Filesize
4B

MD5
cfc8daecc5260334afd94a7261a197fa

SHA1
930341c099eacba05b2c87f6e30f96386ef4ea20

SHA256
f5f84f8f1d460ab5ac666ca1be96b141762c9b7733f64b3191d3acbf437bdf0e

SHA512
81fcc0a412c3ea2fd4627b975b830ef74dcdb3c4a85e0b396b86ffd2f5511a44d06afb862b223d4402e4bb0b07640c04831d8b5750223168c28d3f23084de0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIsIMgcI.bat

Filesize
4B

MD5
ea43f0a534eacde0836f3f10231bd4a0

SHA1
a727be4de858cb0f5bcd776e26f6b048a0745298

SHA256
1254d8feba3c2d66facd23b6ba963f5f0681103cd6916a1c7748324791bd080e

SHA512
0dea0245c64e199aaa61973740cad4b87650040956b314a2bbe4094513095946a23614db4af8e3206306a78edf83702bb2b3caf3a6c85ba7b7b5db7507daa578

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqYQYUoQ.bat

Filesize
4B

MD5
24f4114b4e4ad41aed9289dfa2f0147e

SHA1
cb8f4db3f5e91ec85936972c321ac2f6660a2fa8

SHA256
d29e8d473f704027bafb10522c02b67d119f5c69a7d74b9841632ea4f7e1b3e4

SHA512
4f917aa17e6991b703e7dcf4615a725b45f345b720e9234d895281830fe09e4da3ec6bf05da3da012054eff3196da3ca3e75fb4353255eb88e627b0107d82386

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyIoEkwo.bat

Filesize
4B

MD5
33ff443ecbca05c3bb15bd72493d9970

SHA1
f9e30dcab308aaa51641efb69c439589c6391640

SHA256
4c25cad587fc28b7850cad17b94d6c3e24e67e5481198ba76e7a879f88cce16d

SHA512
4bc2ac375710b123e2405f5073a8d0f5cff92e7ecc80e0e1605a5504981d69d2e510de27d38e2d4b926d11ccf5a360e89c97779a69ca848a17b78ab84800ad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEsI.exe

Filesize
158KB

MD5
bc2d1e5778cbe87c3e42854c4d3d02b7

SHA1
c62e7d26a6398aa04c5cec7aeee3ee27e8c2ab2d

SHA256
a9194e6222909623159d7467424ed7c1a03667ef95e83b2cc99c5602d4d19d79

SHA512
8adcee3eaea6d7cf80b80d195adb96cdd18ddba381b43e104555a062140a63c6fbbb43160614db8d78743ea1ccd61cd828f53182ab9932e700f7f6d98c1a7804

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMMs.exe

Filesize
158KB

MD5
7dd61cb0320a0c58f53850c9ca4de267

SHA1
7c180989a0d142627c69d9923b8334862ba7e243

SHA256
4c0fd8abba700b123e8d303a0aa757cb23383ffb582d7a585ced20aee2c52986

SHA512
8f371db3cc9ab8dd4f977e03dc9b43c3ab3c191af17e9b117206e5aa1be73c07a875103293ac642efa8468e2c4d6e50d380522446718fb780c497c4527ea007a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMkI.exe

Filesize
160KB

MD5
b18e902ead4027e211be8b43e93ee747

SHA1
1725dc36417d644f39f6dbef84f0abdf9b9f67e6

SHA256
f1c539cec10322d77fe97675e884a952043b11901143e2da558973c037924803

SHA512
b0a9aa329ddc2d72b5f4148b631eabc643c8618aad1d03b151f5a0ae84a768a70d3013162306821adeb1ab6f93b87b3cffa03af1d25255f60ae8202986718357

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWMAUwcI.bat

Filesize
4B

MD5
3d1caed8ebbf64ece304c3bfa7f9f104

SHA1
a1444763bfa21b92e9b5b3b2ea8accc080fdb525

SHA256
805b013c716392ad5f7b2cdfddd436f75ed1de7ab6a3fb34f1ae757a59144a89

SHA512
1c91543269d9cdab6cefeb573fd6ca14b6a8cf71af61808178ae98e351ee1beb6f6ce944f982773c1ee6de2806797b76b57e50dea828a7097344c99cef570aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\waAEwwQY.bat

Filesize
4B

MD5
f22fc3ca2c14bafe2519eba111b78686

SHA1
40e336bf93027542bd0ca8dcc589da247549498f

SHA256
3e89fcfa8bf84a11e09c986ca7a9d03df0671510ea8ed3a33bb64dea8f2f8584

SHA512
381e7253a2c4a79c7eabb4085468de26ca7370fd00e17763c359fb51b3437b57bb45b8a1f887d22209b0a4e7f6b56493f3af20ecd60db3be4ec6a1c0e7fd3514

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgMU.exe

Filesize
159KB

MD5
e1ef657c2602f3b207fbba1e9b93eabe

SHA1
f768823e5f7101ac2e12f5f59962b83d5151dcb2

SHA256
a89fd0320061947afc3f7b4190513feb967b334ef0fb05758d17f2f730c2c532

SHA512
d75fe0c251f37ec2ba6e72a8bfa8cc333abb8b9f93b232c584ee0bb851f049d885ebdda8c10e8a9bfea1bfd37e3bfca2e0438e984018ec0cd9f55c293942ef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkEA.exe

Filesize
158KB

MD5
42fa60c586d0021feae3ac03db889fce

SHA1
3530bc15e37f870de75d18129ae79a2dbada55dd

SHA256
ceef8c8aae50f33198d81a91019d79a8eea08656738b87123328d19cf3a79884

SHA512
d03fae017b4a481337bed00a27d607121ac56247ea76de8c4178f31fbddde0a1202828a4fb460699542b43beac2e377dc0fd125362cef7206b7dbe9836828876

Download Submit
C:\Users\Admin\AppData\Local\Temp\wywocYEI.bat

Filesize
4B

MD5
ba87080aba03088a70749f58bf572ec5

SHA1
30af43a8a69b29280365eccc722bdba86126f823

SHA256
18aca1c58d0919f789fd51d6bb88c39ad9fdc3ebf5888dc8a09079e551a681f5

SHA512
532ff99a6bd413359110a54db97dda0aea7150b2e01e272a2328cd75096f9aadc3de044476c4a746db7fdbeddeb1eb5551d63ad2fff09e3982cd7ed0bd1ae019

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIQI.exe

Filesize
968KB

MD5
24a8157b34cc259b78855ec8600741a8

SHA1
2e01d0cf574c2db066653ff3fe6a95a1b4259f57

SHA256
aa045d5ec5c5d87c8533a1e0ea425cfc3680fb54e2769988c5ae97e0a5a6fd20

SHA512
5fd8ef526c52727cec647b401f5fddfdff7feb73786eb7588ba2c6ed67adc4304251c9422ab7dcebb9aae4ef1fa98c80cc1ece20f3b071b18405416f7ae578c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUoa.exe

Filesize
160KB

MD5
5f35e18d37d914233ecad07a1bfc0df8

SHA1
593f376deb1d91f904c6b6aed99902f7a4ba2de5

SHA256
e3141b66253e862ed6d69fabc951277ada2d672f86f4195b811f53c10ac1f7e9

SHA512
1b50e355de92848e87f760f777ae3e8cd4efbead43d83bb74c453cd5eca996284d8c30957dbd37ece00cd8e1f2f61b426ffb105d7a89b373c1619e849d1027cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYUE.exe

Filesize
140KB

MD5
11b9634d319ea200d4e40803b854a124

SHA1
98d831b0dfe2f3c957f0d7bef5b8507373f298a3

SHA256
90f41a1ad2ba46514ee47d7dc1c1adfec7360674b787633dd60ca5b8fe830b62

SHA512
19657cfffb9ffe4645601ccde2405b59a620953d134b653f79bdaa040d7c35db24e65dcef8a2edd3e88cba821af10fe35ba3d690bef63ce15537c7736ee70b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwI.exe

Filesize
496KB

MD5
91074db76a993e13b9dd3ea8f4ada4f5

SHA1
73798830b08f468d82a8cce0966738852fc420ee

SHA256
704ab141da55b724049c629ca4e577c9aa18ae5a0b47b3bfd766fedf12f4fd8f

SHA512
9d188f7143b47f9ec103325064f2321c2275e8dcf6e9425d83c202ba7b4c44fcb7b6665f094fa526daa069786972252ad1e4ffa7fc41b27c74e8fece70238f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwO.exe

Filesize
158KB

MD5
2d2aeb4e0c64d4632f4bad6dc2aef8ce

SHA1
0fe58f400e490af8a42f10329d85be9f1142905f

SHA256
fe04180305a21ef4ef5a701d0554bc2d31906cca6a36277a98f7cef5c75b9731

SHA512
c8af83fbe3c4804b986726c36242f060c0fa111ee081ed7f1928250eb8c96878dec99398ffcf735d56fc8498a433eb1bf5c9dc9ff7dbca49c79059f11f2e7523

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysQC.exe

Filesize
158KB

MD5
0a0b3f58dec993102bbcf4e742c8eec0

SHA1
9c6166fb766082d5e54e2b482a1d2ccac3a39863

SHA256
a0fa84cb1cfaf69fe6c56bc71be6a377d7d9e4b3347568bde9233ee4d6b5cc9e

SHA512
c632d8735259ccd348076d6651dd095ad494b9e0d39c8c9283a04d11fe062c132653c967221dbd31a4f9f79bb61bda23bea94a381c4506cff59343da783c0e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\yswW.exe

Filesize
158KB

MD5
a216ea9fce3a05917b9152f63311263d

SHA1
2ba2e1413070c4c4899349c4f255f36a016094f9

SHA256
658508c1f8585c62d618ed306cf114007a6d30ab1e5e35d04f41ef7aab1203d6

SHA512
71cfda4c40d5f05a97a35ff41d7263c43fcba78f9a06095b9791c2dcb3dfe9887ce386fb4fd3bfb0f7a0c216c2c4d917c03048fe118affb3df82cdef9eaa07e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCcMkMQc.bat

Filesize
4B

MD5
4a00c3d8cb841cbc282e64c5566b0a65

SHA1
264b69066fc7a42f245a7ae1f1c1822d98ddc117

SHA256
54685211efa36dc71b6844a89f9ab7b494a797e116c4349188c03fe52b87467c

SHA512
4a06d6028d008668219b9c9634f01c2254f20308ea0ea9574f6d0063c9093bf07c7d8a2531923fec83805326bfc50291e11ff359d832450402ea378aaedf1a3d

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\Users\Admin\euAMAMMg\xisosAAE.exe

Filesize
109KB

MD5
1b215ef8327b64088ea4348b6d5abfb1

SHA1
45ffc99e56365a40f96a7b5925d56b579c25a6f5

SHA256
5d8b7ec5666ec5d49ecee602abb2d4c74b5a300e9dd8dd062744bb8708799e0a

SHA512
410cf2eafad2b759ffb77885d25480410f9bc8805e65ab881c07a7d7746a09ef69cede0753241ce6394e33837464daa9f6cd4495d50e1d9891a31d786090799d

Download Submit
memory/528-388-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/576-244-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/576-243-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/596-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1136-127-0x0000000000520000-0x000000000053F000-memory.dmp

Filesize
124KB

Download
memory/1264-150-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1264-151-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1284-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1420-386-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/1420-387-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/1472-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-198-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/1624-397-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-79-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1636-80-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1728-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-56-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/1928-373-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-340-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2076-174-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2076-175-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2160-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-291-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2200-290-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2208-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2344-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2344-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-5-0x0000000000330000-0x000000000034D000-memory.dmp

Filesize
116KB

Download
memory/2452-12-0x0000000000330000-0x000000000034D000-memory.dmp

Filesize
116KB

Download
memory/2452-29-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/2452-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2476-33-0x0000000000180000-0x000000000019F000-memory.dmp

Filesize
124KB

Download
memory/2476-32-0x0000000000180000-0x000000000019F000-memory.dmp

Filesize
124KB

Download
memory/2500-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2508-30-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2592-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-338-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-349-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2676-362-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2676-363-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2712-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2868-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2868-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-267-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/3024-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download