f09a47c590aa6ac6b40d660400b9862fd3f07f1c89c8c5d8273d3acb58f884e2

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
Size

138KB
MD5

655c4e0d2a32c9c40f806582f15656d0
SHA1

55424c2985c89cdb88ea6f09f414c87469fe79f7
SHA256

f09a47c590aa6ac6b40d660400b9862fd3f07f1c89c8c5d8273d3acb58f884e2
SHA512

9ec1c398d47e950edaaf2866d771f5c02462717da42cb4429af1ca7f293d1ab7515c0bcd1e931d9e783a4764f03f7d60628269a4ac957779a5095ac7f6d220e2
SSDEEP

3072:LUSHc06BxtaO/SdRwG1LbTb9iUyE3AzG8LrBrC+0UuSaydVq:LRP6kOqRwiRiwA6OrcNoay

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation	roEIQYIY.exe

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	OKMQoEAI.exe
2128	roEIQYIY.exe

Loads dropped DLL 20 IoCs

pid	Process
2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKMQoEAI.exe = "C:\\Users\\Admin\\VoMUsAUo\\OKMQoEAI.exe"	OKMQoEAI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKMQoEAI.exe = "C:\\Users\\Admin\\VoMUsAUo\\OKMQoEAI.exe"	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\roEIQYIY.exe = "C:\\ProgramData\\ieMQgwQw\\roEIQYIY.exe"	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\roEIQYIY.exe = "C:\\ProgramData\\ieMQgwQw\\roEIQYIY.exe"	roEIQYIY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2412	reg.exe
1608	reg.exe
1708	reg.exe
2536	reg.exe
824	reg.exe
112	reg.exe
1616	reg.exe
2264	reg.exe
1196	reg.exe
1280	reg.exe
1208	reg.exe
1364	reg.exe
748	reg.exe
1648	reg.exe
940	reg.exe
556	reg.exe
1944	reg.exe
384	reg.exe
1656	reg.exe
2756	reg.exe
2728	reg.exe
2644	reg.exe
2000	reg.exe
1964	reg.exe
1220	reg.exe
2428	reg.exe
2872	reg.exe
752	reg.exe
1228	reg.exe
1296	reg.exe
1360	reg.exe
2320	reg.exe
320	reg.exe
1632	reg.exe
2416	reg.exe
2604	reg.exe
2552	reg.exe
2256	reg.exe
2980	reg.exe
2372	reg.exe
1792	reg.exe
2696	reg.exe
836	reg.exe
2016	reg.exe
2600	reg.exe
1956	reg.exe
2928	reg.exe
2496	reg.exe
2336	reg.exe
2656	reg.exe
1868	reg.exe
2740	reg.exe
696	reg.exe
2884	reg.exe
2676	reg.exe
1284	reg.exe
284	reg.exe
2260	reg.exe
1344	reg.exe
2708	reg.exe
1984	reg.exe
2924	reg.exe
688	reg.exe
1580	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2608	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2608	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2172	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2172	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2812	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2812	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1924	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1924	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1476	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1476	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2992	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2992	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2700	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2700	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1048	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1048	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2112	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2112	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1620	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1620	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
940	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
940	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2640	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2640	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2564	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2564	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2752	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2752	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1580	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1580	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
676	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
676	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1616	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1616	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2652	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2652	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2460	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2460	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1012	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1012	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2284	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2284	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1808	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1808	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2084	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2084	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1168	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1168	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2732	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2732	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2796	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2796	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1744	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1744	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2700	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2700	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1692	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
1692	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2804	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
2804	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2128	roEIQYIY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe
2128	roEIQYIY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3012	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	28
PID 2200 wrote to memory of 3012	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	28
PID 2200 wrote to memory of 3012	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	28
PID 2200 wrote to memory of 3012	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	28
PID 2200 wrote to memory of 2128	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	29
PID 2200 wrote to memory of 2128	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	29
PID 2200 wrote to memory of 2128	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	29
PID 2200 wrote to memory of 2128	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	29
PID 2200 wrote to memory of 2796	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	30
PID 2200 wrote to memory of 2796	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	30
PID 2200 wrote to memory of 2796	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	30
PID 2200 wrote to memory of 2796	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	30
PID 2796 wrote to memory of 2568	2796	cmd.exe	33
PID 2796 wrote to memory of 2568	2796	cmd.exe	33
PID 2796 wrote to memory of 2568	2796	cmd.exe	33
PID 2796 wrote to memory of 2568	2796	cmd.exe	33
PID 2200 wrote to memory of 2412	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	32
PID 2200 wrote to memory of 2412	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	32
PID 2200 wrote to memory of 2412	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	32
PID 2200 wrote to memory of 2412	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	32
PID 2200 wrote to memory of 2576	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	34
PID 2200 wrote to memory of 2576	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	34
PID 2200 wrote to memory of 2576	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	34
PID 2200 wrote to memory of 2576	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	34
PID 2200 wrote to memory of 2716	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	35
PID 2200 wrote to memory of 2716	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	35
PID 2200 wrote to memory of 2716	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	35
PID 2200 wrote to memory of 2716	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	35
PID 2200 wrote to memory of 2436	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	36
PID 2200 wrote to memory of 2436	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	36
PID 2200 wrote to memory of 2436	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	36
PID 2200 wrote to memory of 2436	2200	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	36
PID 2568 wrote to memory of 1744	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	40
PID 2568 wrote to memory of 1744	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	40
PID 2568 wrote to memory of 1744	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	40
PID 2568 wrote to memory of 1744	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	40
PID 1744 wrote to memory of 2608	1744	cmd.exe	43
PID 1744 wrote to memory of 2608	1744	cmd.exe	43
PID 1744 wrote to memory of 2608	1744	cmd.exe	43
PID 1744 wrote to memory of 2608	1744	cmd.exe	43
PID 2568 wrote to memory of 1492	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	45
PID 2568 wrote to memory of 1492	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	45
PID 2568 wrote to memory of 1492	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	45
PID 2568 wrote to memory of 1492	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	45
PID 2568 wrote to memory of 868	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	46
PID 2568 wrote to memory of 868	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	46
PID 2568 wrote to memory of 868	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	46
PID 2568 wrote to memory of 868	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	46
PID 2568 wrote to memory of 2604	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	47
PID 2568 wrote to memory of 2604	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	47
PID 2568 wrote to memory of 2604	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	47
PID 2568 wrote to memory of 2604	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	47
PID 2568 wrote to memory of 2704	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	48
PID 2568 wrote to memory of 2704	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	48
PID 2568 wrote to memory of 2704	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	48
PID 2568 wrote to memory of 2704	2568	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	48
PID 2436 wrote to memory of 1496	2436	cmd.exe	44
PID 2436 wrote to memory of 1496	2436	cmd.exe	44
PID 2436 wrote to memory of 1496	2436	cmd.exe	44
PID 2436 wrote to memory of 1496	2436	cmd.exe	44
PID 2608 wrote to memory of 2380	2608	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	53
PID 2608 wrote to memory of 2380	2608	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	53
PID 2608 wrote to memory of 2380	2608	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	53
PID 2608 wrote to memory of 2380	2608	2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\VoMUsAUo\OKMQoEAI.exe
  "C:\Users\Admin\VoMUsAUo\OKMQoEAI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3012
- C:\ProgramData\ieMQgwQw\roEIQYIY.exe
  "C:\ProgramData\ieMQgwQw\roEIQYIY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        6⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        8⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        10⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        12⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        14⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        16⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        18⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        20⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        22⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        24⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        26⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        28⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        30⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        32⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        34⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        36⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        38⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        40⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        42⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        44⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        46⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        48⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        50⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        52⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        54⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        56⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        58⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        60⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        62⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        64⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        65⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        66⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        67⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        68⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        69⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        70⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        71⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        72⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        73⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        74⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        75⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        76⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        77⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        78⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        79⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        80⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        81⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        82⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        83⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        84⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        85⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        86⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        87⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        88⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        89⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        90⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        91⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        92⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        93⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        94⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        95⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        96⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        97⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        98⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        99⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        100⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        101⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        102⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        103⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        104⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        105⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        106⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        107⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        108⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        109⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        110⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        111⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        112⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        113⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        114⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        115⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        116⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        117⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        118⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        119⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        120⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        121⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        122⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        123⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        124⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        125⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        126⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        127⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        128⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock
        129⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock"
        130⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KiMgAUgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        130⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWoMEwIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        128⤵
        Deletes itself
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIwsgUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        126⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIUsMYAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        124⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSgskAQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        122⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OewEYsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        120⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMIcIcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        118⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GoMUYYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        116⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKEEkMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        114⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiMssgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        112⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mukkAIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        110⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUYAAwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        108⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fuIEUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        106⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUAAYcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        104⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGwssssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        102⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYAwkEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        100⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAYIAkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        98⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSIUQEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        96⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqggoIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        94⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUYAQwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        92⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RoccwEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        90⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaIgcIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        88⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vowcEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        86⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkgMcokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        84⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZacMIQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        82⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsggcAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        80⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYIkowYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        78⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUooAUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        76⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yioUMMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        74⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGkogIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        72⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqgAEYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        70⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUAkMooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        68⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wekcYMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        66⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSwMkQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        64⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmQAwQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        62⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIQMYEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        60⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcEcsYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        58⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaAYcwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        56⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIowUAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        54⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIgwgEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        52⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcoEMsEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        50⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyQAkcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        48⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwUcEUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        46⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkwUocEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        44⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\saYoowUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        42⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWIEkYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        40⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EiYcYsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        38⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAMMgAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        36⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmQIQgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        34⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCIUUEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        32⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykccMMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        30⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sgckowsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        28⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGAYUIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        26⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwYgYMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        24⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQkAoEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        22⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWUkEQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        20⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\toIcEEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        18⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIkwgAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        16⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmUcQQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        14⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMUgsEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        12⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaIkkMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQkcUQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1616
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2676
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUwYIAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
        6⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeQIcYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
      4⤵
      PID:2704
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2576
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsoYIokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1070419556-2084578338-6857383711566920214-1238989362-17660307121126485952-502849290"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1222550369363750982-531983286-77529531697667523-1626176157864922476-198401258"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1651655038-1902866456902081211-1949630324-7990971481292006361-1565932192529694687"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "580041199-6429724011631068853-2032556409-497750293-546170751-6643764761594742637"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1524414209-1565566299586933227-13555674531710155771-4368589828570232151651853331"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "558391882-1413055927-5938282251791407051-13384220142038548393114645250348134446"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1635760625-14593396861640884458817093921442312935-1783571230-188458139137528012"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "37526532-174688528-471714577-19448544068216409201711922059-1675908580-1620910542"
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2068085509-478299594407842062-502033550-9775328111320305925-1928140072-1220094199"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17397065718599404671030559987-614767459-2135388428-126700593-63606882-349208207"
1⤵
PID:1028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-359401004-920965926577494571794108575628814922297065320-1728473582-1177505392"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1127489879988892121342029739-1373532857-104996871-1141979506-231617470934037463"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7135915341663690365-339663116084292671833076098-2098655160-4217914471917477779"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1032373111-13271290011724892635139528864419757269-3040292282044753365755030369"
1⤵
PID:1212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4875452565173553351349394775-1209637780292438681343771322-440265107188347906"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1858671194-569243711-1315094787-308163941158200263113594042905224960161133507582"
1⤵
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1784772802-1221186972-1396504194907435705-202851792375609881816623942801952650113"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12333211131904737257321978960-6768343741685025007-933633089-1401337434-1627642933"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2115868860-345488238-63074740193482735617759999071032329629-5884729861304269688"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1589207107-104174158918231927301042021159935619034-359472795-7325336321608680232"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6853112462107773446-193358123720216821621521178774-513914428411136479-867664661"
1⤵
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1901792733817522931270766928900274926506955733-192841105207421119-1701930317"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20621430241660288646-51771341657915895853079985-15258571521955940758977499139"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1031308537-465575259-920386023-405159971-1711174639-1118119758-1058060463725359505"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9220547541962490774-1450678586940912326491231413393002082-13738560631685199102"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12706769981037821951-610506389-1734310783239456653173991313470984600-1776670143"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2005991809-19694470-1085328274-1654993167615511886-221948934381866160-149794386"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1106375192-1453916282-737309065649472609-2019767117-1519962765163291593565561707"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1079226055-1218476632086935255213219368437248381887884299638632328534213849"
1⤵
PID:652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1129055686-878175323-1760921341-1406776939-1423600735-395786669-121575273-736940346"
1⤵
PID:2212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1935786003682704011612114426843599651-1096324509-6765630391431437417-1029516201"
1⤵
PID:1052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "406272959-265939308-1570617425344393141-2083809046896706103535531210866780245"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "388770577837451074-1677440385-6380154941879896011-329802066124970527296005760"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-549947837-19789926611913259512303882797-934517115-1401903600-2895053461519932498"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3941794835787590581401218603516920712104263364-1603354171831624549831235215"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-839949862-1891773075-449256501-1290369839196759344320249474-1224348931-1358322036"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "186718615-679722458-4778022701671652769628576303-2142067392857013203310711810"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12352217391043272827286187755-600785364177872593313880270371086418165-45749028"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-167862638211221947888794656414086074731685185643-7700972231905475786133104000"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1313593701787272870289431224-1204371079-20550216752041403070-446897501-2072322636"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8530586081293559777-1145520809-1640846044-160950529-449005402-70364703493493990"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1590363132-247445188-23965813521111022131842281763716338701-18666401891459706555"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-210475481424594390977478863314469851251796880444-1564670933-235293105-1019607333"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3362892981646454527212488300218667343696276555519931880181262347795-341373924"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "152325537-40359894910567328501347592864-20499623591668726882-417581027950162182"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1498072417-136716456219396499551567071542-2074758816-11550250691885303938-335234972"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6055768-76260140-12253238681733204844-238893257-9414119061807028277-214851179"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4927442385150228901782110400746978335-913415450683205290976144081327995549"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7112801401129210304-664638884-12258721241883238647-1492157165-10754696371191565768"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9969166664558944801892269355-240506231971759731632683795-1335854072-163715094"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2719346231810593178-1950436257-2026483689-2013380498589293557-6616733411938781267"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10345460201225564822-834100324-922389554423042660596275298-1359855417530359918"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1984212598739036844-15824881951867194657-902626843590533813-5411821981020235691"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18682660829607079411804668074-19455129761814804564-1207410997-169749882225823204"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-529180207991757737-235078839-3857677921500066994-140153953217088352211977312245"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5122058892073882391-723813983-2072963799-359886752-4310184451510832480-2065428519"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1519545423-210960136712058944861821393545-618059807815108670-1157733499568545027"
1⤵
PID:304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2016645332-1152150110277584874-1918222273-1365733796-1436745797242252380227141368"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1641067199-2147139025209264841854401203-15361974069890423131885977591-529351755"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20172220791182742103-2012548711-1242520880-10578280961443266042-1242730356930958740"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "874918554215096629348875946212451220820865380911851788297-13034538271488950548"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1994780613-142035006299079553-1366068035-14022703721483463771-1639239119-2020221416"
1⤵
PID:664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1315681256141389917-1380575274-19917074202914132201116259570818195970214479281"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1701030273-6185301032029743343731190871564841594893080542-956672310-82022064"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1553446999-1576505734-10802445201760090909404107950118917088-95172942234667855"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "279478480-1299433821-1498197817-18400283051033465214-1615108071-941998699-615467709"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2488942701450004941-310253139663758728-16706933801183757317-12670669991700925561"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-61798067517242931126174113016371076791628297245125229153021001919031049289379"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1233202639-20644285685617203111334636632933199198-127015050-8940892851177337337"
1⤵
PID:1360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1333872575-1442624608847649768-205260404818860447211470068759-536372899361530907"
1⤵
PID:2400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-836143937-325279807-3778151101367412462-707252983-5239985261613594517581155254"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-775285925-469002345-7655082156397852671309657907-1946376763-1336501822-2106605132"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6096042341298769479-7135725471885569978668545558765361301688126672211452457"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1989354856142191500117040692932082878026-205708597-173567118-393031853-1735711947"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-105457889-1135674176-2009345257-1603420928-18558323591476475573-16018469721569413919"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "988991011-361181843-1996416063-729663604-1488983044-578788362-2017922068-543450725"
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ieMQgwQw\roEIQYIY.exe

Filesize
146KB

MD5
73047961ec6f46a3c223a7f310124fdf

SHA1
052a527905b5b10afc2da7418bbeb69ee6a98cf8

SHA256
d7d94512944c78bbd9ae33ea31d6a32511f7d99b06756c62eebf02442187a6a3

SHA512
365a57fa924f202d2915170634646a2d4906e80a04cfa7299502ea7624755a6ff3b69a3fc9e336ed9d244d1788223016ef5930c3440e3c572494c4e2b9381f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-05_655c4e0d2a32c9c40f806582f15656d0_virlock

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoYIokk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEkG.exe

Filesize
186KB

MD5
2f3dc16284fbfcd6cb6cd1300398ba62

SHA1
605eabab8eb148b6a07d250d509028be877f9935

SHA256
dbbee9d768f3494190bb30dd65f7abbaf9262a6067391d445871ae374ab55676

SHA512
73d3ccebc269a3a2e43130984b1c116948334ffdf425a8282e8685aff92aba3e78b2fb203f31e6fd09da9608474d0d005b9c44e789ac12b7012aa47c69eb103b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMoo.exe

Filesize
185KB

MD5
123a964983f58f3a259b8b694065a82b

SHA1
daf53708933449207b3e443e6c9c847f04c704f1

SHA256
94a1581f3d7c3874019a10c16103fd951bf0fb604c8cff622888563651396f77

SHA512
9a90a2f7fc8828e26f90255b82e3c63b9dafd9ee39a70f36d24556af6951e49ef0ae359d4ed08d9ba6bdaffdb821366fc9e1604a4630f86100def50bd053fa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYEi.exe

Filesize
162KB

MD5
f6aaa22bcb5610c30ef5d41e49e929d6

SHA1
d22d27b813f65ea63bba791ec92a9c7c19a0ea4c

SHA256
41f7396034cce2320e7db2021c5f2d03d7bdbdd96860ac96b7a20aef66509222

SHA512
412adef264e3ba1905f6ee2b6941d1594a5a0e644af3165599bd9230bc89523838779367ab940255a5739f8695bd2bf78d37c7bec31fe6f7003e72797bbf2f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkwQ.exe

Filesize
183KB

MD5
80233db05d3003839d551901c5f09e2a

SHA1
2a0ec9fee5b889096c76cf8f31aaf8ab06c4cf44

SHA256
d5fadab3aa6d6ef43d9747c61a1975ec94352186679a0ea5b78aacc0b685b257

SHA512
a40691b61f1bbc3ccd1510d413fb9d92f7d7ad5a729ade7e0b63de6e2b605e8169ce4f4e01a770caa362c966e3cc3c154f710756b60978873fb64c6a69f4cff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsMu.exe

Filesize
179KB

MD5
c188cc2c66fc28ed30341f5a7a9c15bf

SHA1
28647f4e2af529a2e3cec88dd9e942b1747308ca

SHA256
9fbb526082b4e1fd4d3aa2ffffed8104475e2c55e644db7dc295822e5baecc5b

SHA512
e8e9e0d26346739961d9be2aaa205416d7dab9fd78027269b6e8ed7583f35ebc7c943b9d60e496ca713841d01ab2026c8d658deec303d913ee9850adb9bfcf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\BscQ.exe

Filesize
161KB

MD5
b01ccb2573586053709a9f1c681e3f20

SHA1
70e644caf157a902f44738ef8280bc7ec0509d30

SHA256
87caa89bdd15c31bb3875015c8e26c1bab712790195c3fe82064fb6b1e40d531

SHA512
b203c73f2585a52f1bb6fa78a01e7e0a0fc0a7fbe05750d96b7b223f13bb221d2202547fe0847259d8f792a0e319d67ad059c04563f79018add8f2c0f0a3ea32

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwYQogIc.bat

Filesize
4B

MD5
2b74aea5cbb58e81561f4e72532b094a

SHA1
c819f426b69fa0ce629199fb007bb86be6fad78e

SHA256
878d622bc183d81abfbb880b466fe9479864f427612691210d07b3aa588247dc

SHA512
2d359a36a02703e3339885f478c3b170ea3668027349e98fba1acc5af69ff1ee7231af230c746077bbcfeabd6b512fae4f391508026eda729631e93472303abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgMs.exe

Filesize
4.7MB

MD5
86b030e57ab5ff35c25956dcbc5fd8a3

SHA1
a44ab15504775e3fa5fedea8ed1c8bd12c87fe5e

SHA256
d36bb5497fcc732b0c2bc906dbdd12489dc8566810f0f638b177fa35b8ecce00

SHA512
412e16baacc36833edd6a9c60e0292cc20b443afaf8556cedd28de48c9dc2cef55e855d268272bfac7b172ce403fbff4a5712dc0ffb10f5c514183209d48a0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgYu.exe

Filesize
893KB

MD5
5b00647ff1228a576c652dad5bd80beb

SHA1
d6fd26fa5ccff63da4e341129f2ed9d86aeda6ad

SHA256
f984c3e5c00aea50bd938196a8a5a9a405413a1058faf0f269cc51beb4a19e01

SHA512
a77f98d3522df67c2657d876259a88742d45c2ddfcb57b8cedd8060a88d621095932c753912efd02d2a6799d6838d4b84102660b9394a909add77b6634c8e0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkYO.exe

Filesize
194KB

MD5
77ebd52317eeb112126522144c8bfc69

SHA1
a8d7aff5a24e81f1ce019597aca49b53f785b8a4

SHA256
f332f2a31ac5149a2234ef50c1dbc2be4de86deec9549637c4fb489acb072437

SHA512
145b62f42987bbe86859735c210d41082e850f43d2c47ae93a2163a1c95016ae9c7a90bef96bd0631df9a99b0973585d7208c9ffc4faf23bffd5389c68eb2b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoEs.exe

Filesize
890KB

MD5
377c84fd94bc89c5f717b06464388878

SHA1
fb7f410e2c15831a691dc0f2d280d45181205190

SHA256
e0e83078030ebd54a72e40dd4e93b1054c8f03a220bf83ec4d51b34a580bb0ec

SHA512
fd7793da7e6bc95e863c8a42d41daebad907252dd26331e0e41942481388808c96e701e28674b00b202b02b2954ca9323c495de4d47e5d18eadc5643c1f5836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqQkwkkc.bat

Filesize
4B

MD5
f503561b3a08db582dd95b73f7e81375

SHA1
062c9023897ad3b053d0097077ad2530e6e8c537

SHA256
2ef83b55257b0cd3fc36936a5ff515f4142126e7ce9bccda4fef4fc9b744c56e

SHA512
2205a62483222ae998eec834f31c9ec743575bbb791e34e10eff04f59a771077e1df4c56e240e6243b0c7100019c1faa5f8120268672c2f58c537172b92093c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwEEIkwY.bat

Filesize
4B

MD5
ba19e8d45d4c8243eeb98d8b111bd7de

SHA1
bbb271291198abad84ab8ceee3a021ea92a4c1e2

SHA256
f97829a69408b030c7ee684ae84c3f5986e8d12e2c762eb62c03e822c02ac39d

SHA512
4186090fb99855be6cf78697590b7c8c603c29bb4e2f70f92044e49b5e29699f83c0b428e119cb28efe8faa7921f753756b8d6798ff1aa114e637a9da3741b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dwkw.exe

Filesize
171KB

MD5
0add1c2d1338332834c8c9e9004d213d

SHA1
6c15480f1ba048f369ff3f5469872e0fb4587ef1

SHA256
50d26019c7208780b696d6b7d3c001998aef53ffc102d6a6685b6722f1a19623

SHA512
ad556c0600eebbef2078994f3571b19b0e508f6f7b1610a344eb7fc850c07535b5426233f6eaa1516ec0638204b4b515c9282510f8102ea6c1987b4657f2ba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEka.exe

Filesize
183KB

MD5
fefce817ae55add927dcdbca71af3b06

SHA1
a5defab305bb4b0d688fdc992aaa8ff5ab069046

SHA256
3866983b81a1e609d284148303d248e07e44a3696c0fcf212226eee5f24dd377

SHA512
78fff633a076ddf3911be8547dfb622a64b693aba59a2e3149cefd1b4e9381744e7e03d1b433f984abd38c1a66ec0ad2bee92b684265641b7f168f137aea6f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\EeMsUooA.bat

Filesize
4B

MD5
fbf4871e304ffaa074019d87c8503317

SHA1
469af2e88103bd392af9905c7a55406808d82fb2

SHA256
8a66db80f1635db9cba39eef5b7b16e6d94d3e9a94712116b5e10a8842a535f1

SHA512
e395db327259a02a65ffa6cc1024149dfa848da38d37ed8708579b3acf16c1a1ed11f18e8be4efdf23006a689fcb4b32ddb2582fc9be60d61f81dff4901c2088

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqQEgcEM.bat

Filesize
4B

MD5
9e207e29b140c62959a988439e49547b

SHA1
60d1180aa94a8ed4133826881478f5bc8077f187

SHA256
df159ea046459181f00e046770120e5ca619e45288ed33799418fd0e8c95bed5

SHA512
5978337bf73a9e25088a2bd79140f2173ab43926e765a84f77f07a7adf6843cb1b518887e3848891890b1b05f53517d4101ffbadbfc31b8810c508672ac4fa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwIc.exe

Filesize
595KB

MD5
514a91b71dddcbb6c78f1cd2054801cd

SHA1
fc183ebc9334eece3a47bf0afa677b218c154c16

SHA256
770897e939455cb594b7040dff063d438a84ea3706f8e0fb67ada0017bf3642c

SHA512
25aab7329b3607dc5f1977330a45408e79a53fc08d3149ce2bb09fb5a5d36811a71de938989828466790c2c23a10b60e809dc3cb114c3dd4e1f4b8f1127e5c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAkYAUkU.bat

Filesize
4B

MD5
21429ebe299a6c45d9370e33e09d3d1c

SHA1
72c39df3e9d8878e21cad64902d91c611e60d14c

SHA256
bd201029739b22bfa8490134f6122b7b48b3ea53a7eb961333f34067f01fccc6

SHA512
dae5cdae46654dc361294dd2f5844a604e4d3b6c926d7136e3eadc183197f8ad7035f6f48afb0881f13283c08a57fc97ed4dbc3119ba4f538befcf714d974e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMUo.exe

Filesize
177KB

MD5
f97bc69a4f7c05ced1ba9639b6105ce6

SHA1
e82c5f3ea3e4c9bbed4f4b62d8a9325dba47db7a

SHA256
c6f5595f45aa83f0f267dd478fec4363e1cd0b060b8d646c5294b09e7daac53f

SHA512
abb6c27622796a853008472a85691af2c38c6e156d4eb1fc3bbd0e71bcbd27e4605d23401b9f8b45b20d54850456e20f92ce7323dcf58df23dac43d82edd69ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMgM.exe

Filesize
188KB

MD5
8a0ff22fe7446fda6526ae131ca0d06e

SHA1
5d354692ac2429f0a86f2778cec1107f73c6694e

SHA256
0f18f1a0350d17d58e6ff608767414f4a2ec9c7364e87cd6de7a74662acd970a

SHA512
7416c6c7d08952cfac0e982b07c7f2b9fb3ade0f445b5a2ce354ca5ebcd7176866d3253d1fa91a594481073443b7086529cd5fce46bf088fb9006c63debc08c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQMG.exe

Filesize
188KB

MD5
32872c26b6733dcff2db0d72014af3fb

SHA1
1c03d89eadce19ca480208704d561f4bbf4c8cca

SHA256
a880a801bfd4ac5d485df72d8b0b149e5f707f245f9af7f0fa9fbe22286244f7

SHA512
fe6141888053c56fe7018c1879e9d7ee80fd2f4262be2df9bda0aca39dfcdba6b53b703770cd5683f36c00a27c8701c8c026b5e785b6bbc1ca505ee4f304a9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMc.ico

Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCokcEgo.bat

Filesize
4B

MD5
beccb35e6ace37845a4d4e90b6dc03dd

SHA1
a8fef2b9f70dd6b6fdce9074b0e31ea345bd6033

SHA256
0c1bc6b62dcc8fa6ab0213357f336583f28427d44b001fb95348da651ae3a1d0

SHA512
131e70e82e2067544aaf9610124b2809677471dd8123a0c8cf3709072d32aaacde7bf22cb229e1a99f21b9a59327651d4ab2438086a8a1da6f5169040a809e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQoU.exe

Filesize
179KB

MD5
0fd2b3889e3484346c692c0252e43bc7

SHA1
925f4f4872dbbbe266e32c7a39608768355c1c1c

SHA256
297623454c11b6fd519f1f537d685e2877d54db183bee5c86e6805eeaa9649a8

SHA512
f497d8d84a10db50e9e955bec95144add10ad45f228b7ce1642d24bd35e38481d7b7764801ef505a70bc9e148cf2a58b864293d41f23bb95f41bf1cbb892f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAo.exe

Filesize
588KB

MD5
3e75415154dfc2441d369bcd1e606e3e

SHA1
2752dc99882dfcfc40c1558620833c18f126e9bd

SHA256
503e2ba1b1066782b1b5df33b531da99eaf9825f98b8169fae0b8578b95d51d0

SHA512
de46a152fc4e80a5d45555bdcc6656454f7fc3e68b4c9f62ed6d56f27cd44fe1a5a4c0881ab948694857041f1a90a79c8cce7a3fc9b6c6619f89ec12f7182837

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggwm.exe

Filesize
189KB

MD5
d6739603db2677798fcdc963520afd2a

SHA1
9f73708239bb8e9f30e4717af32671ab360c182a

SHA256
99bc101a481d98ff05799ea3c06170cca65644ba5a07e454c2a75cced3833359

SHA512
e6e572d5881ca906f6e9896a30b4d9d38171b0ca824ddd512598d6669b79c3df380fd4445fb4a84535d8e9c8a17a05a8ab5137300b1ffc1c711a47df134fcf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\GioQwQoo.bat

Filesize
4B

MD5
c994f4ed52f3629ba3a5677a9dd9d7f5

SHA1
c0033824d54f280be01c2a833939581b8236d85a

SHA256
169c4e937327c0561ad5da35ed396aa8e33b3896c0422b28c75d63bd50571908

SHA512
7aa40128b0c103b7772063c91059da3d4091988cf0dbe8c8a2db0d2c5ad95cc798fcc825fdcb665cda319d44c567de2a35f0f2c2a7b9dac4e29b8a14413384aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEa.exe

Filesize
1007KB

MD5
259af7f23ad7bbfb96798cf11d5c7bcb

SHA1
200863b470cab46ab6b07a9378cb9801a263020d

SHA256
dad9483bc514fd0aa6a1c62151924f3e62ba6b7ec11c39a0cacbac57732d7570

SHA512
08b681842a3e06ccd4d406971a176cdb63174dd0cadea019268581ee2d274e381088183a39c9f4f573eb2425bd61e87ff5c38db06047f6ad623be2f1bddf1222

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsYq.exe

Filesize
182KB

MD5
9fee13e6008941aafc63445aa4ff6a27

SHA1
ca1d4e1411b00a9cf8db497be0fed7bb329ec304

SHA256
11cc332874b9924ed90e88502a96a3235ef521353f8fa9ff92980b8bba43e37d

SHA512
9c340c17802dbc649a7a77b37f82edc7cc25cc0b1bc1dd579c57168cc68cb5d4795cbaef9539034ed19a1a9a53935a90bcdfcc80ebe70c52fba0a73c99c5b4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOkAkYck.bat

Filesize
4B

MD5
fb7c042057e200d809b2168a182d97f7

SHA1
e6afc2f4406d0cc1ee5bec492e1bd44a7368dace

SHA256
e2fc35252748aef55033208f4b3ac12c18c38a5782e2a6040cb3ca638b631948

SHA512
f02a0dc0efa9242e5a9a4d5a56d8a7316b6bd0cce5ebaaa7414c1d1691582cfeb017cdb822882217f80b4a75bf8c69c46a5d7bfeb309bc70d663348ecf09e77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcEQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAAw.exe

Filesize
190KB

MD5
17086391bb7dcfe2ab00589cbc24b1d8

SHA1
6dd5eb4d26148185bb6a04c38210749558a3a36f

SHA256
a8e115e168ac6ad58891dbeaeecef0b5fffecf2da835d300509b9edd0f424fb6

SHA512
61c14a93d1223269b682aff71f7dcd6c8198713d0aea4db76c6c227bfac83c56f2fe268b938487f22dacf2cd9c645dd4acbc3c783b243b012a05b7d00536d14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwgc.exe

Filesize
257KB

MD5
07b81b4873314606d61cdfddcc16736b

SHA1
672a3c14d62f372f104e5d338f02c78e46e08383

SHA256
22f969841d04802f8b76a02fc2d79826e8573e0d428a3247257faa42d01628b2

SHA512
a6782f1d6b85cb7782e36a46dfd5952cc114556b892a4cc8de6973239fb8e3012b3230af5607388d2b72241aa991b09793a399c9e1b042a0fe43aad38aee5cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaEQUYYM.bat

Filesize
4B

MD5
89b7c4dce4d681b8f5fe368fee579d79

SHA1
e9edc7ef0c311fed309d7c9422093d1f27086021

SHA256
cf53e5663feb04be12059f77a07459bfa3e7639d505fba03af619df4b84fe3fc

SHA512
1f82b7f10d0c7b0da2167f9d4e80c9485970fdcb7de093a9bdc224f0fc3b676d2afa3f8ba9c044749afc13b29f11fcc11d40d55536b34bb231d7831d3d686eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jsoe.exe

Filesize
164KB

MD5
7d6259a5f0ac1aebc0c0bd3afecafd88

SHA1
c262770a195cfa928527681c9c5c81d9c67d5ff7

SHA256
2b95c549424938ca5e0b2ae20eac7d956fa38367db5517f460d68e2ae5e1c0e6

SHA512
a1062ab5ce5b65d74491ffcbee00e50fae7f05f4aa9322d3610ccb1f111ced6be24b07a23a294f8a9788fd357029dede8167287061686c365ef2559f81072602

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoW.exe

Filesize
429KB

MD5
a04898b722633287d2b6b83886e3a491

SHA1
c1fc4979348cc25334198081e3fa93b2c7ab5428

SHA256
4637841d7eae04a1ccbcfe289714fb3759a9bbb57df33f27382c6244122389a0

SHA512
3ef84882b6f94ad31066420fd424780205951fb8e9b29c47b0c142c0373117bbc4354716ee3b53c6466ea476c55ccc168298e079aac85b12ed95661021a35556

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMYoAcwo.bat

Filesize
4B

MD5
32da30b53e8d7e15cd63c16a68017b5f

SHA1
3416d477eea8de5959a06f1e8d20f2636875a853

SHA256
4a5957d24b7702b25beb2032c25a58ca6071640c606972c7c8cff17c3d27ce11

SHA512
6e625b0c55519dcfaa99e05c2f342417bdaf77579155b61564f228a7b73f5323d23d8b066bb9b751a52f75ccd1fea6650de6ebf7b05203b81b82cc89b0b4629c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUMm.exe

Filesize
734KB

MD5
f6dd80f5f1391d8daaeca11d86a33e06

SHA1
cf13998e233dd8879014aa1fd5a7cb3f778c7c03

SHA256
ccd3020f0855626a08e871aa4091fbec9d1b920f8864a25e5985d5b5a9cb8aa5

SHA512
2e543ec06818b2eb249838609722f8884b3176ad24d1d4829c1136ace01ef7764cf147e0be90051c809d6a45cb50e720b60069c2b864b8af7e035a26e873f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYgy.exe

Filesize
587KB

MD5
be9888640a65b18ad24acdc5ac5b1d9f

SHA1
3ce09b2779d20bc157a3b64b52b260a7b3f92c75

SHA256
efc2d2ed98d12b0a60603bfb033d9fda93d03d7bdd677d836ec1211f75a358f0

SHA512
6aead72800cabb4245bafa010e95c92b34ec7de801c56807b08d38392dee2ee1fc9ec5a0ecb4348ebf6285b777443e9e61409cc23de57d2ea080cdcb61bc4cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgEy.exe

Filesize
733KB

MD5
595adc512380fa0223c9d6a5bfe2577d

SHA1
e7dd10443f17f9c426af8673c616b7a0aa4ff256

SHA256
edf210ec9e5502aad8605dd23107f7564d6febf5f6686bc027a9d15db61b9ae9

SHA512
7a2bae959ff60e8ead3761628642a4655ef2960a1b472f5e7c44c2ccac95f9298c4d1f8212463f30e7b1930cb2365680ce21194604d4a3843319f39d813f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMS.exe

Filesize
189KB

MD5
8f5fadd587d320318491238d2a33a573

SHA1
c83efbafe177b9a490ad07da73cc72eaf00d528e

SHA256
ad0fe9416018793959c6ab42127d5a72ab75759f15f0b782114981fb79e848ee

SHA512
e86b6fcaa65e94c5ac14139bb28f43724ee8e6a258d92682d2621606e00919800e4d16d67c2dd40bd49ad31e9c52abe547e9961a567ebb49561cd977e898266a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kski.exe

Filesize
175KB

MD5
14ad007f556947e26c05a424e0158ea7

SHA1
a68ea804b0aa84d8af9a505bc2513e3d74ee5afd

SHA256
6381b02a17bec5409de8553548b7800a12d1619640caa0ac893ac724059627d5

SHA512
11b3ff7eadfd49be8abfa4eaf3e782d9d469ea33d119297667d0688cd19f4aae61577c5e06bfbb64222d65dc2f8b3b17a8d401eded20d83577f4f43b9a7049cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LooW.exe

Filesize
193KB

MD5
3cc0a7007292d78a5df1d7b56ba02d9f

SHA1
8270dcf481b1c068b6e4479181e8b1692c007caa

SHA256
05a6951309ad3b9d587fb0594d8610a54d0966cb8113cb6f43641eefe15726f5

SHA512
fa210cfad2cc150c448398dcb9ec666643ade39923766dc9fbe3f7d9391c784c0281591a5bcade83e6875cac90bb97ca599694c0db50be63e067798993cea669

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQYA.exe

Filesize
672KB

MD5
ac9d53ca39f8354daddcaf58fb5e8c15

SHA1
0f3f90c130b2a933b3930bbd1954fb828fdcb8de

SHA256
9b10f90ab2a217d7ac06f81744540f4edba48688f42f4a1895870e4b889f66ca

SHA512
06693a9a3e01b4144e30cbf12f8bc84e132213a4ea30feb98f54754f768fbe81f8b0c10bbf97336dae9104f68b4642714b7f19dbd014fdf4134416997041e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUse.exe

Filesize
357KB

MD5
181c561411d99de6065a81cb5500d96a

SHA1
6076f084f38cc263969b265c6acd68b5a7029b85

SHA256
8cd6e0268273acedb27285822033dfa0c5259b837be6856f56538f084453d40a

SHA512
cdf56c60c48835feaef853061cb73f3d4f68abfc2d92a8befc8c95f0db2a6245d8df8886a1ed8ae3fa02048616e9eb21bcd9b8988ffcd2669dc9225e2fa5c3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaQYoEsE.bat

Filesize
4B

MD5
ae3b3db0f9594fba9459e99166ccc6cc

SHA1
6c7501af861b5c4f64980b2da9650eef3396d4d4

SHA256
218e13eeb95dcf2aef3f748dce32c42a3e0b96162c19e1a0ae59f65ff2f375fb

SHA512
0cf8751b07b6a175a7dfc1bb20546e86230e2336b2e861e2695149e90dbf02960edbcce12caca8ebbdd8a6cc0d90ca64e1549377a6e4cbda231097e075433570

Download Submit
C:\Users\Admin\AppData\Local\Temp\MocY.exe

Filesize
989KB

MD5
fb8386713db561f5e4c3927dc4d8be9f

SHA1
54f7d0db01368c878b763780a079b738bc303cb1

SHA256
53965521fbf608e7925d6da0610426f01577c2086101edc9ca90602b1e93309b

SHA512
48d23641e3b74a918108cf932b129f154f8088cd44571d8061fd61de65bb65eb1ae08b0c3c8dc6eee2d896d329fa83db3b6298d8ed4d5ecbafe52a456e38f8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAEI.exe

Filesize
176KB

MD5
2c554264d8758f52d5366cdab16b2b24

SHA1
088954a5701a9f9e695a6a57c77e93d8b9ec6b61

SHA256
333b079f84fa1bede71e60849d478db701b17ae63393c44db9717cb27d35a3b1

SHA512
66af70e4f391ffab6fa062afcefcb8d58345c58beccb83e2837578787da4c3aa356197f957402389fcb282345a2eac96e19ba63e8667e87c053af07b3fb3bb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEowggUw.bat

Filesize
4B

MD5
4dc27dbec157ba131954556f49dd3117

SHA1
4ddd6c6299265c78132412025d79352b3a287d0c

SHA256
f5a83d8250a46d13eb921218a146d06f1d2edab95cfb3fdfb79d477a8d5a0c20

SHA512
766bf9704c342dd653861645f37274590c7f3c52cf2f0cc61f4724a6c9dbf763d05d5bb3ca060a42cc42639d7ffc15dcbcb9f71bc1cc29afb27a2e373c8cbabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKwkEIMw.bat

Filesize
4B

MD5
78e81cc1c409136875d0e7f7554ba14d

SHA1
42f5a897e3244d4d88a723ead7ac29a4ca3d0dfd

SHA256
f11c56b3504406febbf29ed4e203800ebaa580ec7e2249ff7e6f26148bc49b3e

SHA512
c61fb7007ed5b3b0f1089da0ad16d1befd84cd2036cadd1049ebbf5006c2b878df905b87431424abc37827bb136789690c95e2b68aa7018faed1e9b221eec096

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQMU.exe

Filesize
4.0MB

MD5
78faa641d34f29c07341756b363f1613

SHA1
220bddf6f5ba61d5da935ad1087daf3f5a93bf8a

SHA256
b35ce2254bb11754dfe1076c2c8aa6c4abb7c0205da6c873f73c197327ab32f9

SHA512
1da6f9471a0e4e8ba4f1b8efe625b5687d56f7e9d4179166a4c1e49e7bf95c3935d0f454eaeafa8fa6f1f7faa86971f792335f6768a1bcf2ab9c80f8f2945d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUMEYocc.bat

Filesize
4B

MD5
a658f1a9571632486a6ff377d58462a5

SHA1
f7be212529dd9c93406815e4ed379051ac5a452f

SHA256
963807ad2647089c8bf747587e36f42634f5aa0b48da6d4fc5b93708e1ff459b

SHA512
34e117fe6932912c8ce57ac05139c27eb77762492a1448253b1d05031d4ee762224c4d772201496371b22597d81fe0685dcb25e6d9196a1807e46f3fc5bb279b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NokgkcYo.bat

Filesize
4B

MD5
e07c910f0df628e3993a902835e60489

SHA1
2f1faa8b8e7c88c1beb7869f906f3193ebe0e66d

SHA256
78fc0af3d384a8ce2d629814ab6e28ac47f39246d31a44cf70e8855fb3aa089a

SHA512
f215ab2588bfa7733e4dbf54b439e3987a5469a079cb73d0a23e190dddd40896340834b5741e4d6379dd1b3d40f9a2f89253c3b5f0874b978f47a9f290a65178

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAwQQAow.bat

Filesize
4B

MD5
4f0deb57748e708d5f91d3486c60967a

SHA1
30cf3e313678d692a040bb5991822f8e7b8785e6

SHA256
ca81746011bd3744207d474a380ad9bc08adff00aafa46e4519ea93c1dc6f31a

SHA512
04f14766719ef328ffaae4155bb9f44fea4cf6997c1e987361cf752f7ffb8a9942968bce28ee5bbd42566f96759a928dc7bd37d958d46eccf784d20a44e836ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIAK.exe

Filesize
182KB

MD5
e6f2462855ce49d9461726680c316b27

SHA1
ce12d8908e0578b47386809c9cc7c6a4c86e2086

SHA256
c2aba0044ce20897a665592456c2b61456defeabfcf33dbdcf865f3f9d46e4bd

SHA512
fb0a593f8d65f0aa8c0fc97a4040144b10985d8c88a94a988135093d458a7838a9fc71e193142c6ab6c8f434b277f465f1d4b9800a04087f01eed2b998ecd31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMYw.exe

Filesize
181KB

MD5
80a36cfb64952f067004eb1e364edeab

SHA1
3d9c38fd712857ce1f68deb0c32e0bac82735251

SHA256
d299e4e541daa5acea66e12fec99fac79d809a2ce03686551e89a67d8d0d1183

SHA512
70588f69ee680a572d9e743fe094d7fd27f9d796572a3dedffcefbd53b69f320ab8e6f4e87f1c5e62c7653200cce35d73132d161fc255bdead2ae48a330b25c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OagsoEIo.bat

Filesize
4B

MD5
8deca53ba0e81ae730b7b0e6df9b4a8e

SHA1
cf5f0c7e3011056c20a9b1e85c02f930519734ab

SHA256
a3e30730a6d82cf0ecf9e220ddc005951c12d11296661c51f773956b6ff378ec

SHA512
ec6643adade318a36f46f742bb7bcd07f041a27d3c8341127da263898434f09f1dc543c92d4d853076b748e90fffc9821667af604bbc1704430964c5aadfe605

Download Submit
C:\Users\Admin\AppData\Local\Temp\OeUwwEYU.bat

Filesize
4B

MD5
db6aa324d4f2f5588bc4fb41777258e6

SHA1
d01184d856df93c8ab95b255ba5c24614e45590e

SHA256
5627efcbed7a47519e12746f680e4cdd11bf40bec98635aad129565894d76ebf

SHA512
df8054087c9a0a28d3b918fdaeed3d72bd3c8986032858913077823789573d2117a438810a67b379a66ba1abc29c2256907c8b11f92b5c1ffd968b6abfd2a255

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAge.exe

Filesize
187KB

MD5
7aa5e76923fbca7ae40d7c306e64c50b

SHA1
936442dae2aea37074436f00564171c93f98ef67

SHA256
482fc7faf12ab116f186bb14dd8437535fc1c695894a53f10af118752deb8bd1

SHA512
62a4a98789a157336f94ceab8629b9b111b71c4a65a035adf928c577068e45395fb3dbc0e41c7825fbc9184faeaa4e13ffe536ad4180963a2d404976d2d26f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUso.exe

Filesize
524KB

MD5
530106234242c35b3638e07c612175dc

SHA1
cf7ab135e2ede3d5b6696f98086aae08d0e45470

SHA256
0163fdc4fc1a564df479d140004b7b279763a8ac6ec619aa1ed694a8561c34b2

SHA512
f1ffd292086a531bc05995567c5e7e764c1f2e86d68efa5d5f637b813e12d735aebe5c287fbd2170ca90a3ed1e838a6f88462d76d8863c5bdd9b52df244263f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIow.exe

Filesize
185KB

MD5
a7fc6d0ab4ef5916173a8ece6351185f

SHA1
7cd853eb6726e7b8e87c7565367e9ecba82341ac

SHA256
20f15b8b7f552b7e348799be15f8d2c3a85d5bdd3911cff3a64c91e43e6c7270

SHA512
f96ac65fffc43218846650916008caa1e923fdea0a5ef52a676ebcb5ddd074592b165656339f3694fd904da679e0bc06274c5c04174c57033471811c927c13f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMAk.exe

Filesize
185KB

MD5
268925e14c3ccfa373c12d4fe380badb

SHA1
a494afc7304f0066e6d63ca4a912094c6b7f57f5

SHA256
016cca970e68461f62da5ec4c61e4d8ff13d59f91133b02947aa7951bdb67f09

SHA512
8d3b55c215dd27382bcc151a994173c7fcd4353fae8c5ccaa989feaa1a4f468976e42ca1abae425710f4849ad46429f594a13262838b50f3af67bd84e31d8364

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMIC.exe

Filesize
184KB

MD5
8062a3d99d59fc3342a0edd11995165b

SHA1
c6b29dc4ec1473663737b61c3259ec38147dfcdb

SHA256
2618b3af0082938dd776857a96412bc2b1d5e200ea53c2ebe6f96e6132788342

SHA512
665eb95bb40f5eca6845eee201178edc61fd5efc3c7d71e45db4dded341a63bcf9c6475344590422ec370317d30b214c4dda970a1da9f250c7ff287735db7f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwsI.exe

Filesize
190KB

MD5
2abfdb6bb4de547c3d8a582064074720

SHA1
401c1a32a9e76530636f4819e08015a5e4940e58

SHA256
8a40f06e2937b5e0ceb82c8160153e6643e8a38792fb7b121db58c777e0df18c

SHA512
89e4da9ae1cf81fda16ae9de5adca1a4da0b69451ea845f3ffff3fc5fa4e4ff2e2c305bd47a1998dffe10949fe1e1cbbe1445898c8cf28aa09ad3815f5b95851

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyYUYUEA.bat

Filesize
4B

MD5
d15a779f890be971aef8f91918f6aacd

SHA1
8a9e7ef2d4ae2e1179c9c25fa83f2746e180aa7f

SHA256
eed652b9c3cdf627c17b6f2a712e880e6af5632448825c9094e330443cab7292

SHA512
266eec1917f988b666fa92217bd961b301249931f470b2b1b1e06646a68ba9dec7ff5031b193f164d6e00628322a10914ac530142cbab0f7a88bdd8fe020af67

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgG.exe

Filesize
176KB

MD5
589fc8b89b9806f55b0e1a8dbc4e7a19

SHA1
d10c88c5dce241abfac95ff5e976ec67d7a2c000

SHA256
f3691d9cdf4a0599974a40f3d457c4afa9504ae5b25eac077d682c2892062179

SHA512
f19e1a6fd290015032000e288d0eeefcbc32763e65a71bdca49f103fbba540dd72e58576a8ef4357a0529783566298a5ec9b809f44a4b70be669234a58287441

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEe.exe

Filesize
762KB

MD5
55a893967b7ce0ee71be975789d4dfe5

SHA1
9c47de56fd561139c9c788c351106cf34740b9d6

SHA256
9b430d9412b4c974d08ed036d36057c53d34d2125271b8a72765e34f11eb0c3f

SHA512
7e4aee0125373c1821d3a40e0dc9a134b0cc5a13ac4a68a3c9edb179372ac9d4d65669eee54981ee4d88301c7931adbeda5976791a7f8a5b4bbcd878f8347902

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQW.exe

Filesize
172KB

MD5
1e4bf1b10a33b5303440d69582255bfc

SHA1
024d7ee53ffa1acf077eaf17c0d029bc2d1b9f9d

SHA256
a6a8071da6a69d75a1f65cb37f3b62dec440b7791256132becf9f77177bc4c24

SHA512
036d27c792256acda205e3ded906b2a49404da27a4e4eace44acda19ae68409a496ea7a767608e1f92a2d0b491c8e06406a3899dd670abc423554843ca8344d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SygYgQQI.bat

Filesize
4B

MD5
d5f512c9e5586ad8e276091b5c26ce48

SHA1
a86a26b09dd52a36d2a34220cd6d814a9c98cb52

SHA256
8ba1324f01766ac4a1737d59f69bb043d1a03173e336c46f5896315a9fb65915

SHA512
133302daf88f309dd99d1eb9025b4ae95fa69bad557fa853e41b24dcda74e1be27b4da68ac7eb67cccf47eec8b5f4c8cd3176db2b333276dced506bce03ec4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMoI.exe

Filesize
191KB

MD5
d7934972630e919056cb786620051870

SHA1
d9cf521d45dc378cd161e0d1155e9b94360bf36f

SHA256
54fbd72d18bb57117f0b46db895afa5a97910c59b4fd3062701623baf95f0072

SHA512
c95653eae36954dba9518378f8c3c831fd8627d2d7fb0fe3a8c008f74c186062816952f70c23127a4056870d6c82249c3ff3cd43a190d2471d0b6c742a5660f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOsEwwcI.bat

Filesize
4B

MD5
10506c3df68f955b2974b445caf02770

SHA1
ec3fa4cbb4b4e34aa903b86299579edd4da3aab9

SHA256
dd39e7d489a34a0d0f59497576a243b173c4797afea7e266585abdbd79986c88

SHA512
0dd36f5b5ff0a7495ce65f2fcc274a4e28c74eba24e02f7a329252f808ccd602a0a520957fa9101fe52394aef5fba3c7e08fa3cdde279a0c7f7c0b17e2fbc32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQsk.exe

Filesize
178KB

MD5
7a4d3fca8e7f738a87f7bd9560c0bc13

SHA1
6a8cb44a01a54bc8b9614edabf5f95e7558467c2

SHA256
157e015d643d3a47c6fbe7fce1c88b82a5f1abd26dd31ee4e37d5ca7209f5832

SHA512
ef2019362f488b2109a571bd5b3263a5199f463a33c92d14cc4c06e9d0521efea118314f9c34db45074c78e4309df1fefc864f0016edcfe4bac96e0e82e53185

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSUYkYMU.bat

Filesize
4B

MD5
e3eb335d8c41d14696d5ea1e4d4abbff

SHA1
28fdcdfd89583432ae8a42089b3961312d00da29

SHA256
411c43d7ff0b339163370eb40b462b4c46b47b89e11d70352d508f9cf4b1d58c

SHA512
7900f1e9a74a0ffb2749c24e76d3496c7242dcd68eb15f57778984b71ea75696e6cd58221fb42b5033c89d1b44e22d323dffd715d4202d2cba3ef7e1d1bbdc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgEUUEMs.bat

Filesize
4B

MD5
f86a92e44217bbd4ea281cccfa58e272

SHA1
0d217e72507bcb65d6e6c51ff27d3dbfe3982aa5

SHA256
a9fd49b647588243fc338dc9811541e017053f80c48c4357410750fbc3138e80

SHA512
a9aa415a991e17ac946dd8eadb679bf36ea99d3d4784c63630161e9a8f1b1f9c41442600dcad7263e6044ddb4df5fa66d5126a253e04c7e4e18a2c7d99182073

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkkMYAMM.bat

Filesize
4B

MD5
f6b84f68f905de88e1e53a97faa9512e

SHA1
073c2dc8297797fc2c82c8d4426db00feb2d47f7

SHA256
0e98bd8c2d6126e35284c8404207307857efb859c723c10cd0c938d903cd2034

SHA512
f2856582b13a726f291b8c7fe3b6606368a1e82b3325ee7e1c198a72a5b7a73c220e2dd3a3ba7d0988445819ddf3f8f12a6838bff9c6d7083a3a58bc6f242237

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcUe.exe

Filesize
186KB

MD5
006b7079172f6c4b410b4d3d131d5fa2

SHA1
a5867a42baf688993eb660a411c8dd8a0d9869c6

SHA256
640ba466b7e427f12afdcc6801e2c6ccd262eb699377eadcb8e616752231acf8

SHA512
bdc895dfec0bd28ff12b6647ad25a69a28da24640220c55c10e9b5a9e040e66ebdb16caec8f972de797023967ace85659aa89e72c78841da2a6fdad41d3991e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgMS.exe

Filesize
195KB

MD5
56307d535ee8d78e317cbda45b0368bc

SHA1
f7ff82bdaa58dbff5f5b42f4afb39ca30b14a035

SHA256
29c4912d0e6c9f5503889d8d8bb9ca54025c5362cb3c09bcf01f896c334544b2

SHA512
50ddfab326ed4e6ea4ae7102384781f3cc7299b8f90d58321a39e56744b9a6a5fdac0511a4d9aa6dbe26011530579f22389da8e4ef5d8de14c100ee85313c8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYy.exe

Filesize
791KB

MD5
1b5e866f6b66f9e5189780472eb49214

SHA1
b3d8a4f075c793cc3eeb8be65473442138ec025b

SHA256
a6d2ef0117243b4b471ad01bcc675b2bd0f5f0cdcf18e45b0024abaaee7cccfe

SHA512
a4fdf4ba9d523ed7234e25fc73061535fba139d7fb0a266b46437225454b7ae6bbac5dbf02666036125f7817f69febc252cd0607131f1de00394caa3d96ea222

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYS.exe

Filesize
186KB

MD5
aa3416e71b6587f1fd650e5b7fa9fae5

SHA1
869a9d97e4dd41613a89955d360bc91db5a72437

SHA256
b61d2380addcba11c27d4829bfcd963035e91916045c0cacbaeba17dafed7426

SHA512
8c09f3909f5d732379743c763a33762173aea223a13cd6be4578c89ce79daae964b6d64543e156b817af23e075688b6fd1646db996097796bef2fe556bddeb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAu.exe

Filesize
759KB

MD5
cbffb21b7f01205c8caa5e680249a9bb

SHA1
b02d4d87da7da4076cb734f93944aab124d0fba1

SHA256
774f89e86df471fd7d6122ad9d4a1ffd51854ad0a42edf16a8a1083887b50fb6

SHA512
2609ee76b782b05ddfe75844a7eb3d4de619f19e77123ba0e19d1eb490f18253835d1b40ef693fff3c998cad35c786f9f2dd1c32f1953402f26cac05a2701432

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMko.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQII.exe

Filesize
195KB

MD5
27b155aeb22901653cec3f26e0ad1e4b

SHA1
2d71a717175cadfe49d7a8f631a8f00a92169588

SHA256
d60f1a7dfa3c730545960ceb58631ec6850c49cf730cff8b81e2d3252cd20ab6

SHA512
528579289cce60210ff0f1c498d4f22c7de7ddd2e98b048ee6c6934129da79ba34d600fc25d56ee866bf764d20732c61f19b6f35320ca35718dbfcaee82708ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAU.exe

Filesize
588KB

MD5
30408008622800c95793e59d755f6e17

SHA1
df96e1dd954a976be40d569e01de277fd48ac294

SHA256
9ba5ab668bb810a6a4f1acb5703916d650147a27de6ce680baefc5107d78ed8a

SHA512
658908252fd684baa9577b90a9e2313a35214b3fb95543fefde12f7d2f9e08f946fce07bcad474c04e8caed0029365d23d1eb7074a80c3011518cf7146575c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUO.exe

Filesize
184KB

MD5
1f13b7e498f29574ad0bf6fe6c7cb082

SHA1
2ee5b3ce3f6e89bbc26ebbe88a29fa9c7bdb167a

SHA256
f7fd61ad4d6fcabe7ab1fef3995e25ba3d844e97346cae154feb4a8fb2c090a0

SHA512
6ae433fc2af86a424a34c06b8ba1dc74180f375e05494bb5f45f724c9a0b4eec019e3878328e79f63210e34ff8175204dce1e64550445fdb091d3fcea70c7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUksEwks.bat

Filesize
4B

MD5
41b148a48623649a7d881c72457ebb24

SHA1
031e981e6fb95779521bae805acd7fbf30152f01

SHA256
b12bef78b528e363228f54184a709d7a2b0b5c2009377bc84d27e1e3a059ed2f

SHA512
35d1d541cec35bae90d21bcab9df57d1fb961ef3801a4eb31e6b3a9a13cfe43c4c8bb89984a64b4f466dfec20f7fa29693c54060435d8dd5271e34a6762f0279

Download Submit
C:\Users\Admin\AppData\Local\Temp\XegkIgcU.bat

Filesize
4B

MD5
22ea8615a6b175f1cc30ee1f26456bc5

SHA1
d19680063563c661108ee6290f5fa489f29c850f

SHA256
2a37adb91be120e688771e364dd421cd5aa649097b07f7dfc800d08a0ff0172b

SHA512
800ee97c32de50d64a96ece8b2fe0b715803c84fd08536ba801126699bf6061533f9aebb16b9585f739865297b14a36cdff0d9d4dd9d63e8a21f4c2e3a8aa53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkEE.exe

Filesize
183KB

MD5
8288b01be4ab97b11e309eb22a25d9b6

SHA1
d7b88cbdc85d3b64d2b6351359ae816dcdd5c974

SHA256
b8eeebb0e4d6107fc2c1972aa153d5dae311b2c6a4aed7383d1f015cdb7312b8

SHA512
99249faf94c3730d11d483d9e92828d1b8b7fb803363a2664a53e4553c19a3578121ef8a3884b530c049bb20988f2391320f582097e45181a31ab3ee1fa3b3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsIc.exe

Filesize
188KB

MD5
48254f18d1e2fccf4bee5947619f3aec

SHA1
2e07968f3591c2db8d4d0c30b0edbd49e99877f1

SHA256
7dfe13d72808dc080939071578d19c52aecf60926f57e6973c9545c571ae3310

SHA512
2e0862eaeef8966818acfbb7e13054e24a935dd60c42bcb8f0155dae256b7683e4faaa2f4fdab8f0cb9edab860cf93f841dd7f3d7c9700fd205d331ec1c43389

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwQC.exe

Filesize
178KB

MD5
066470e5fa09d47bdb0f0f85911bee97

SHA1
ec1aa5fdfd838d4236f3c2f0fc0bd9c39e91d5dc

SHA256
81d8a7815d28a83950c18c6d0bf3ae6a9f93a41e87f1819ef728cf3361550211

SHA512
7f8a2f1aab87eca325ddc14ec22d3dd7d21219ff6eee3cd55fdf5820a1174398fe8bebe98e9f09e3300a97e7b7659475e03d127f2854e688a672724ffe34d6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcIIoAY.bat

Filesize
4B

MD5
c8c54d648709ebaec7ef3507aebfb89d

SHA1
671b8ef649e391ae58ec715128a998c74adf5703

SHA256
8809177601deb85e07e8a9724ac50affb46d99e06afc93f81014c6a016d54f34

SHA512
9befecec3ce327afd30c330a733813ed7d0803c2a3409237dd60e24b80740a57c242f22ad51b6e35dcf6bc2f9921ff31febe068a32da4b1072b33ed9b52fc63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSsUUUkQ.bat

Filesize
4B

MD5
43c3675c806888114390f469246373fe

SHA1
09f04687c753b95720ad52f4c0e30561e0926f77

SHA256
83f3663599691219392dc188a0353ecb52df610ba70e26a2916675b9d1144dc2

SHA512
ab52052e1c1a63ec218e6d0ba358e3af53ea41aa1c7f1ca6676ca391c71f71b91e7cbfbc1fbac92f25966865c90757c5e1852d191c8ed2a2c70eec711e4b9fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yccw.exe

Filesize
171KB

MD5
7c3517554380d88dafe908fca1b22052

SHA1
84d0378b87621fedd0f0f249aad8fbad182bbbe3

SHA256
a708770ae07bacfe7f3de5043fcf019d60ddfa141271ea2e4747fa6c73cd8de7

SHA512
545f2c78249a1ab95bdfc74445cdcf5a6c4fd055437bf9e26e82af6c47f7f37af9484fd51490ab73b09d81372c148074b38dbef5d93e7b3da589e82a7bcfe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yckk.exe

Filesize
175KB

MD5
3a12abccf8de4bb8317a03807f6cae7d

SHA1
bc60a3f125ae8168101f32deea7317baa23bc2c2

SHA256
a0916b54a6c6ad7cfc0a9927f1e37da6e5f1a025178508e613676221ac3c197f

SHA512
f8346e1959db076d01090c9e7207476b64f864943085bb5d88bead036ba0c3db328e32edec44e53b294a448354fc7050fbcf5e095d23c6b767bfd645bbfecd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\YosS.exe

Filesize
191KB

MD5
53939b7765401556066357ba8c08b197

SHA1
ffe46b5c4b887bdadf2b3c17bea099c320e70d85

SHA256
949d07090072dcf0248756f487b8b5ea99400807ed03d504f6179aa6a5be9c0f

SHA512
93c4ec9f7d5211354d5e8559b52e6ed6faf90a0ef2196e9f73ed6c2f0d6fa2c06da001c034ad03cc0802e2426f1f55a6148a411593e7ec2341064faf19a59b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsIS.exe

Filesize
193KB

MD5
eac8d0a7b0ff6a95d1e2abcbfc9fb9b2

SHA1
774341b959270579c4ced8b07cbdd3caca5958fd

SHA256
39d51af3bc6b494bf55d3a6e421a36daf6b4579fd373bbcbfcaedddc5e149ad8

SHA512
6869f5b85ec0574c8a8674690064527a061d3138424c6c7af5ab60cfae4b513a75e49b699cb3ef2cff2fd060ce20399783a3d387236e0a136ced03da96195110

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwwE.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAka.exe

Filesize
175KB

MD5
901d3c792ac9eb8aecce97b7693e13ae

SHA1
00d30be5396eaba20b83cc1e2fc8e55f9d2f4fbc

SHA256
296e2cbcd50d175a54ec196afac19b89bcbc7701ba23f8066f377102b5195c52

SHA512
334071b6c97bb9793b5473c8593f99ea4bdadb89193770d627985fd17effe2d11b65a3aa41c7aba6eda7ccf4e4646148a8d719a635dd61cfc3334eb52e485cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQcU.exe

Filesize
196KB

MD5
7d5ef4cc8b4e12a46c9ab0bf4d6bdfda

SHA1
efb29a60d872d868f14c2c381b80849964f6a158

SHA256
ab9c0e995d1ba1453e222c6abf22929960927a8c5ef535ce72aeee028dd6e5d0

SHA512
e8536861cea50fdafcfa3de93d4d6d94701b793a7f1905dd194aeca5343f7eaf67fd11c85a427393f0a4c49e6629102ff87cf708685a60cee17c6f7d3c783949

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoUu.exe

Filesize
173KB

MD5
d927a065d2ac822dacbcc014b9907445

SHA1
78bcbeda5e5e3d776f2d8ad50799d08617b84e0b

SHA256
c842db2ee4b219fb79fb1b6d847b0282dd44b3e232576a92da0df0364aebacf2

SHA512
96a4d551c6b3a259005b83a4fd65512e4fffd739d9ac8fd4869e3e4bdce590fd3be22829ce339781297e4de9fe0bc80d3d02f8689f603b5008a0733d207f907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIS.exe

Filesize
180KB

MD5
0c4a31defe6d350f3ba6036f9c4b815c

SHA1
a9aa50255183051bb1210977c3cdb2b586dce629

SHA256
395d8630d76945ad0e442fd57f2ecb575b9881e0453bb8d6675219ed6ce66971

SHA512
0ab887195be2ebb9baf0952de915034b531b1b01cae80ec6866766da6b7a2157cb7010fb5fa74abd6cec9470b0086b521098da46ab18bb6ebf7b6434be2be367

Download Submit
C:\Users\Admin\AppData\Local\Temp\akMa.exe

Filesize
183KB

MD5
fda8133a3b0598f837fce0bafefeebeb

SHA1
0a1dd7955270b88556e69651f9302b7252229103

SHA256
5f66fa13a371e5d7355e5c622d789adfea7150d7d3d5b69a7da5c5446169fc42

SHA512
e0f939e359c336487661614ea12db34515182ea8b08b1a1c14bc3bcb0dede42f710355d6d26d72a42165ee724f6895eaa0dd6a3dbc2f58e58bee38e4d4213625

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoEG.exe

Filesize
175KB

MD5
9e33274bd817f24d30b66d39d9d13d96

SHA1
29b042d4ab17321222bd01871218d07ceddb866a

SHA256
e1487a346e1dbe6ac51fcbf7fffff2294b57bc9d9e844c5126febdee57083dcf

SHA512
69c3511c0d42b12caa2d25262a5548831e2fbe85f83e72f324d53c17059fa90133c3c2496270a4743b2b9edac4916cbfbc1c8097c8b12bbb5029547cc0410ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYscQkgo.bat

Filesize
4B

MD5
7ea43b256f19acf3b6746560058b2f37

SHA1
21e6f354c8101df53b351d91b1a6a0d8c7e69115

SHA256
4ea0abac481574172995a93a676fcc920ec73e37f2567cdac3fc5378ff72411f

SHA512
83f41437d70427b32a034bfbfd9428f8c98ae2ba2ed40137ad62e56847e2d6e56ed2fd5e4cd3cd8587ecaad28e5cbcc9b364d8a4b8242a3701ae2c83493c08d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\biIgUcYU.bat

Filesize
4B

MD5
566811c2be523f4f574755ae345a08db

SHA1
58f5394235aae1db3c006ef396e1710b0240e95e

SHA256
34593a11b0a97d1f9d674af6974904eebe7fcfbd8c702a0491bd4b71bd6c6d49

SHA512
386aa0aa0649d32283eb344e7718e778920eb6a3c9bb723b4395daef36c161ba0c8733c197f1f4cfb9fee84b80a08b2af77b6f38f8200f1f7dfe353e8ac703c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bowW.exe

Filesize
187KB

MD5
b00179abe717f70b1d4f4c5f9c5f578d

SHA1
18312ba0e40d9564fd97599abfe6ed732d41c138

SHA256
0bb2d6a31f0fa44bc1d67d48704679825aba41fe65baecbcb11326cdd245d00d

SHA512
e4939d1eb2904b138686e11cca985adf8744d5aaab8c23abeef6e5130000529a056ed616851b36d853808aed80c2b622aac8d7a916b610341672468b67a3f3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bussgQoE.bat

Filesize
4B

MD5
e57167c19ed4b7c62a6527f85687cfab

SHA1
2dd1786f9b6898e7334b583092405683ec0442a4

SHA256
440a19fb3fd6eed4321a5389b37b0226bcf38c28194069dd07c523dcc0552096

SHA512
17cdcbfc3d42747865107de9b35cc4db1fcae9f4dc9d2ef9ea6be41c7a14643e5d5abfa1707a5b386ed897555b1dd51f886d14f3910b2e6f521420545a6459ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCcMgMUk.bat

Filesize
4B

MD5
be7a2899fb55e0aafec5fe5f125492dd

SHA1
6a8ecd15d8f29f6bbc408aad31a5ab63797a0846

SHA256
64061caa13e0dfd7144155f98b613f04fffe6733e6df18e45651598a93b0fa2c

SHA512
50eebcc9aef11abcbb676b8f57ac921c5af36001d93db2679f12b95a5e1e002d1670121ac1815b09b4925e3fedba40d9538dccb32afb001b819b7a41a3687f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEA.exe

Filesize
768KB

MD5
576b062acdd49435f3d842ad0c5d4d60

SHA1
d6445d00ac775a3ec92193b4682dfb6e8919b6fe

SHA256
1252bb862acc4d5dd7df2a6631d200c4aa89bbba66d168f5ec11ad9b163b3c8a

SHA512
2694247c0e7166f9769260cb1b4540ddb202cbfd7d03a265603e4ef4f9c4bdef3072e5e5a0878819857395ad3dbaaca25f751789d19e226871ed59dae9bd6448

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQUg.exe

Filesize
529KB

MD5
c0298e02893d2bbcb4e3e76661c8512f

SHA1
36a6d4c8256e2befa1113c2565dc5d4b8fe5a668

SHA256
a612fb4457f4528c8afe4412b41fc49d1ee3ab71c00758e7041b5feb78571905

SHA512
bf179d7f7b1423d2442afddde8a0bda9bc3eb9868699adfd3a7b7ff898b41e15c87e632b2b60ee49ed4d0df024f3aafa933dcf7bedae3e76a95fc1483287d451

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWkUYIgU.bat

Filesize
4B

MD5
862323430380ee3e3fccc92873b7bbed

SHA1
a45e292d902e97f2bf2c45c6e2b52dc3a078e6ed

SHA256
3f2212ded7bb1f4aae4e1e8aeef152438ab3195757758dffed8b06476c452687

SHA512
96d7b32ee22303abf0c65bd0b379376c4a7ea0ad273eaea3746831a3ab097ecbaef8290ddd7a2f24d9aed422732bc5fd65d7fac72b97d29af492f9f41cbaba92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccUE.exe

Filesize
191KB

MD5
9cc7d61a4647400fc2d4eab2cb5d656a

SHA1
34695734d460d422ce0dbbbf778a8879d8e185d6

SHA256
7128d7a2041254e54da5799ed975b46a7bb19b2918ee814ebf35f74d97ec1106

SHA512
d7f5247d1bcba6fbc5036027385e89074b3a98b30abf46841a95d673ff2d48488c444a7251bcc9809be983a8d0a034b35a9a34e35c9501040358b488556676c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cckC.exe

Filesize
953KB

MD5
9407a522c941ffe179ae6f7eddd3124d

SHA1
ebce978e9f648df6ca715b73cf536cc2d8895055

SHA256
b4d579ef453478acf0887bb800413405e7eb5eedbed8d3203f49055b7911f8ef

SHA512
e48b578a64416f84b955696954a4ba4bbf7f07bdb092acaa41b176f7c2242abba100eab440b186059fd18e247950718acc45e56228c29f0205cf1713aa27d82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceQIEMEA.bat

Filesize
4B

MD5
b59940a2f9586bc7ede7c888b4e2ecd2

SHA1
ef173d39635865893b153432c13368007e73daed

SHA256
b37923bc49e85ca7637b306872241ea3a06dee5747375fa29d0b79c954ad7d34

SHA512
dbb3226c215061ccb2fdce7f6c5b4c9049e6df731124f6c79976a9fd6a396dcfb004c09e5e73aaf18713a57921eb07a8e84ca3f9aea5d63fa8ba8970c45e50f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cggU.exe

Filesize
171KB

MD5
86dde3d407f4debbc90b0ecba066d7ae

SHA1
919a749b9eeca001898876f265037076c4caa66d

SHA256
5599851cdce1a9744506d2222fe7384621ea1069c3ed6a9e8f52b703b55b7431

SHA512
7af6d4a74a2cbc6563a3a203b899dc8e5cc19d8b1c755aad77bfb25685e6dfed28f9c3d286d950f4b9fa0dd69a923a872bb574c2a894da5fae690b691ef22318

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckAm.exe

Filesize
894KB

MD5
891ede21cd227ab7a558257024cc2b0a

SHA1
21d00e20211390663e351a8c007d069713cc0524

SHA256
e14f0b6f7c3280f5d61b650e153398a77bc2cde7798d7957efc9836b659ca486

SHA512
15431cc4a6f0c9703381f8a4f7510cd385208eefe56b6eeb80291ed7028a0bdb734b30184f953b0b2f5e619a53d11b204f91f821a34d2201a0a23a4c745e0063

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUMUwMgg.bat

Filesize
4B

MD5
4d1dc5d6c9a8645871a337766dba02ae

SHA1
e0a0117dc6ec82f4d1698935dae2ac532981e0b5

SHA256
e603e661b351ea3e1394d1a8a9dfa08cb26ddf6799d5bf232e731a7e85880022

SHA512
bd9f9dba3b064844366973b2cd7be3e8c702c900b41355d6d0f80d7663e5ea027718a38ea3596e438c586f57e8ba8ab37362f066de6a67b69357d5541693971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkIQgwAg.bat

Filesize
4B

MD5
c22eafe8c1edb6976c73dbff03315a3c

SHA1
5fb13c237ec5fb308609d55a7439d30917bcaae0

SHA256
4967a06fa8ac6c8178cf06866b871f7666916a62bcffdebb282e74a8d74dd98a

SHA512
0965fde89eb23637631080d78fb577734cd1aef5fa2e3ee47c3bcda0d0d34f7c8f6aa7f2cb728ef3933cce729a926849c795a6a2857d175e37642a6cae2686a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eecMAEoU.bat

Filesize
4B

MD5
76ed3dac7ac22b5577446edf4783ecdd

SHA1
774c735c89aa45a53de3f8edaf8e48284d10f4d9

SHA256
b3c9761603ea2e229db932ab8112e4ba2a7358e73741feb1f0332cca31799002

SHA512
a8e2909d4591ff35672b18c4f8559df3ae26e6294ef483348961e0fe25c2f98487c89c6e009a0e7b7c8f0c6cd668315e80b831245fe4fe27511127171b01a92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekIU.exe

Filesize
272KB

MD5
f9c3ac55dc7ef7ad4d05da1081fe324e

SHA1
ae03d20847e53a2d45948502664c46ec0d7b0fe4

SHA256
ed04ebd2388008f686eaab3eb7b0943ee39513fade9472208cdb38f02eba2d84

SHA512
bc2cf5e8472c591cc3f290c068d1be6a71e1b12e2df68c5fcc2b7bac0e924ded7746038b3db6d789b6f5f01a15783c2aaac77d77141fdfbc43ab72c18d99f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUIk.exe

Filesize
173KB

MD5
d05d7a48d642d4783da8c40194c9b9aa

SHA1
67ee2a83d735524446844757608cc8a68363c1e2

SHA256
451151b500d02e21e890ea54f0d14dd578e48a3073dffced105de435f3155be4

SHA512
284c5138eb0624b78bf917bfad67c7fe67fa9d67942ac80c569e5adfd76415136f5d63598d9f5c283cff2f40a6639b78c4af23d80198a7f49e876680e0d61ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcUI.exe

Filesize
175KB

MD5
7c81d0b74d5c5bd6e618186dbd14bb7c

SHA1
56e63d2ebb9374ed7737686d0e1fd5f4c763ae12

SHA256
109416523dc5be034177126e62094d6bfe739cd5619f8563b3d9ac53718424ed

SHA512
44fc61b40869f558870e890ad2c2f08aaaef809efec19d635072d380251e18b58f391cf29d389ad70bc499d7ee732a4114b66c4fc6b88cb0a2484cfdc3506100

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsgC.exe

Filesize
175KB

MD5
7f73c416c08e58832a674578cacd2166

SHA1
2e87363ac142356d09b2b5063014202d94068470

SHA256
3e2ee2953733c7ec5217df3d92dbaeddb9d8aaaf39d755f01058c10d4a58ada5

SHA512
8d5a1974747fdf7cbd5d52ef57a43e2b6125d8668fe9a39005b4259df05489a09272a03f70498dab9a62487264029a206d58bca0910557b5efbbea883fa4ff8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAMAEYkE.bat

Filesize
4B

MD5
74157f13722ccb6811865a3c507bf229

SHA1
40b0e081b3a96bb032cbaae5624ccb1c5d10524a

SHA256
0e1830146a834d39ad1305be9452ef82c47de2c72b8affec41eb6ef8d68e3eca

SHA512
4434230959a26ef39eb026abcba9f4a78b4d3249adf16989372de77257517219134ffa2f06469eccb2107c65b04f6a6c1f9d2e1077589f7dd17f255c12f3df78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMsEEMgg.bat

Filesize
4B

MD5
5fa5e2bbb3981d0f573ee7685a91d49f

SHA1
1f9f48435624930486ee20d5a93125909efd7419

SHA256
997abafee8c212de7ebcdc0c48261692538da9fbac7a25eb0fd71e3e2dd2117e

SHA512
b22ca45c06037a70a04f0061f51fcef9f3efbd4a53fdd4b0f4590217fc4a96f59c0b9c6dfe78df6175b5e9df7d01f5233d921d8f6ab3d9a118a6e690e9f76426

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUgQMoUw.bat

Filesize
4B

MD5
665579c102f95e4d883b3fe766498e54

SHA1
34933130631352d566766af6d5a31be9d9a3b44a

SHA256
18712e0cbfc9d118c427f88ca7dfe82521d58a36d2a881b8a40b7fcb7cd1a37e

SHA512
a2a0a341ba225d6f06124be22567767743a47a410b3ca44c06980a5cd79bf7828bf14e4ae46dfa9cc75059b068a4cf9872052c1898fa17bf5ac53ec6de431028

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEMO.exe

Filesize
177KB

MD5
83f1bb970192bbb9d142f9d5a4ad52a0

SHA1
c3937108d01727963c3a3543390dd48157d6bc01

SHA256
ad4e112b4219ad2c5adc545848414045771437083a9f67216791204375be329a

SHA512
69a084e4f9a364645192f1e96ab0fc26741942b2230f89459bbb6338520bf3cb6d8f1e3fad36d8a1bde4a9c7cc2ea7264afbf90c8cdeab2a68d0d8200f03b7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQEa.exe

Filesize
255KB

MD5
c69b7fb46b91b9d83305c30a321a4611

SHA1
3ba50bcabcbb46168a547c9bd5e1c34c46f4d793

SHA256
9296c788aa6c25de5a0228bc4512549075a810706d3e962e80168193376f70c2

SHA512
23d479aa26678f65297762f4c37b268e662485d3c43db9761f77f78c86e9bce66666cf5765d30c588ac146717c95d6782f8e00b5ad6eec30d5554fc524b5d395

Download Submit
C:\Users\Admin\AppData\Local\Temp\icUe.exe

Filesize
251KB

MD5
c562736664973e558fb7d6fc9ba0b74f

SHA1
ab79835a22436781f0b4739ce5fce6d51e1a5757

SHA256
1fa9ea3d27072a879770a57723da184c201abe33f168d70c28fecf144e54b20c

SHA512
0e0b8fbe78303dfdf9b4eafae6e4843c1bc8929c913cd4d9c9555a3c03a52ade29a1e5e95a4598d7092b491846c5506669a67f52f7455c8296ed6069ce0b16f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYYAAco.bat

Filesize
4B

MD5
e8d5d27458b075791935a3dccf3418e2

SHA1
84370693075a64fcfba80ea880afa169ed7cc4d4

SHA256
12d33f1ffa4a390327e7ad1e5c0a49a6b9893b7f0ef172d0c44166e801c6214c

SHA512
7d5337874288c5bd9e8d36eae3e3e39056ef2999353cfcf7262714d14a94059b0417a338ef534da5b942d9458436d6b474c49e29df3d7c61bfb5555eaa9d0ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAcg.exe

Filesize
188KB

MD5
dd8f5f9c83fd467668ba47bea776ba73

SHA1
b18b3651a5fc0b83030f4b924ec4a99750916dbe

SHA256
fb0b7c64e6935b64283e2631ec1a3bd144bd0ea7256518bbd4e7d9c5ce769a11

SHA512
d8b14d9814cf5fbf20fe81d428834d8a6a806264b15a406cec0822f9204965d2168d818749a7b91a44af89f804ffbbcec3270540e2567c7f2983e5fd9b3cdd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQQQcIUQ.bat

Filesize
4B

MD5
4c6cd121fa7d34e2a172902a117bcbf8

SHA1
8c48815ab9b467d26a0582dbba55c48b936e2167

SHA256
ab8617cfdeb68b8bf58e8d0911e020ecdd0f9edf5982bab907f10e532b431948

SHA512
b0e287c2d19e1e66a82894adcf49282ffe8b0bc91d441d9a02aad9a219bbb2c44075eca8780ce785386222f7e5965ac10beee71f5215cf80f5c458390ea51ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQgm.exe

Filesize
193KB

MD5
7d8369ae1563e530417a425c6d07dc26

SHA1
1e56e5ee5dd4a533b6f219a51aa60fcf71801c3e

SHA256
1f1a3dbb37df1fb3cbfaf06e5c85dce97b434d0e225de956cfa21256ed909777

SHA512
edc68648eef1196ee2691efbc964dcba6c8f61def17fc34ccd18ef3ef145d3f724254cf9714d7fb3c9390ad03ea0a1c9caf1a105e317a9bb5eaab1125521a773

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSYEkEEQ.bat

Filesize
4B

MD5
0a7c45801142e8b4425bf1a4538cb26c

SHA1
1123ab54679b6f32ab5f0ae8d575a462a62a0986

SHA256
9fc030ddec6f451234facd88b60c0881d41f17d0671e69c5b723215a66520757

SHA512
998c6e389cb20cf80e5c98643f42c2904c234fe3bd01d336eb254d7d14901537b62803bab14698461f024bbf7c4c54962bc41680ce4802cadd90577458dc2c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUoA.exe

Filesize
184KB

MD5
987413b84864d9293731625df63e313e

SHA1
632d4bb0ac41839be7f6509d870de07ac5ca8c26

SHA256
af6a371652267d24746c9b33598815b69e1251392bb8bc95d9fbff1fde074e53

SHA512
0c17f09f642cd2e58f8248c7c37eb6b8969bf5eb1379c3bfabc6ef073150472a3e071e46cf4c99f22dc3901de99fe18218537b390f55d77b8f46c7395a3a6f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgUO.exe

Filesize
702KB

MD5
b9a78ea5bce1bb2add35766d86a8d55c

SHA1
7d240fd98b16c2b528a22c8008de404cfa0bf0be

SHA256
ecd52b4a06ac4b70394f1e17a2f4dceec7161a4cf3c96582084755618daec56b

SHA512
50d69dbec4e316c773ed6c1b8ef30454c9629d9f2dc563fc1086b034222108792640bbba607cbe5b7249df1440b526339d03c8f3b64061f6d42e1ea90c869133

Download Submit
C:\Users\Admin\AppData\Local\Temp\jocW.exe

Filesize
172KB

MD5
2c771d21ad609d9ab112c67e4bfb556d

SHA1
0c3bc54f85aa20a102c78917303d1f3797821b72

SHA256
2c27f8d58705fd56ab52b761ee7b2b1aa773a93210fef0a73908bf3b8d684b4b

SHA512
474fcf47a7cc9dc114e8533748cbec3f357ad62d1e117393f0b8157dabd79d2fb456aa49f3538188788f66cc591061611518e92e875fa17ca3b9ec6bf704b1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsgQMIss.bat

Filesize
4B

MD5
efb3e3f6be08f6414350073df6378ec6

SHA1
ee726d4394ff26f7206c24b41962a51d917046cc

SHA256
0d9765500d50a76ff4e85bfb0d3e4c6248fa6b2838a9808343c3b992d0e9f73a

SHA512
4e5f0697d3b3eca7fda0a3678004c013e4be187e7fc9acab0e9757f20d59556585fc31412c4a9d0af9297b3da4039576a7756f940044effe83c6ce9aacb52f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIgo.exe

Filesize
177KB

MD5
632e0e4d3c9690a9bdebfb4a139f2689

SHA1
ae933ee41c9c11ffcaab666685be342ddfbe4e33

SHA256
4d56a5a6013b5f9b25d543437a4ee468d1eeb747f7b234fc537f7dd61532e582

SHA512
04271d9ad7e62d8744c1c9978b5fbf32eb494659859e22e72b930893c1570c078cb7d361a2627e59301a624d2bba9f6d88cc8d28050bc58ecc298abaf2bf55a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcYc.exe

Filesize
179KB

MD5
a7b2b4da40cb6561ecc6d5a0d03d059d

SHA1
44c37dbdc5a1da7fbbca0890f5d9ef3420d46671

SHA256
69e25ed75e4064f036226bac0bf2573e3e69f117aac8a3943f572fecd662562a

SHA512
e44a5b04c9d4a21608d05910b1f520c1c59fbd42a26f319b64e09429df9b1281cdaa12931b669c1b3f7bf499d998ffea2c13aff52cd937c85ebbae091b1a70f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcgEEwws.bat

Filesize
4B

MD5
9ddd570210de3a799eff98d6efabf6bd

SHA1
33c2850af72700e3f7f27c5fc23dc828510666ef

SHA256
78ece4208dda8c512818253f464ca6080ec2140a09932e5884c41d0da479f840

SHA512
cdd6d3336de89c10cecf80131c279ce02f46f2dc77e5ba03eb492ed89f30fa96e272c044efc755d72d95d7e39ce5b6cbd0f84c44b29a727587760c65dffd79c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAgK.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYEU.exe

Filesize
723KB

MD5
87be42c700675754b7af6cafd09142da

SHA1
c991723fc533a67b351405d46c480ded33a9c083

SHA256
aa290fb8025857cfb1a599e91a7974f37ced61e3abdd7718205fad5f812ca3d1

SHA512
53318186a45790127a07fdce640b153c1d7d7d24a9876d94883d47869c39cc906cc5159820bf9f6466b4d6c5b091d252b17e5733fb8505b6dd0eb4b8e5f1be28

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkIUYEwk.bat

Filesize
4B

MD5
c3d0ef028121f80a25bc332a9519be54

SHA1
27fb3de1e57e6420fb793636c46785a117da190c

SHA256
5ef27515f9b81e90a0c1d8384dc32efdfc409ffed477327cd5e4bb207c2f9db2

SHA512
5b42c265dcdf331a5582efe267c66dc4c64f24ab23a17de5fce24fecacd9b023da0f3cff4816c8f70c7a5bb7c7a9d30c1bc8a15d6e2f37249258ac33f8fe6881

Download Submit
C:\Users\Admin\AppData\Local\Temp\lysgksEw.bat

Filesize
4B

MD5
86a98cc5c83c541038cb011d532b5cdd

SHA1
1581e15464b61a9ec26f3d33c27cc77b50614376

SHA256
5b3fc2f0c5b6f5afb6671372eda95347cd5b7fa93ad2be24cc48ab0e05cf2f0f

SHA512
48a63fdbfb8cca261e511e4bc62fa8d06506664d383914fc95a723e89f17d37be6ff16dfde783d43c33ec3299696027709dc4a081c8c2b1e8abba0186476350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUUo.exe

Filesize
186KB

MD5
480377bf9a0fa5fe1a93f8c966320196

SHA1
4a197647fd2668a3e5671fb12ee44599be1b61b2

SHA256
8f9564f954ba1508bd1181b0dfa1111c0aed344f375374f524c2e204acf85a34

SHA512
4825ac1c45bd218fe81106deb1feeb92a93d81a4c9b125661c9ae7f8ec865bdc42e31033446d3889ebd93703ad51a6b43279b8e47b3bc997f914a6fb9c543645

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgQgMcgk.bat

Filesize
4B

MD5
0a317a26d90f35d9bb3dc00c733166ef

SHA1
f829be50d4de1a80949e41ca6b2df04083590220

SHA256
6abcf94b7ffd25d94019408e2f7e916a37393a49134b26172bffe01d256c9429

SHA512
38fd097617cc14f8db8703a18806a0823a766879b5e9fecf9de65913544a22b5bb8c5390745e39e22d381de1394e3c87dbc15c89e8d77937271417b941faa966

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgUK.exe

Filesize
553KB

MD5
26d72e6561b4622228130c7fbf6097cc

SHA1
6bacbf3700de49c13d75feb09aa1407ff989fb3a

SHA256
31935e28b3832762499023b173718ddddb0e11dcb46300effc8f8d5836d26d03

SHA512
219129ca45b3e0ce2dbb1990d36ed3e8d51ce11ba9ef63733e62d2fc0ebbb1e0d40a64f6ae38a3dacc8fc7ce4318d8b8dc299ce015d49b1f2c587dc2c8111323

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMEo.exe

Filesize
176KB

MD5
5f06c04347d75c8c9ba9e945d3d09c8d

SHA1
a24fcec45f20c28b20fa3849a957ddc08279dd9f

SHA256
d310445500e9aadfbda3798ff06483321913744229cf75fbe4cb8a6f21275d5a

SHA512
f2e9ae0c7332c4bcc1caf8dd7265e55113c4d0756400d85a2634079f63ae4c2c9fbcb85b0127c75006fc384673097a43837019121eaf5a78136d145cd4575c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\naAUUMoQ.bat

Filesize
4B

MD5
4d2502171f70a76ad7a82aa533136f67

SHA1
542dfcc686f64d518d107b3f47810be89afb8ccf

SHA256
e47b01b85ec26df39515938e5b509c20aec27dbf3bf66c48a878d19c7a67ebae

SHA512
51efcc0ae576353d5b34895bf5119a2034689bcf8f9f178f7e8f4d394f37eb26d752addd191d4fa77c1ba9a40f0ee61b1e5a02efcaf466652a4e6d0d9394887b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIYo.exe

Filesize
183KB

MD5
9f614e19f91dc31aa5827984d540610f

SHA1
cd1b0bb96cb77ad1e6d9720736c9a15bd48c47c5

SHA256
4e65b7d3bf88b4764ec47ad590873bb1edc4a9a38649f989b9c68e71333a7c65

SHA512
cf04bbbcf98929aba4a7304496de0694837a842745b04a2de6204e1acc57e9894374c1d88d9d6604356068ff25997686df892b32184b7b616a17c0cee627f943

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUc.exe

Filesize
159KB

MD5
81d8bc9bea0bc5517941be838183699f

SHA1
68ed9373326582a0a7ef02edf8cfe36625ed6a53

SHA256
825f8f6f580d1ee8e021049fc1b60463c73d46d77d58b640e7b990d4281bd213

SHA512
dfbcde4c23890dc96e921b76151a20f67aee2597dd9da67f95dcdb069dbc75fe655e2e30495480f1fcf16f8b0bd998737a429ea40341cb4a7a3544b200342c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaQMMQkE.bat

Filesize
4B

MD5
6c448b4a4aedf618745fd367d79f307f

SHA1
44f451ef7f1bf732fbc01c27448fa6616699cbb9

SHA256
c111afb10cbd15bf637bed680dc6e4a23dfb8556f87bf38300a9816523e2eba6

SHA512
42459abc78e78acb49a5df2c59405111ca339396b6c60dab7a631cd8b7ead13ce355cbe94729929b2aa42e902217ac1d2b412924b6c249ebf6fae97d657bbe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiIssAEU.bat

Filesize
4B

MD5
c6e0c77720e1beb5b1b1e55693c70f09

SHA1
28afca2357e0ce1a3d7faa4e49bf1c941295a0ad

SHA256
9f7b6fe03789b49484b1944194b8712f80cb9474e33cc0632547bfa547674508

SHA512
0cef75a2709c2a04cad2ee2cb06bc9a1f63e3df876ed0dd5af81f1ad39a3af97132c3f88dd3ef548f359943dcff509919f05d3e43bf16791a48f29f4fca92cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUc.exe

Filesize
948KB

MD5
02143de357ac67fc13c814cabcd8aae3

SHA1
969b742b354e5d32cd1b46265ccea67a515356f2

SHA256
adc0f53ecf0908148ddca76155d96067822386ecf56817ca88698c213540d470

SHA512
238bc1425a7aacca8100f781cd906b22187e3156d771eb652208342b1da4d1a68ece9075603ea77fa3fee6f562c4868cfacac084778891985001f52021459dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIYEgMUE.bat

Filesize
4B

MD5
7c6cc5964edf8397d981b75a461e6222

SHA1
16e766e0c47d1b8b52ccd9c03fde12429f728b5c

SHA256
894391fd9b12266ad3fd321bbf03908869c505b0c3b72f6b3cb2e3a5828e8ac5

SHA512
09fe226b5b451bb5b9983ad3c2a98fa0ac5db4368548c73e4287ad45afdacee9f0db555f402cddcc7af77620fdb5a243e28d15d2b2b4abffba30e229cf7c8174

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkIQ.exe

Filesize
193KB

MD5
4c0692dc02bb66901f665a96269e87c2

SHA1
c8ebf9f6f44048a9def4357f0528c7478d335cdd

SHA256
909da58fab99b99cd5e1155d6e7070e9bc9607bfc412528e63ec8ae4a718d0ad

SHA512
1807d0d45f8684e37baafbdb57b800888578e3b1c3b98ceeb408c6875a1d3168238e1fbb4ee892a6bdcdf81feb7ea62c0a066cd5f963995b3932623cf8a18bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmQMMcUE.bat

Filesize
4B

MD5
7c10ef6c14336e323f71f5a08d57fabe

SHA1
1f5daca48d43568ada44c6bef62bf93618060f66

SHA256
b9bbed6fb6cda81815b55f42ff816687eb7f65dd20017876831a0b667c61c54e

SHA512
671155679712fdf960240f497cdaf8652049e3fab777715b088d68cf059772af94ab5f920d680f3b15de7a30283c5332a3d65e833934ea103de0d072a49e388f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMA.exe

Filesize
189KB

MD5
a4adf78ca1c37f617620bb8d38b08b97

SHA1
5e38d04a68391811341c278cb86ba4400bda353f

SHA256
55236690ac95cf5c7a68c8836219f5e14e0174a68a6ca8647073f10e97f84f13

SHA512
c4f900ba8d7d825a676364fa991a4e39d445e345c5e64054b6782602f003b37494e663459561b78838be99eb37c3ca8133672f76d4307b102cbec601e6f71f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkcs.exe

Filesize
181KB

MD5
716f6929f526ec7b1a506fb11818c710

SHA1
1c03ece781a9b429ac1440b0c3ca55aa733ab803

SHA256
97a950827e8f7f2a85a16247696585b5ef50d5931836920b7ce8cd9cff14f513

SHA512
4a53b1bf2fc81a02e89c134ef3451a5057105345205bada97211577a0881a1dc8df756cb58dc2f4f79acd9f4e0c160c0de0ee001246a3333a0c581049dc2510b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsgE.exe

Filesize
194KB

MD5
878fd6cc63729775a92926a9f537ab21

SHA1
436486020cdc7cd530ac6815e1f6641e3ad80735

SHA256
f2468281764de4ed2444a4286cc83e8b097b04b6060ec10f2d95210e533982ed

SHA512
e508b10c3d07f91e69d8ba2d294641e8021f6260bae86e81b3afb7c4dee176cc3e015755ebafd63a185d4636f774b375d3f048f9186e141636cdd1feaceb212e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEy.exe

Filesize
8.2MB

MD5
c2d4b646296953a65e1c207a1ae33932

SHA1
73df34eee0e45b5ce3021483f260e7c493a250cb

SHA256
69d496fe0d28a1adf285e429d6be59dacd8b4ca8a969c258ba77e9e2293412cb

SHA512
a6c6c0d4b4d062e99407227bcd37075ca32ccd89b2acc2656b2beb9ab2cd1af4fb7345a3f410d4909b5d80825735270bf408ca0f6839ce6a1911bad427a1fe28

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOcwUwcA.bat

Filesize
4B

MD5
d71d114601418853068973deba4da8a7

SHA1
8f123f3d1c8b74d47e9e257ee476ab3fcfb02d9e

SHA256
51f0af3ada29b8c5f66fa112b85259fa7472971e2c6dc8da812c97bf1322d3da

SHA512
e95bb5d104222ffaf346d8bf154c62d62f00fb0a5f2a4b7875bcfbececb35a3e352d85ee214bf69f150f864900ae60da935668fac6a4e01902c0b053800fa15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYcsYIo.bat

Filesize
4B

MD5
df65840ad0c4273fd179631a5c7b6ea8

SHA1
97d5d2ba0a92dd62be73a59e9bc5cb7a77418971

SHA256
5e9a5db669374428cc00a04e4bef07377e22a10ca52f8d0b443d44410c57f5ad

SHA512
1d072fe4d9855b37ac41d70a54814131254e8caa2a44a7a30072cab4981abed5902263808d901d28f8605739af29345bfdd42be1f4d3779cdc60edf6dc8a915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\smowcEoE.bat

Filesize
4B

MD5
d0e548856bb39af5a54ae027371e9884

SHA1
df4ab1e5e7f8016b33089b32ab5fd5f6b3c89b09

SHA256
74f562b22b9219b9ca97549cda4dbd810b4e32ef33c398c6382631b454a210c7

SHA512
aa8bc74b11dc1c7de64624ef4ae806d261301df0ab4a3cce1280bc61360390e8a55d87bdd11f5eccbfe08d6eb34a0d4bbf00fedb7a44f06ea2cbde53d4793c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAYk.exe

Filesize
1.1MB

MD5
a9b02a03259f3e06154c1fb7648c3f33

SHA1
8c6e0cec24c3afe849ad4ce1d50cbbfd7d388f07

SHA256
2235334b71e52cd6d104942cc6a3d17b26dc7c4f1622231de0c3a7e7b28c40d3

SHA512
00daf6f4ddca355ad480e0cc73bbf5297f36e432872747a74c5bcb28412bd8d34951d911d914ef97e5b7ad2ab9080f5497e8415c6a40338290939ab2bd58178c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQAE.exe

Filesize
184KB

MD5
59e9a4e657926fa16d1534e4b7fce3cc

SHA1
32e87ccd1d7282766a3411e25e16d1ea9353e6e6

SHA256
99ad30023492a60b2944342fc337c98dd393a0fbf35df1d688975b5e06e18fce

SHA512
b4f71da4faf4cec548a51ec6e98201d89c4749afba6a876f492c78e1b9d4c438368f5a99cc2f3ffcd9de988b5b67c26d74bcaa3aea83abe88218ae49dbb5fbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsS.exe

Filesize
174KB

MD5
95e825d2539f7690837c31221524a81e

SHA1
0678ceb0f60f2a1b038a930cd00c568d6fb6ab73

SHA256
aca27d61676a7de76825728bcc0ccbd56d935f82022b03eff6efd7730a65d115

SHA512
c30ebe51342f9103558bfd7a8b6597204af923af7b6ab9400c67658a0f964e60db191d6f35533ac1210cb762146f477f64f05aca42fe3304101c084d9b39991e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCwMcAIY.bat

Filesize
4B

MD5
1be564a6b6f1cb6383ae75e88fb8b581

SHA1
acdc1d1cc0e4254fdcc37fd22bd1d08f3c5ea054

SHA256
63d74cad12136895a9ff001aed6cbe6b37d4cf2749f1a07b0a30855f25dd9c69

SHA512
905ea2f9260530fbe777fe2767d028c47207ae3a47a10b6b51bc3235f69d26e939edc138d431764e6721f2d742330de177ae99000aad6b49c608e6f298f8ddfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQcq.exe

Filesize
1.2MB

MD5
d59df6306e632c152fcc600d29a396f1

SHA1
fa28e7e2255f33a278fee65fa560cf4466c13675

SHA256
3680f33c726476458ca971e7ba1b95544d55dd7c89e0c297c489cfcc7e095608

SHA512
dcad41f25c9d90d9734a421643534df5ba4ced4b2fbbc38243e13878667f70168b7f530efb2daa926cb38105de814cfeb99d58f3fbdfdcecbda263507dd29d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUci.exe

Filesize
176KB

MD5
8422327c887920533a0980e4a1fa4973

SHA1
bdd5f4cd14b4c4d5c14946bfd277172a894c4e16

SHA256
bd843c80a690165711f5ca2519bb7ec0bc70c949e2d76d2ffa948559f4451fe1

SHA512
229377bf58b434b20bfd101a81a53916b3fc77cb8332aeca7321814cfc9b34e3094297dfa870ab77855c886a08514931a7a781d958845408431138c3c25b25a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\woIoQYcc.bat

Filesize
4B

MD5
49d816ee6c34d968af4f1e0e3620adbc

SHA1
6cddb7a6e477f07e513cc05587d46aed4744db2c

SHA256
150fcbd49fd68a029c92a3efb3470f06ebf64cea646d926be8d26f790e0fd2a9

SHA512
b09d1f32814f605a9b5a88d67293a2f9fc1e8af00759af6726347872ee27d5e57ebddbc237e8c94726a3b0858b019c48fa2995c9a68d3aa6128165489fc17973

Download Submit
C:\Users\Admin\AppData\Local\Temp\wycMkggQ.bat

Filesize
4B

MD5
c15be29f587bfef13b88a5c7262e9273

SHA1
90add8a168bdd4dd9b004c6e0d0ff1d91a2884df

SHA256
2f94114f2574b204de76fb90b0d58a9484fa8755e230eb2c0dfc068e337de211

SHA512
5f69e4a67e44c1a4871468969fe92e6a8129d8b289aaa2a866ca63b6856d2e5fd745533d00ee8287701aaffb9290b9e670f0750f2d0d5762183f04ff964dbf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAkwwQMs.bat

Filesize
4B

MD5
34c3e7594de4cbe8a0c016685cdbf561

SHA1
486ecd414f793d12f1bf4289f659db21b46526f0

SHA256
5aa829ae13d5c5ff91f9bd854da9870fa3c3ebce270df9893509795e695465c8

SHA512
9eaf5621b23ac6aa26bd8cc908ad483eff1780d44fd75655bc329abfaba6fbdbd45081b3baaa7d17c646f260512aac46e9ee98198048b139b06d998db8f73650

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMsm.exe

Filesize
190KB

MD5
bfec210284b054b03395b8d3498e56f9

SHA1
72477087c5426f524129134b476e7ba0915232a8

SHA256
c9925a1118b14c9fd0d89d50db492ec485cee16290f29fc15d2bba198deafd0f

SHA512
ff73cda4519c2f21843d33049ff8a0cfab5bfe1b5cc0265650892617aafd139b94e0d6c61df7309b746740afefe1feabdda80a42e21ccd51877caf0b45e4b440

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgUK.exe

Filesize
687KB

MD5
f5caa058f2ac7371eeefc4437bcd8624

SHA1
65f644053f25ed81695c377e8ce6c05d9d09b824

SHA256
5d86796779faf7b280cc2e9b42711eef3ddbd1b340fda4d4a69272b9441be013

SHA512
8c13c7571649cc73e60363f7de50d3f55e2bcc5efaee2c36c14770bf99aa6237e226c2f2330824bff3692c9633e7b361459ae8a40811718c2ccf459ad9b76a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuUgQEsU.bat

Filesize
4B

MD5
c8ab6d83ffcd25af087e90f7019888ed

SHA1
804e5d911729776cb9544d12c27e37126902a2b6

SHA256
1ce9074dc9d33553e050ab367d72daffa629df89cb8e71a6bcc0bfbf0def7bfc

SHA512
36c0bfd02b900c9b32e305b6f95cc876f96367d58dc082ce287af708be0ba2f1dab8afaca6869058bf7dc095a9bfca6dd3b85ee31915a6a397828b6decb4886b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAgc.exe

Filesize
187KB

MD5
18ef2e83b28ae965849493f6c0e1dcc4

SHA1
49f46d42b45a3c791fff1db1281f3aae6d878c02

SHA256
ca61167e2511f512641b45891f1a7c6bb3246178049fd5f5bb5d48670e4a13ce

SHA512
fb702cfb2f254632e636c299a150a80071688e8709f457c71fd54656cba10c93970659fd63594362f3996e6901ed605a8be99255f71794d35305953257017b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAkm.exe

Filesize
188KB

MD5
12cb3af497d9d9395e158eec46b92ede

SHA1
c7e7b2ec0565d1b7f5765528fc6d9c5641c7b3ae

SHA256
ce04cfc31d054db4c641150e42be4c4a7b7e61355957e8461e3797b64bfd4899

SHA512
fb4b033299bc839538e78d45674831d824acf473af37b25baf356ce05ff2d83f713acca77ab5ee54f3b443dad82266ff72fea44f9a1a369dd18b2405ce44f3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIcC.exe

Filesize
192KB

MD5
b96719d7d7ee48c058e6c8d6d1804e57

SHA1
118af6069610d6d264cec0d45de51985df884fc7

SHA256
adfdda8f00975633ac2bfdb0c763d44539b73ed02f178253b1e91a07896fab37

SHA512
ef9c602bd6209b5dd5547104957cd60d88cdd64ab4277d3fed63ed31b88d47f301cd369d8002f12a5872ae50dcfcd065c2646a8c12dc7b0b407b758534188454

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYsEkUY.bat

Filesize
4B

MD5
9b9f322d0345f491e2655ad4518479f2

SHA1
d124121b5269a6484860141393816e024cddd007

SHA256
0dce3bb5550ae86c0a0ffe5f6fd007be78698a1a69a2bd03becb0fc16f23eb10

SHA512
9bde10cd9a6f6202335d57de585e77d1fe2068339f20cc5d68fc31589fbe244fdcce558e82655dc635d9531ce9487625134e6a0f2c783ab2a34c03092a77b2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiAEAsMM.bat

Filesize
4B

MD5
9688b18f23c7955bc8e3572dcadd64fc

SHA1
6daf4b3b8af630c3e737f8cf72b739dcc21560f6

SHA256
0b96794f3a507b495870c4cb81f133a2c73c54fe6b612b634d0e6c3144dfbb0b

SHA512
d6e8aa6cf836094bea47fee41d78d897cc062ff274f5934fed247868f2e8dc01fa4cfd94e8a0b8ebcdf2006a31539c267e57ada60b6d39eaa2b294c11ccbfdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykkoEkso.bat

Filesize
4B

MD5
df7bf4471acab0b14f2504787dbf5b94

SHA1
6f7f5b54f819cbb2cbb5e561cfed00ba592b5626

SHA256
0e59763cc76a3280470b8753fe9c740affa62842885b534cb36269e5a6fddf78

SHA512
ed32d107ab954b92e5d1f46769ddcca58979e8fce8260638d4b015c1d53cd30508861c70ad4c6ceb6b11a851095ade5b0e53077fdcfb443ef8e1409e6148238f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywYM.exe

Filesize
181KB

MD5
c8fb3ef4b65192696132d4123f685785

SHA1
374db8965518839c9a67a0d4a4163c3e018f8f88

SHA256
a670caa7976414a02cfa1f0b9ef68f889e56e5b34976de75d55fb179120e4b01

SHA512
ff02ca5a8a0c4f08d6c64e08b46f8ba134b6b3aaa8cb83a6e0d63932dbf301bae872f93842464344a66f01ecea4c5636b3e23f5a2e6f28f088a8128c2dbd79cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAoO.exe

Filesize
177KB

MD5
ed009422804e649e225b398ffa8ad778

SHA1
ce3b3d5a4d0c0b6c9df8a95b06c75d5ce095cebc

SHA256
e62f533f3b784b565ee9680c0de2509fb146a741a288050092617c51b0d0d93f

SHA512
40345e1164f3a7ab3cce9d9cdf0600cefb7bc0d9f24a6e343c8a06660ceeedb64e1d3cd219ef7e286f5025f7df090b8f0ad947c75d3810a590ec71f7c07aa753

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEoA.exe

Filesize
171KB

MD5
5845a3fe80d71a15bab5f8eeb175cdaf

SHA1
00f47afe29b0afb4a4c11eab477c75136a8dd497

SHA256
3f16b5ab195243615395e595c8c972ce4d2c2d72c36a4b260dedcd9bccdd4f6b

SHA512
1e9a5600e3d7f7d11b94aeb40df48660aa008c7ed9aa88d832756fe387ef197537bee82d56073f4b1c4b91c89b84c0d3bcfb19dfc4e90a5564d1c02f004aaa97

Download Submit
C:\Users\Admin\Desktop\UnblockBackup.mp3.exe

Filesize
374KB

MD5
d32059f1eccb8563ec847f0767d0fe71

SHA1
3b91d64cfcc52cf5983dd726acf8e5c990cd3497

SHA256
a3abc7f0ba752c488d8bf5f4649ca6f49fb2b8697b79e0b747d120edc6063e7b

SHA512
2fb22551dfcb2201773a1a0f76dfb3501379aeb45e44ca9fad233a059407d8d3535b05efe8f3ac20ad57b2f1876bc584f0e131e97ac47eae1ef4bd3d5de12d50

Download Submit
C:\Users\Admin\VoMUsAUo\OKMQoEAI.exe

Filesize
144KB

MD5
222fb25efd54ce99220ff763910b319c

SHA1
127990c6618e1bb1c4d1a9d8b75280f0ab1d38aa

SHA256
619bf4271e5ab74566fd733806b35c494b15974a39942f4502f6cb086df07926

SHA512
96dc84d4327b042b0883d837e9e602a2f830e8bea174ee5d6363cf8d28806137cacc5ac28f382098586b933d89f19bf9313dc4fe54fb287b6914d03da61a18ae

Download Submit
memory/548-346-0x0000000000140000-0x0000000000165000-memory.dmp

Filesize
148KB

Download
memory/576-207-0x0000000000170000-0x0000000000195000-memory.dmp

Filesize
148KB

Download
memory/576-198-0x0000000000170000-0x0000000000195000-memory.dmp

Filesize
148KB

Download
memory/676-417-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/796-231-0x0000000000180000-0x00000000001A5000-memory.dmp

Filesize
148KB

Download
memory/796-230-0x0000000000180000-0x00000000001A5000-memory.dmp

Filesize
148KB

Download
memory/940-323-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/940-301-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1028-275-0x0000000000170000-0x0000000000195000-memory.dmp

Filesize
148KB

Download
memory/1028-276-0x0000000000170000-0x0000000000195000-memory.dmp

Filesize
148KB

Download
memory/1048-252-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1132-126-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1132-127-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1476-183-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1476-161-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1580-393-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1580-416-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1620-277-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1620-299-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1684-384-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1744-55-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/1744-65-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/1748-361-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1924-128-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1924-160-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2080-322-0x0000000000140000-0x0000000000165000-memory.dmp

Filesize
148KB

Download
memory/2112-274-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2128-31-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2172-111-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2200-11-0x0000000000390000-0x00000000003B5000-memory.dmp

Filesize
148KB

Download
memory/2200-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2200-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2200-27-0x0000000000390000-0x00000000003B6000-memory.dmp

Filesize
152KB

Download
memory/2248-112-0x0000000000280000-0x00000000002A5000-memory.dmp

Filesize
148KB

Download
memory/2248-113-0x0000000000280000-0x00000000002A5000-memory.dmp

Filesize
148KB

Download
memory/2292-253-0x00000000001E0000-0x0000000000205000-memory.dmp

Filesize
148KB

Download
memory/2380-79-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2380-81-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2564-369-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2564-347-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2564-175-0x0000000000200000-0x0000000000225000-memory.dmp

Filesize
148KB

Download
memory/2568-34-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2568-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2608-90-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2608-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2640-324-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2640-345-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2700-210-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2700-229-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2752-392-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2752-370-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-33-0x00000000002F0000-0x0000000000315000-memory.dmp

Filesize
148KB

Download
memory/2796-32-0x00000000002F0000-0x0000000000315000-memory.dmp

Filesize
148KB

Download
memory/2804-406-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2804-407-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2812-114-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2812-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2832-153-0x0000000000150000-0x0000000000175000-memory.dmp

Filesize
148KB

Download
memory/2836-291-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/2836-300-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/2992-206-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2992-184-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3012-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download