ec144f775dc2a4984431b171c719f488946bdd87f4fd7c5f54983c572e1b4203

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
Size

113KB
MD5

a442929304394d9e6ccb16002e28fb8c
SHA1

7f51867c17cf7fd5438078cd920a6958e2f7988a
SHA256

ec144f775dc2a4984431b171c719f488946bdd87f4fd7c5f54983c572e1b4203
SHA512

2b9198511065b00d6d1e191940032ef6ed4e7515feb93600c9d931581bb42fd32ad65a8d011768eae7bb7d39c7da8db4dd37156a0f6735471f93dea1f726244d
SSDEEP

3072:M6f6Om/aqS+akBBOk8evut5yWeFhqGcB0a/V1QmsbtJk5RQ5CeG:Lf6byVkBMt1RWZu5RQoF

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation	lYsQMAcY.exe

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2972	dOUEIcwQ.exe
2560	lYsQMAcY.exe

Loads dropped DLL 20 IoCs

pid	Process
2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\dOUEIcwQ.exe = "C:\\Users\\Admin\\GeoIQEEA\\dOUEIcwQ.exe"	dOUEIcwQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lYsQMAcY.exe = "C:\\ProgramData\\PSccoMMU\\lYsQMAcY.exe"	lYsQMAcY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\dOUEIcwQ.exe = "C:\\Users\\Admin\\GeoIQEEA\\dOUEIcwQ.exe"	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lYsQMAcY.exe = "C:\\ProgramData\\PSccoMMU\\lYsQMAcY.exe"	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1560	reg.exe
2192	reg.exe
2996	reg.exe
1580	reg.exe
2896	reg.exe
808	reg.exe
2148	reg.exe
1296	reg.exe
1052	reg.exe
840	reg.exe
292	reg.exe
3052	reg.exe
2712	reg.exe
2692	reg.exe
1748	reg.exe
2632	reg.exe
1040	reg.exe
1484	reg.exe
1788	reg.exe
2708	reg.exe
2612	reg.exe
2876	reg.exe
2628	reg.exe
2936	reg.exe
2520	reg.exe
2800	reg.exe
292	reg.exe
2216	reg.exe
1096	reg.exe
1352	reg.exe
2280	reg.exe
2808	reg.exe
1380	reg.exe
2952	reg.exe
2144	reg.exe
2612	reg.exe
2952	reg.exe
2316	reg.exe
1784	reg.exe
2232	reg.exe
1376	reg.exe
2412	reg.exe
1060	reg.exe
2272	reg.exe
2096	reg.exe
624	reg.exe
1472	reg.exe
1500	reg.exe
2200	reg.exe
2488	reg.exe
2592	reg.exe
528	reg.exe
2168	reg.exe
1700	reg.exe
1640	reg.exe
2628	reg.exe
1292	reg.exe
2404	reg.exe
948	reg.exe
1364	reg.exe
692	reg.exe
1816	reg.exe
2800	reg.exe
1796	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2792	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2792	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
736	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
736	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
572	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
572	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1044	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1044	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2292	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2292	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2496	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2496	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2948	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2948	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2904	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2904	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2244	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2244	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1480	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1480	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
3068	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
3068	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1636	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1636	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1740	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1740	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
3060	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
3060	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2896	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2896	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2336	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2336	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1992	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1992	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2036	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2036	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
3040	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
3040	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1332	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1332	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1540	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1540	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
988	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
988	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2796	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2796	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1212	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1212	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
840	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
840	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2016	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2016	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
584	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
584	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1036	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
1036	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2124	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
2124	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2560	lYsQMAcY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe
2560	lYsQMAcY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2972	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	28
PID 2360 wrote to memory of 2972	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	28
PID 2360 wrote to memory of 2972	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	28
PID 2360 wrote to memory of 2972	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	28
PID 2360 wrote to memory of 2560	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	29
PID 2360 wrote to memory of 2560	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	29
PID 2360 wrote to memory of 2560	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	29
PID 2360 wrote to memory of 2560	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	29
PID 2360 wrote to memory of 2812	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	30
PID 2360 wrote to memory of 2812	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	30
PID 2360 wrote to memory of 2812	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	30
PID 2360 wrote to memory of 2812	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	30
PID 2812 wrote to memory of 2268	2812	cmd.exe	32
PID 2812 wrote to memory of 2268	2812	cmd.exe	32
PID 2812 wrote to memory of 2268	2812	cmd.exe	32
PID 2812 wrote to memory of 2268	2812	cmd.exe	32
PID 2360 wrote to memory of 2696	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	33
PID 2360 wrote to memory of 2696	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	33
PID 2360 wrote to memory of 2696	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	33
PID 2360 wrote to memory of 2696	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	33
PID 2360 wrote to memory of 2692	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	34
PID 2360 wrote to memory of 2692	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	34
PID 2360 wrote to memory of 2692	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	34
PID 2360 wrote to memory of 2692	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	34
PID 2360 wrote to memory of 2488	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	36
PID 2360 wrote to memory of 2488	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	36
PID 2360 wrote to memory of 2488	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	36
PID 2360 wrote to memory of 2488	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	36
PID 2360 wrote to memory of 2948	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	39
PID 2360 wrote to memory of 2948	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	39
PID 2360 wrote to memory of 2948	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	39
PID 2360 wrote to memory of 2948	2360	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	39
PID 2268 wrote to memory of 2752	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	42
PID 2268 wrote to memory of 2752	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	42
PID 2268 wrote to memory of 2752	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	42
PID 2268 wrote to memory of 2752	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	42
PID 2948 wrote to memory of 1804	2948	cmd.exe	41
PID 2948 wrote to memory of 1804	2948	cmd.exe	41
PID 2948 wrote to memory of 1804	2948	cmd.exe	41
PID 2948 wrote to memory of 1804	2948	cmd.exe	41
PID 2752 wrote to memory of 2792	2752	cmd.exe	44
PID 2752 wrote to memory of 2792	2752	cmd.exe	44
PID 2752 wrote to memory of 2792	2752	cmd.exe	44
PID 2752 wrote to memory of 2792	2752	cmd.exe	44
PID 2268 wrote to memory of 2804	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	45
PID 2268 wrote to memory of 2804	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	45
PID 2268 wrote to memory of 2804	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	45
PID 2268 wrote to memory of 2804	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	45
PID 2268 wrote to memory of 2664	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	46
PID 2268 wrote to memory of 2664	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	46
PID 2268 wrote to memory of 2664	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	46
PID 2268 wrote to memory of 2664	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	46
PID 2268 wrote to memory of 1580	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	47
PID 2268 wrote to memory of 1580	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	47
PID 2268 wrote to memory of 1580	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	47
PID 2268 wrote to memory of 1580	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	47
PID 2268 wrote to memory of 764	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	48
PID 2268 wrote to memory of 764	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	48
PID 2268 wrote to memory of 764	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	48
PID 2268 wrote to memory of 764	2268	2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe	48
PID 764 wrote to memory of 2260	764	cmd.exe	53
PID 764 wrote to memory of 2260	764	cmd.exe	53
PID 764 wrote to memory of 2260	764	cmd.exe	53
PID 764 wrote to memory of 2260	764	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\GeoIQEEA\dOUEIcwQ.exe
  "C:\Users\Admin\GeoIQEEA\dOUEIcwQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2972
- C:\ProgramData\PSccoMMU\lYsQMAcY.exe
  "C:\ProgramData\PSccoMMU\lYsQMAcY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        6⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        8⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        10⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        12⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        14⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        16⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        18⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        20⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        22⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        24⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        26⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        28⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        30⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        32⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        34⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        36⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        38⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        40⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        42⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        44⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        46⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        48⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        50⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        52⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        54⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        56⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        58⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        60⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        62⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        64⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        65⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        66⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        67⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        68⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        69⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        70⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        71⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        72⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        73⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        74⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        75⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        76⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        77⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        78⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        79⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        80⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        81⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        82⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        83⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        84⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        85⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        86⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        87⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        88⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        89⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        90⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        91⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        92⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        93⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        94⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        95⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        96⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        97⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        98⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        99⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        100⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        101⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        102⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        103⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        104⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        105⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        106⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        107⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        108⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        109⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        110⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        111⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        112⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        113⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        114⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        115⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        116⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        117⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        118⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        119⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        120⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        121⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        122⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        123⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        124⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        125⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        126⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        127⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        128⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        129⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        130⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        131⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        132⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        133⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        134⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        135⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock"
        136⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock
        137⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fUUsYwUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        136⤵
        Deletes itself
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWAccQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        134⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaUgoIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        132⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeUwkEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        130⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TowgUEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        128⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqkAokUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        126⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYUMIcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        124⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMEgsUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        122⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEMQwoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        120⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWwscoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        118⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgAoMEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        116⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEoEMgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        114⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYwAoQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        112⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nsIAMIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        110⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMkIUgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        108⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymwIAAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        106⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cowsowYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        104⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGQYQokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        102⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAMMoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        100⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEwkokss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        98⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSkMUoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        96⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkYYQoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        94⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\coAkkckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        92⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwocooIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        90⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIEsoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        88⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwcEcMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        86⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoAQkEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        84⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIQEoUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        82⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEcMUUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        80⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nscEMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        78⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZukgsEoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        76⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xesAgMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        74⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OawkwUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        72⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwMMwQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        70⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcsQAkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        68⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCYEQssA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        66⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQEQEoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        64⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUwUgIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        62⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\emIIMgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        60⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POgsAwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        58⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYAEgAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        56⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOkogwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        54⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYwcAEgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        52⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUwAQcMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        50⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSwEgQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        48⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYkkQQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        46⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NigwIosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        44⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zacAsoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        42⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KeUQckog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        40⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aisoYccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        38⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iekkcQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        36⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQcwUoYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        34⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEwwscIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        32⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSgAEswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        30⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyEUkMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        28⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOUsggkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        26⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\naYAwQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        24⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMswksMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        22⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOIIkMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        20⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEAAwEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        18⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgsgMkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        16⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgEsQQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        14⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqoEsIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        12⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMIEgoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        10⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYQsYgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1808
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1560
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1196
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:588
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUYAkMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
        6⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIMgQEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2260
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUQQIcoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "522389697-1675824253-116888632689141427702890228-756771891-1667879713-151182705"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15929997132057479502198132431610574923298226463651973430421-987726807-2133130628"
1⤵
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47917277513614701222140599217138496229236636119-206646745720603290951753036678"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1886941458-312313701137468405833121406116045161901271880-18808963841422986585"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1303991147-1960275791-918599110-525685338-1134005604-1205683551-1803992268-925264355"
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1479788869673707609-58194454900629790-55109441-21340346701785158668-171055471"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1120347425-1200543949200561791482442088-11793317531386114544-1648533369-794946405"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-287572062-906457289-1914415824-15514714661167394032-1241040870371344331008740304"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-176326015510804278103293136571767984634-811251389-1421456498-168368178-734937810"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841247414-1784766755623573471-1809849950227803257-12483091201675060926-1917537387"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "756303790-1123846191152042826-19650190714137305623449700581112350972-370693429"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-161104493278168536-282798411112947208721006199466810426-2083697948-858404351"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-193148764021080309271155175603172647619498661527317983986420539817821565496180"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17957026861470505393-553058505-100787354213369356218030825403834264091390225448"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-770382200-578404030123265447-206347793213939191819145979511216832524-1762535677"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "455847647-5561321871734980160404566121962280464-1760933089-1273930930-1978126092"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "309639852-909295207-1071867983-1023132338-344336457-10894140701636270250961012528"
1⤵
PID:1068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-571251915-1990413825103148347967695851317598842151084439465786047004-1462348794"
1⤵
PID:668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1559858903-808204435626131560942785980-1005737850987956634-1151141143-1284421387"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "77329786115301825422771494-1747001571-2140354978-1521533507-1374620953-2058884523"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2051350412-844934127242211044-516002753-543869066-16112374031513764378258309087"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15418812181359449468-314190862832470766-756850571679883855-1640212972861579476"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4019185801214455944-57988113-865145717-197423399015633994941166837957866917260"
1⤵
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "68307925174755854717275851861441941436496262961-85406666718666936-493922478"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2031698649-664674215125565349348873837-14666752421168232830843807586-911663882"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-731944584-21104473612110402921-950562675-1572435749662020230-471768950-1118967894"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "759979043-1365122927-88258587531071474910587296802428098801828907655670742121"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-738184692-774655512-1132242391-535726164-368626615-522682578-2279763821180677522"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1989989428-16531726831110520523-19520293411250417980-102073198117179099741172785898"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6851193891295239980-16282869571782940308933797078-956429644-1983158754-61549207"
1⤵
PID:988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-788125358-875879297-959011793695817446-16687531341830335760-5879757251028745100"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1266560754-19560180062088730112-954245521-2137088492-928702978842049345-1392478585"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2116534100745432269-1034713308-20785301762158411578485502711235834438-1334625363"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "980972289-1992623948-15514824101958558171-1785551057216227754-1033423334-488047310"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-717401575-15043833771224852482-2038846681-520826109-478954441-1814772389-1382305501"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "754028587-4789850862494174156804270031209475450747001354448723888968514775"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "105837020615118301281962110890553642615-159811668-1894581564-1438580020-1893240126"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1761723201-213662251002907159-217373076-77722982010105393811508947918829564793"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17075147241121259166549245082-19073050851278162817-362660385-647918047-1981754469"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2501200314245796501836754693-925028959199610657918466663991073945908-1625487695"
1⤵
PID:1352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-26666631421507801-15536884371428171322-1192769408-688104842781575798-751257891"
1⤵
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-591833395-1116215853194229647818530183359227955493917436881481655201-1070337614"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1378763508-107310992818525796722107805396-1414116839-1084985237758200544795964260"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1490766802-109061622817136052124403749581507021306-1522343074-275366957-226296768"
1⤵
PID:1304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "793303224-237420679329240066330601604-26081340-4193820532036786241937987921"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "197258987617587929131392169204-635535588-831431581892907107-200917637883619065"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1732115144-419777637-918456224-39629287511026291851885819085-808019614-1668771416"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13092194846109671861416631569-5334200421086938491256861001119434719-1024427260"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "360396122-951212021-4195978761809247815-1729304361726012536-976344515256474714"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21037834438149445739046618153942212981919943869187397567018425488311565974516"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1055273619591698266-56193504615910269711822031240-1403009449-19675420121636303385"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1596236130-31061296248837995511597318761262266121-534992406-335366105364825102"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "168986674916866935011771471974-742881101-165964450620750820051873674419885753781"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1227203954-1528696460-1984623152-1376043498-934941712-1449690421703736585-1400887818"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2086829753-10861213521532972685619111105559415688121696005-1503805297-781983204"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10023745701129490810-196027904-113840153111360188891468052779623263762-1081077164"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1939498176475503975468388076-1564030645-14177769541370287913-773970696203935872"
1⤵
PID:764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10792202922106204682-124925917814196423191288693307-13407952411091978699-1990548283"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-234121984-604387711900488134-386839601-16530794151003766484556094266-978880347"
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "497778968-2122116546354058967-137738818-1296094379-134556716-508063422594809208"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7880574541087735079-1805505851-1720435934109849902129268631813927436091513257539"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6792400794989878616855110-147226268-186234585912030459759247703321631824466"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "419789616912012211-1151116855-1447546545201436271712296920821120095179-666058704"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71825816360833582719641464039490723552143779108270787391-2116959251-224244195"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17562899871735151367-1132364039-16295778292039055339913364735-695051011766338221"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20304377722085066516-100995282-1991039631-703550271800213553-101375923-1685041827"
1⤵
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1708222603-277677381-9067489301853417716-1427645796-1375578451-2051870413346141136"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-950496981-1015107973-1786212931-1833450891337392842-50143536-1244296193186958761"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17299840645845242635323725-917090738117620023215805828852103003160783627465"
1⤵
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-448496126-1472533076-474137741120845832720265016151831817477-1450606281-326016999"
1⤵
PID:528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "303554639-1543824095-1501646367-1232754370-1613182292-1118227896-1538456243917675674"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-601610972-304778936-1258663812-1450126243459795627-1777638620-1188928178-1088526431"
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
162KB

MD5
4a62b56646c8896d4266f77ec53697ee

SHA1
95e5e28c2cd32d420aeaa738e003f25ee2a17a30

SHA256
02b2d5063fbf3556d2d97783f3f4a6410b7c4c70bb8014c2258b7002975d045b

SHA512
3e258a9b7b84bff18aba1f4eb6b94b65cb362dd38356ed9861ee811916b461ef3a064f0b7e6cd08d45af1ee4525ac8cfb98ec68e0e45bfd7a068c68a5462f443

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
159KB

MD5
1d57f2ee25160c9e39aeaa730eb14440

SHA1
68041837d90b02f5a1683a50a12f6ec74855b16e

SHA256
c8a10f979334bc638d45e7ee36b63397e1e29117bb70f70499312ee076ce8086

SHA512
ac441dce885b97de292ffc2350050fe7025a9ed1d4733306d294bf3b9e42b03c274d403138731181c80b7e2dae73c3c6d344defb724843216b30073ef8fc1403

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
158KB

MD5
1f194d4fffa0357e81f530139f282b67

SHA1
5ccd55d12a0a2751b81c5cfc80aea75353ac3ae3

SHA256
a96772c73bb4a3ab42d14580a2755f218efb385c3817fd00d0648db1275caea0

SHA512
b73dd45cb9976cdf830376a0fba51c428b46596716a55b9a80932d5eb8efecfc879ce0d9976fe1f933d569428d3beb4e1bc6aedfd6c81975724bec5d660f45cb

Download Submit
C:\ProgramData\PSccoMMU\lYsQMAcY.exe

Filesize
109KB

MD5
0497a9c99c689a07c675c46fade4e817

SHA1
4e9878403cccbffcae3f3bcbe73b42f6014ce418

SHA256
09e3e70c060fc9fb08845e02a7ec43c15891d26f34202b54706f5c06ad86067c

SHA512
5d9363b2d25f57906edb5d154af6ad5cd3f9fa20435590043078499bdecdd7f97ad31679e16b73b68e1f6681cf7518b33ebf7fdbc4ead6e2816651d5db11bd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-16_a442929304394d9e6ccb16002e28fb8c_virlock

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEoksQYw.bat

Filesize
4B

MD5
77139b8bccf41d9d83517633fe396b3d

SHA1
e97ecd93422699976f3c85255f7f65d437f3abbb

SHA256
7a14a404da1ef49e5d7f53f84578cc1f79bf7465e99c51f27bf4c5c178198d35

SHA512
5ee36d0efe2cb6792af61ab2ad13c4f43ad95188b255ed6bf0c0da86ffa125fb4e26c2c2e8974c7f1409447ffacb4fe589e2e30c1c7e64fe64d5868babf4d547

Download Submit
C:\Users\Admin\AppData\Local\Temp\AScIEQIs.bat

Filesize
4B

MD5
ae4ea6e82d677d76906101b39e3c8a38

SHA1
6610d93fd9a43e502408ee104ca3bc681f35bfe5

SHA256
14f5df964417f18fe299a57f406ccbc1edcc8aa18c1b1f281bd086e881175997

SHA512
3de6b9219ff470ce8262eca2f3d4264533e78cc248dfa433f41138f29557014d5ef24d3b2fb8022220ad370332d5330e1ddc5d6d58196857bfc62fd9581aa3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ackg.exe

Filesize
566KB

MD5
2cc6d5ffb1568aade7fc931b72f0ac5a

SHA1
e48e21ab80d6f36ffbcfc8bf2e0d24f4e7925827

SHA256
267111f39c708c4340eb2d026aa4dce605d1a221da8b1baeedbb11611a93db95

SHA512
a9edfb2d72bb4627b08d015bb87f28f24fdf3d1ad32c3a24654c132f9c2468f1d9688e3b5df6341d37c5becd287edf44bf18fe15667d005b49640eafa4125802

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssYYYQw.bat

Filesize
4B

MD5
a93420cf310e19b5c62f6181ef937e75

SHA1
43e17ddd06dd6928b19e7ab2da2f60b505882714

SHA256
d0d2e7f1c18475e433ee7b56083910d34dae6cb6229130b415af304c300b6a72

SHA512
1b81e128023fb1464033d5c7ce595d4bf36cb573ebf64ffccf06a871f654bb2ceaa14b8cf4c0bab201bf8f41e5f91d9a461aae49721409e0f0456cec0ae525e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyIwsIcs.bat

Filesize
4B

MD5
81d6b4ba3d5d143cc0f14c9e3f03947a

SHA1
4897dafaef0e65a5f8874b5cb6a3401ca65d0f7e

SHA256
d2e259e65886b0247eebaf010e01d595505cbb21e8dfafb7c4e01b95588ce1d3

SHA512
f93ad370c49fc5e18748789bc8eaa1fa67e5c43b16a1810e4c24d426020ff6001f1feb57d9208b5c2ab5d5bc8decda51522b84162b6682a404d05709f1b70e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAYcsgQE.bat

Filesize
4B

MD5
6dfc342aff426dd8cd61f3a2ca5097cb

SHA1
a20a651ca3473814835f7435f8dc30812c54a9f0

SHA256
0728d8900ba0289cf089890f9d14ecbc85c1306435806a7c44f03359dbab16da

SHA512
b95e9c32696d4cc230fdb4ba2e1fe8282ed29d6d642b6a980503beeb2a22019a9a0762a182bf013fb149c15d6364ce7fb940067e56acc832dcad2e6b7bbe837e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYgYUQE.bat

Filesize
4B

MD5
f42e67d15f352e491148db1e776097c8

SHA1
4cf89737254eeb8277c1f9b97fe4159ba2fc37f6

SHA256
c0dd503f5d1e49a813992de78f07ce8883e65460940b881f7a7c9b6809e0da17

SHA512
b32cb425a9f11c03a6558ede5b99a722c1b235cd26a7541d8d29b6f1027bbb23583dda97a6b471ad74905b37015fb918670b2fddb825b1bd0df30335bc5da5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQMO.exe

Filesize
158KB

MD5
fa573473d20ae3fa843036cfcf0e2e8b

SHA1
5388b4d1e316e042bf2e0b772d730fc7368e3a29

SHA256
4c35bf03cf39ec8642b10864ad269933ecc22fbbc065bb7c1ee5a45820d449ed

SHA512
c0c507dff24d8249a9f8b8dd782eee4f64d0388a0d0f13567ae2cc3f75ecc7fd69f0549e94b9f93cd279fd6682cd359a6b1c027b35a3137d5af253ddbe1f8606

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUYs.exe

Filesize
1.4MB

MD5
c607077a58e3c63e3595f06b532835cc

SHA1
56b76667860e0eafbff038de030c113c15727e34

SHA256
318a6b9f6d93db464c6c9b00abe32217bd622ae171cdec6860c7c3251c9e39aa

SHA512
5ae6b1e7d87128fa68e1fb774f76369c26a0fea10e2361da639f40cba2aedc532051004db3637baf03210a2bdd36e3b8c6f11b049d03bdaf2c77bd606b6a173f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgE.exe

Filesize
158KB

MD5
7bfc3f30fddf9e896a5b1ead26c7be5c

SHA1
eda12d166b2a430d2fa12ded0d041da721d80544

SHA256
e0b60a103c44d59b2b42672447fcf9d5c4d0af0d3e10320ada383e0954520924

SHA512
c7a60159a81b6991353990902eeaa2253844831928dd71c185fbb6f82971f9e829b61f624621e0a783e682e60c164b5f69848335fa0cf718a9921bb9eb5f7d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWgQQokc.bat

Filesize
4B

MD5
4f409419bff144bd0fbd5e60850f3029

SHA1
b917a0428ce936ee2007fc4189c7e3e33f7fa437

SHA256
f3e2dab1d73671178239cebb3950f44d458a6bfd076caab5d0e068ce89099c3c

SHA512
b18d021195f0b131154fe818902941a20e9efe182cea8047f3c7fb78f0f15350d97b4fb3c223be8a2efc32c82fa740a5af1cd06dcabd2297eb6f5eae32b219e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYQw.exe

Filesize
158KB

MD5
04dcc356738fd11f7e3ce2c660baa4f6

SHA1
9b3fda37df304df279f496f2e544d4e7ee56266a

SHA256
b34388e65f4e8a653a6513cfc74c69c031ad9e8a402e5254cb0c8512fe638080

SHA512
b8ecf5538b2c4c3e5658a3ddbedbc96f0bcd1aae861320571f2366972c2cce7728128b460ee63b94bcc77e29e1f9582cab2ff8b618d39b7a6041b3c08e253b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\CicEAsgc.bat

Filesize
4B

MD5
2b65c4291a6e63c44ce0360a0a10fd52

SHA1
cd5f21187d447b1b1bb1e40d3a019da0b8d00434

SHA256
f69c14d636712110e0198d70ef81605b8111e01d00d5caebf16dee6d873f2ff6

SHA512
436456b6e8070e928ec4162148814515634db8ef7bd29c82d09614e81f92f1495a755c2d478ca26a54a0becbf89364b5e1b58670ac294f802cdb260a6de1d067

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYIsUYQ.bat

Filesize
4B

MD5
c61d0c3917dad1e780440f273e3b3692

SHA1
4ca5468f428cbf556fb588fd4eb384617ab123e7

SHA256
db93dabfbf93195cbf818c57699f3c55a5dd3d78ad6c84e95661af7ead02e7f6

SHA512
c50668982edfbd453f072fda10c473064824f2f7f27376d26bbb2613be9f623a73846093d718eed61b6a88d715f25fffe74f846e091891366f890ef45e02a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEIu.exe

Filesize
157KB

MD5
b52c8a58214b8af431e3b930c3e86007

SHA1
b50f9e8a7eec645cf504e372ceb52819c4b797ce

SHA256
e3809b7e3a25a015cdc4be2e0d9a877748ec8f61fe37892235248e0f1b23eefa

SHA512
04e644bd147fab3f4b479dcdc7e7c829f0186a596335d0970fe774a9cfdc455b304291b6df43ca9d644bb6bd872d123590503804173d127cd1337766a3ac6011

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEQgkkkY.bat

Filesize
4B

MD5
096a43ecbf1d0effa7a7cfdbcb12d107

SHA1
553c106615ea6cdd0117093fce914757d67fa752

SHA256
9db4ef81846ac59be2cc20e2e0150cad565892aa8d73c699abb6628f6257d67f

SHA512
f55562eaa6295af1304bbb55a3e08e25d02647b4e7b2bf71272fb19bc86fcb913c3ab164671ce7ab71691ab210ea816e3ba2a7232f2878be13126e1e5c11cb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEwYIkUQ.bat

Filesize
4B

MD5
33e4222b269fa9745ba708efb30554e8

SHA1
30448dc143cecdefb64822c915c02985dd78d697

SHA256
39e812eab5ac30dbf5e9e69a15706c188b608d04abd9443c93ce58f74fdb9e61

SHA512
80891092e81997d2f05dccfd02903167adf2b6979960ef507f5c2da1429b59ebc344ea6b0036eb40459d88eab7825787657530119bfa348af6e4d88d89dbff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQcu.exe

Filesize
158KB

MD5
5ea939d761e53aad9055da68db831b3a

SHA1
49a6d8237884d8d255f66a855d871689a1d7b97b

SHA256
be415d7d275b40019978cd72efe228a2a82dce9445220245cb39fbb0f95f1c3f

SHA512
e8ef0b337d054f8de571ba910cd960f92db82d656c4fb32705d3ef5b0b7583a581878ba9bd38046a0211786cee79cc81f62d0c1bd04d5c7798daf46e96a392a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwUm.exe

Filesize
237KB

MD5
b4c3023781e99d24165bca1f054c234a

SHA1
27d17f251bc8814ccfabf8ebd1aa976a52e38993

SHA256
0e7793a24bb067311ee62e0e4b573c8669a1b91c3d34f2b4e88db3d1fe482410

SHA512
006ec9d3a3009eb908ba515324737c27d22c0c39b8e55a2c80f4f7d4744824307abd62848bfbb0aae2712aa7d014937232ef5ce44088e9d5d999f6ebd2f2aa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGEoMsIY.bat

Filesize
4B

MD5
33920c518071c4c7f0d3cfc8ab6ab288

SHA1
ae4b0dbe17bc99ee4f052215ed6fa73bf300f5f6

SHA256
f914faa8168edd9398f2e3aa020427d6cdd1b4a3d5f97afb6cad72323b3a848a

SHA512
1c56dcad3ab9d62db2d835cb77acb2837e94945befb281ce70d35079519a8401c753368ff089738bad06cbc48934c20ad8212566ba93c03e08c37c5443abc2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMUUccoY.bat

Filesize
4B

MD5
6298572858a77413832ed3e104d64a2e

SHA1
14bc9c071474b5d9b5f2d6c676c607e27fbcbe5e

SHA256
7721c231cf9d81c3eb9fb85c97b5bf5248020fea299a9ac6539a67b3b3f27ad1

SHA512
c5320e5cb58e5279e268335a696d4e54090f9a3905b6c0655719ab218946608fe4e60e85ff79d0c1a40dfc1de3fa7305a65119bb09816bf2ba3c3aba003cbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYgIMAc.bat

Filesize
4B

MD5
14238c166602af40bd031c2e57371eb0

SHA1
88d09d152b3b13d09b7739b08e3b2e1881fb619a

SHA256
716be70de4ca28895403568b749b3ca6df334c7fd4b8dfbb813806e6a6bc3745

SHA512
f1d080523c44080d0a596413e294d90e496f2759a3676b20df68bf3111484d4bb3eadb3f70151eb171c9f92b036b7b1eef107eb8132f0d7e7e7a0c62eb73c548

Download Submit
C:\Users\Admin\AppData\Local\Temp\EowI.exe

Filesize
158KB

MD5
18ba3df7dd824f396a94ce947b8336e7

SHA1
a43060bdb4a3f5705e126ec5775f0e9e43184eff

SHA256
6ff32411f536c822e3437c281e3a616a7324c9c5c4de7947cb9515cb594c7537

SHA512
82d5e402833a3e88867a8d7791c1775584027dfed1d4d303db67c418d5b65da4d3c7fb77789376e97d10dca6fa02ce464c40eecb41b4b829d1ead5b721bb6318

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEES.exe

Filesize
870KB

MD5
2368ab560de16c19db42bc5fe56b7ada

SHA1
33c33f39fca2b11c6296015946c94b532519cf62

SHA256
49d4b116af44f7d31f430f6e9a3b060acbb8c7807d10f97a47298233e34b067f

SHA512
35e28d6ab89482519b63a65993a7df14f0af61da3c0d4477a9fc480bc88711ab32f3f6052276d40c5faa51148a3bd9c8a56b6213e869c45f2265e299c38b67db

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgEW.exe

Filesize
158KB

MD5
0e7f9bcd040c066f2e9165af2fb49716

SHA1
95b342e607c1a117d4005adeebee434d8ba9b42e

SHA256
6f00b516856f6d29388ebe99c0675305b3959572f50c28a2d45c6b4551409dee

SHA512
1d5b37461618b09164a699b383fbb34fc6b43c4674a05206ea34204a22b12052f031ddc3bba9a421345ded56acee0e0b58c4d5ab5ad20cd5e9394c9032dcef5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsII.exe

Filesize
717KB

MD5
9dc7e8ae344b70e29a9231ec35c6950b

SHA1
cd92c5e3ac6ffec993b8aeff638f08ccd9da5a87

SHA256
809d0b8ca0f2e7758729f3018943bcb0fbb3076e55b195712c0ca45ec9536358

SHA512
60081466f4c3490223650a33459d7fe402031556f2cb9b6d15684262ba192fc1fc832b4b76f14f5620e0f5b745b142970e0507c25522e526f8b1f61dc6f33579

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIsIkEUg.bat

Filesize
4B

MD5
14d5516bb052bada58e8783b29e0b45f

SHA1
b8e8de10e7d8a57f444d390bd81a528718fb89dd

SHA256
3c0f4a40010f5bd75dbced69f1ba0d25d42a1ab347a600c3b1d2950358cff40a

SHA512
1754d7885bbbb82c38b0a0b225ee8f4b95ee19e55d12396128c0fc905fa3230e0bae998a2a00e8dc5388ee2769ae17e63f0eff1c9518b40b8b52ee53ede24dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwwkEsEs.bat

Filesize
4B

MD5
2029c8fcc03638a9fb6df126e1c85268

SHA1
c10028dc9a18eac036fe0c41acbe94d2ec6d6f4c

SHA256
d2ad802e17ebe2f467df28d9595758b7710f8a5158d43f03e99316ea49731762

SHA512
3c600f23ddbde09ada11e95961f62242319b25961d69f6d2fede9c9297962ab0c8c829a8639793ffce5bd0c9eaf6c4fe7472ba7803e6361f59fd4cfcc8556295

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCwoYkMg.bat

Filesize
4B

MD5
31f2b1449f90889581c540813839675a

SHA1
5a54596aec76ba0652172cddd783464287b3dc66

SHA256
b56d7d5ca5af6146a36d332646153ef4c597e5fa4940a7f223c80cb247ab1917

SHA512
a66891c0b6b50b5a6e024041da98457129dfab3e909e60bd2e217c3ba801b4072e8a95117467f40b302b06b7afa7dc9e927b588b444a8390a4e28e7c161bd519

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsIU.exe

Filesize
160KB

MD5
31d01839c492044be8984b84249ba487

SHA1
ca1d86a0bfd0fde755403c8de8e6509858a9e430

SHA256
15e895b308b50083835bf0386e1133d463860cc53cf13aaae12cef33428d9966

SHA512
d666a56e87e5f548c051f7f48c96dd113d5bc35dbb012fd39254d84b91e5777be093067947c6959ae4364605d14f11d611e8fc805124af48873538a441459953

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEEgMEIE.bat

Filesize
4B

MD5
08792938a61383304df39c66adb3c031

SHA1
3c899618ad68583a3c726b5d87ef6c813e0a782f

SHA256
81850151339d028d09f0d2ceda151d2895bbba4a878914b58f7ba48a6f0520ab

SHA512
c080c1b22a749c80dd4e943e18b39864131319bc83d3da834de1f39dbfda26547e7170ccb0f2b51de9f7e6bf2ac3f18c5bd1eb318f815e731fe0e689cbe19d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKIwQQoY.bat

Filesize
4B

MD5
3dcbd5693f6e5a623b4f8f4083eb4bf2

SHA1
78eb23cd18103f6dd82cb3e1ec9815b9120891fa

SHA256
45d2e81b6f678d1aee7f83d1537659051ae5841d07fdb5400e9d51f4e9d491b5

SHA512
2250582ac7f10e730ddf5f4e456453226be096028d2baeeca06e511027ab3ad31b7bc0f4b66bfdd2430d5a0e54efafaacd9065ebef777662a422250f0ba31c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgEc.exe

Filesize
160KB

MD5
b08fd5cdf12ab63ba02b8c72fd9c94db

SHA1
7dedf105827b4e6b35c35773c03c40567f1c786c

SHA256
0fc586321c7f26f0df5903ea51a027751dac33f78566f974fca5984cb28bc5d0

SHA512
6e8ef80328358a70d63f9166b51f55b4c4ea008fe257839d9154bbcf7cbcddf04b28163d28442e553cae900810962f1ab2f6ed54c33b7d6a1471b967b0248f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgUE.exe

Filesize
138KB

MD5
b791f3fe7ec1a9d379f741274e128662

SHA1
4a7227488f1ade2efe2c72f967b3ed93cd0e02c1

SHA256
3dd37424c95ce7bf4f1460fee924457cbf067334fcbe21d3fbbb27eee4efc29b

SHA512
9e8c10990ed6e04387292c367a339e95a0267fb38c17bc42c3bc3475a86266862a952152295c1b7be055be3e0ce1833ffbc95053a47a26d101059df73f711cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImcogMkg.bat

Filesize
4B

MD5
ecd14004bed0ec6b67c499f853e2a08b

SHA1
a67926364b4f9933f0d6b3378cbfa5914028c082

SHA256
3291bee79ebc3b5a3519cf4f748bdd8a3813db06368ce2a746f0aa2448bbdf99

SHA512
345ae4533a9a23e1d3d6a0f893a1389b1e55cc61b696a90b8bf3e3d16cda8293be59dcab96a87d3dcd86f94f1119b1350bd2f8cc6818f0ee4b01eab6d2b1df41

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEsO.exe

Filesize
4.7MB

MD5
1ddc583639efa620a7ca5c5e973b4fb2

SHA1
ce0ffb9a84d8d2d04d732fe385fa3dca9bb4b98b

SHA256
18b4350f2ed1425e1324e2e8f350bc04033d956fb771484db73551cd6edc0437

SHA512
9cdafd81d32bebdab99830308b1f2b5e6b52e1a9c51e6f32f5f7ee40f50d7935803be7997500a90d0be30c15c163cc253c0400f01725b74f6de930aefdc7a38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JsggIQQg.bat

Filesize
4B

MD5
2336db399576f14b200afe014a109173

SHA1
24df26b4e6180d977539c4bf29f9ace30bb980b3

SHA256
4930b7bf0ce031c7a3eb22e600fa344ce3490f2168ed2511d06ef3c68c6969f7

SHA512
d445f45e502c8112e6e4240d14b069232f8f8f4430b2694ab9e79e8ec75de8a3122b1d9bfe57cb2941449e833c3b754299fece25a0041046cb296f507094eb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwYIcsYU.bat

Filesize
4B

MD5
c3d337f7803cbba3393143e5aa7c687f

SHA1
321fcdbca19675706bd4ba9338d4a538fa62a2cb

SHA256
f4a041f13852f3c79ed01868da8c5a16cb0cb45c3e2ff5af1d6e663388531363

SHA512
ad9ac1f832fa149cba84f4e5efa765283658a54b303d7b020e3b36fbbeb8588938c0d209dc6bb9dd6cf0ee2e165ab4c97110e4f216f3a40e6351e532043d6030

Download Submit
C:\Users\Admin\AppData\Local\Temp\JyIgUcws.bat

Filesize
4B

MD5
31e44ae56b0ef2c969436da626ffd324

SHA1
ba97136f2e63a729edf623a6faeb21030d5a4ed6

SHA256
96aefeff598f6175fd905dda217d8ef5edf2e50b2636e26c628f4e03a43aeba6

SHA512
4eff1ebad6f67b32693a8728c7d428e7c76217ac2390901353750c5e152e25b055e7f3f8b2476cd09b5423bb5c899499dc7c3ef6ee26815b97fc527634ae1cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQI.exe

Filesize
159KB

MD5
887b66edee8f5cff078853c742e9c9a8

SHA1
5d425d2d3f30dcb0d294b056598f543998acf0f2

SHA256
78bb758b6fcc466137f6ea1ca4908e4fa9eb918218757b237a5d93631ca2371c

SHA512
31fcecf0bad52ac945afa4fa018557a4ee46e872bcb40a0e23b984b937e5fef8b396cd69730c19278c18830668feb08d3fe7c8975cb052faf5b1784d54649675

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcwE.exe

Filesize
158KB

MD5
b60896297ddcd726bbbb8e58ea0d92cd

SHA1
f9ab0b9f02891e3fa6a271883373dbff64bdaa0a

SHA256
b27da03788126fde97b31051efcce0a7dfaa62d101d931d691490d08d0d83506

SHA512
e06ec3c85c1eff94abf3aea592c989226445dde0eb4e3bb697aa203a398645afbb1f4230b6e27c7d0f2e19753aba5e2200d4acec914a50d211996386e812fe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgkC.exe

Filesize
526KB

MD5
65c0405cdfd92c6f3573a05c3ce5c853

SHA1
200aaf3122b64cc5686b5107398043df8d2b5cb9

SHA256
fc66a27b888f9b47bd635fe3e5d983d7063faada7f0b19689710ec62bf3ad8ec

SHA512
32d59f1733cddf005fc52b0fdd4a869c3ec3d5583adadba8d72ed825865524bb6b43beba86bff3ef0a01578706863657e8a535905689743e1c3d55f71d42dd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsEk.exe

Filesize
601KB

MD5
543443ca1702384fda6c66a8a186bf4a

SHA1
5c3de225bb9fdecc010c42cbb08dfe771908ecbe

SHA256
82c3170c85be9c13e7f20f0bd64395e55bb362592ebc43b9c5798b66d8727776

SHA512
6454eb1ca74446c86fa515fc04d7127ae79d6bab982524ff0e22cd584142d1dccbf6835409ef937450016d7a352b44a77a02f029ee7971df918432b099eb912b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIYG.exe

Filesize
157KB

MD5
87884fbf3dc6eb32067287ea2f92069e

SHA1
66e259b625763351539331c16b13ad3f1ed30707

SHA256
87861c3d2b51e86b99db3b3c591981a45fe6d3bb3a06a49a522a32d607e1d885

SHA512
4dc9e100714a1e72efb2b7fcb7655372f1b739d152d8ebef0be9509ac566389ead16449b222ebbdc3f95d78d2f633e0e1ee7a1d9ddb50d07e25f89191e0cbc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQsK.exe

Filesize
157KB

MD5
ad66fe6efdb3a96014bff06a616179cb

SHA1
808ece95968a5fd3c5e0401c7977723e8a77c383

SHA256
ae308d19647434e24bffd6281022002090d26291dcd462f90a4d03ea874b175e

SHA512
c94cda2a58dc3a46c996b193b930b296fdf65761d455bd0d702717f2e3ba9041b21e489791595e23d93a0a755f255e8a523ae9a867a4b1fe6b9740740cbf5b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgkY.exe

Filesize
156KB

MD5
fbd6e00e5f899e6a2602417fc5a7bec8

SHA1
3744461c6eaa32e789596817435576439d08b03c

SHA256
fd93641b5c37cd550b472e2b6c2781870315fcc2fe60bfd6ad8bc5ef2f5d9b02

SHA512
302c6f50150929fa8e8c2061000adc1fad258ac452cb56b873a5b95116d3b4ec2cbf115d5820ebb5b4d25d448d72b763d500d679e03bd56066f893d04b743290

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGcIkUgs.bat

Filesize
4B

MD5
0783baf50ed6f321064744ed3a14a11d

SHA1
522df759317d7636dedb4ca4f91b807a664cd304

SHA256
82675b48d1ae13558b5fd1f3ceeee6a5484cc289b6a8abb01211d0d004e7d708

SHA512
781c3c9db038487a934ca7aa8b1542d302384982e782247af3b5dab249eabfa09e7ec65ed97428a00983319667c9893b9117e2fdb1d139d71a0fbc42a74fc8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQwMUUkE.bat

Filesize
4B

MD5
77c53ad7f4522b99d8171bc12368ef42

SHA1
e952186765edd91dd58994c2876eb409407b29cd

SHA256
42d867042b163db5b840830d43119dbf16bbcd841c4a5371e7489f132a8e8071

SHA512
eca2d40a567486fefc5a14bd89e705d979d67ce2e95864807d9f7b5e5cdee433677e6ec4505e32b79e3546f42a3284321944ed262ebc141dd6dae5189f2e17cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMu.exe

Filesize
350KB

MD5
6c7e7f5f1bf066fc3879162b17893a1d

SHA1
4b26ca4661433ebda187eb29c36d04b546564190

SHA256
f596c75369c2dfe3430605a2cdd1c37516a348d1e1ed659b54d6ce0fbfc3055f

SHA512
6e0f2dc37fc3cd01757bddebda21d38835d5a42ff60dd38c14c17aaec4ef4f13d51ab3dda109e0558562c00ef11904e72a837f39ecffe61a7d86a0ceaf0b851e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAMA.exe

Filesize
159KB

MD5
cb7edf92dc30d3815022214e61a78d2d

SHA1
6883814c247d91dc6ca94a763485abc98ee22251

SHA256
25c96977aabf5b0406f184a9de713ead3c470c54c46f6d0139964f8fc45c1813

SHA512
1e77a8e6bdc061c45b6c765fef6b43f86428cf1271fc8e74f00f39b05abaf9cc0b148d75a5b4f4b6bf660d6ebf0015584de162713f36f72d348d66d11ae31a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ncwy.exe

Filesize
157KB

MD5
2f0465bf2e36d66ffaecc3ef6fb56027

SHA1
b6b94670e1f69f33fd280096739e71e1c45d8a8a

SHA256
2b9285fa7c748be22a7e8259f22bc4a01d7174549e67db3db9cbe3caf4e5821e

SHA512
1f422c92a92954b83df4d3b478b7222f59b3cf9e2e237c9d94f1e84588de52ead2e3f468e9699b0c3f5f2d8e6c62430aefb686406282d1a1f68ba4b574904572

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAIq.exe

Filesize
4.0MB

MD5
20604e1bf7a0041b4c536af6ad67c48f

SHA1
c20e779757a4b52db33f710802cba2b3d4fb8689

SHA256
8a2b5bd79fcb4bffccc8f2ae551f7bee73fc616093c4d2b370872d968e90fccd

SHA512
e80b06e29fce4f9d0d406c7507e0b90b10d18a193c15b5085596a78d6ae5527ce88af7d812489ceb7a617fe33878f297ecc83e14897b10cf2f6026e6054a3818

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwsC.exe

Filesize
158KB

MD5
861ec7052e17a3b8b5068584c7594063

SHA1
477ef1c2ea9a5bd9905ee52caabc489389eebf8c

SHA256
765a6222ba8d2964b1f5bee1d014b74344b356d4923ff4337ea2ac052d99b0e1

SHA512
a9d9b8b588595c1ee30b37fd3d4c8de8db4077b34fc411a1a1e2e704baeb430f897f3e1f0cb7fcd7b874276ebd8940b9559839bd378c1bde055521b232871aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaEAYYcM.bat

Filesize
4B

MD5
3bef440fa988347bd059550827646ca5

SHA1
eada2a0b570c5f6159a74d6f06ea4fc85cf077b4

SHA256
6913dbe01666f973cd75285b708e0bb791a9d29ca57a63c7024ed8309c451d29

SHA512
0d5bf3e969706a8ed0adc2d67b16b30ce8ef461368eb2f4c168ffea0a291569e40f8c1980167d96bd050d93a9a501a9c252a7a065ea600f36289ec1e5c7232c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIi.exe

Filesize
158KB

MD5
7de7dd45d2cbc828f38d237aafaaddd4

SHA1
0aa55bd422e5848071b4cb85b97fcd54ad435148

SHA256
8710aee6fecc653f8b0d4b34eb91c9c8186ab7d9108c5bf2a9fdddf48fe83064

SHA512
613e64127a70b5a8886341c64875559f39334712185c6e9623e6d1132a5eade01409ca09a557b094402e2f341c55c5448f4e8b519e11fe31487fcb29359e9ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QccY.exe

Filesize
152KB

MD5
e1aefff50f245db2cfc286ee9df4cb43

SHA1
81b78aa73cdb87921d245211cac2f87a302e4174

SHA256
bfdd3f07991a307f095ffafb6f7d1b45ed1565bdc4519d91c5f15972cf869173

SHA512
c56030a5843b4c1c1633e1149bd0195ce39ab67fac4cb075db729eb698807fbd9dcfb805766e23f4c6c973cd10383d1508725dfb60c9027c10627710eaea0958

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkwC.exe

Filesize
159KB

MD5
3b40fd7ddff9b14288f057a11003ace8

SHA1
3321a9a60066f5a7937300d6e688b5bcd21f0c6f

SHA256
0ee4c86956926d87e1232c8ce1c7bc9702f001b561ef270829b2425905fc5d96

SHA512
8e1edb613c62f60f3a6a9edc8de9554e6065e5672b83d2d509197d9ddc0fcd0b67ee1d801fabbfb86a7d630e83caa01a150bd794fd5ac23322650caca2ba55b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoEK.exe

Filesize
139KB

MD5
4a329b59914e25194a5cafc5007dd948

SHA1
176de75618bbed292d717a724d7b11f70376fab7

SHA256
e4cef0cc7a0aa1ea5e4c6d1c6ff915c7083829b54571646192b6166993f15445

SHA512
74909523c21464837001d4b63cbfd1b7323b65d3576ad4e5e6f3265ac96278c3332f96bbac40b2608b12203bd39f1a4ab653b885aa2f03fd0be486f552f5b01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgUM.exe

Filesize
237KB

MD5
f95647f4eac799c898da6d02f86ed473

SHA1
1bd5d6de8374fc72764f2d50d1486209ac870049

SHA256
df67a7e9ff6efaa32aa09ac59a848646b15dcb571641be6d8e3d812d57b842f7

SHA512
04b3a19dddba9322c32c30faea5048281a18163e0a538c707f5356fc15b7f6efeaeb03ccd06d4139446350714d4609c874ccb9fa77b759cd458e79b12a1f9c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgsS.exe

Filesize
1.2MB

MD5
45ce3ca3754244503753a84c033075a4

SHA1
6ec76658e36bf42ffd51afd55d1a1d6204e4499c

SHA256
1d6b855ec29112f20c97c983341c010ba63f58a094ba675f43e740b3f4ccd284

SHA512
082da0c34cd33767288f81646ff5628543414032aca700f0b381dac0139d51e0283c1d4c46bbe0d69a8bce64d30553b704be33b250903a76ffc444337031d3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsQM.exe

Filesize
157KB

MD5
70c231d737568631ee11a7525fa7eb61

SHA1
b6e49b4421587e59cb292b135a0fafa5935a8e33

SHA256
b206cff3c9448d0b64c08629665d7157935eaa48380c50b26ed966c9731ad7b1

SHA512
dc2e09c975f6461510e09f2e81a0f3c7ba86a5244322d089bee3b2ddbe1680f7730325071c1985a9b22601d61cc68bc1c106c6867e0b47b3f1e9b8e65fdda17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsUm.exe

Filesize
744KB

MD5
70640e2aa7f4a118672501f1eba3323e

SHA1
70b73354e92a26f31368693fee8c34be86d27a5f

SHA256
44dcae269c81774293a125d8676ab059a2460d7a7a7039d6281ed6163e4d3d27

SHA512
6701739323c2ef209b9c108f4a1bc15ad29fa8adcb0c60959d13480095ba1ed66433a908dcbf18c9e599042a3bd9beeec730cf3b9cd32a90c68011de31870515

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMUe.exe

Filesize
158KB

MD5
019971f5fcb0ffecbd15cb8d11b6b0d8

SHA1
5d205e15d40a59455988abc8137705fb4d2cddb1

SHA256
ef748d309c1515f4ca100f4d5ad5dc93e8df54a9af6a20007b3121da5e51f367

SHA512
31f26a41dd70e0fd19993577fea0212b84bdd80ddc04ed28b7bdb5e251d4d40fc82fcd7aa6cef9638141ffbd51130378e425841f8cd489922c160d6338822781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skoo.exe

Filesize
158KB

MD5
c505116ef3869494987d60f7f282625c

SHA1
6a9d30c110c4576a2de274997da6b238160d5996

SHA256
c5bf8927c63b12182275193b7363ac66ea33476a1499c2a5c0f263575be2e835

SHA512
69a94a176c30cbb6073f04e3e8bf2bdaad4d1f272703e612502741c101974acae056804492386db3f802124eef94b27b5e535afb48d99df5b68747231483d550

Download Submit
C:\Users\Admin\AppData\Local\Temp\SucQwwwo.bat

Filesize
4B

MD5
f032b9ab84beda6054ef0717ad7b1b12

SHA1
396a45d449b288e5e18dbce85217ea96e692edb3

SHA256
0923b1023615031a04561ccad0e588c2887f62089913c17d6ed38668917a0d80

SHA512
93270bcd778a61bd6f68c66c19fb440b62eb1d5760471be8d9866649d54d9506bbdad4490ea99088aa46a5c68ac0b1b4634608ec824d67ed328c4ede5908f3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQAY.exe

Filesize
134KB

MD5
e4647242cab3b93029a8100dd2fb84bd

SHA1
8ea0f0b5604092581d3ab455916737b7ba05b0cd

SHA256
0f2af7fd4bd00495037f5006f9d2bd7854e0585b9aab3f7d5eea91a3c4d54f59

SHA512
d6cc6d8b5a3736440f86b285ad311bd91345eba934351807576e0faf13fe51a2e253ec49f4897a04c5dd7086864b688aff299e0a83363c81f5e5db6da848bce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQoA.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUwO.exe

Filesize
158KB

MD5
fd97830b2ea7485e71d13427cf36cc44

SHA1
f58985886c601cfb4b0b24c2300bc461f0213c92

SHA256
04951e45496f661d0dc0482c06a7e4ee419a33b58068f234d947443614dfbf37

SHA512
b9e0098fea084c6c608b1b14eb4dd390dfb7b6d9a2439f80ce5d0bd138feb34678bc8004ad2e599fc3d161ba766658c85276527a9261c7f2f33696bb792f7b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgUe.exe

Filesize
160KB

MD5
44329442acef1d733ccd4e91d0f9b2e2

SHA1
61227253eb2226730ae91d25bcbd0134f906222d

SHA256
6a263296a5b3086a5ed6376df18408f2287a897d60b88e6ac9d3adab246bb39c

SHA512
dbf624b54e982334b732e618889e6cccb8203ee2da95ee51479c34f781b5df9a1bf0e0973783978e8d140621f8e584eea77cecf2e9dd631d7e0459499b563154

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsEu.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAQg.exe

Filesize
157KB

MD5
68278709eba46a6cf762378e548ebba4

SHA1
bf4b34adf6502ae17ffd76bbe0e836a5255aa390

SHA256
9af4f886df11edad808b42894e3e2dc544b7d1ba9e4a0d7e2ef41f93da5e88a6

SHA512
974faf6511f8a767ae674c804859f381391970256d6d700b4ed9d66cc5418e473093008757ce608838cb23db287d8d99836acfe9d918dc21a0757989829fdbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEssQYEA.bat

Filesize
4B

MD5
2683e479ef5a3012476579d0a0d21b4e

SHA1
28df34f5bb5845e114bb5cda207f052b635a2b58

SHA256
375d405deb9fa5cf61653dd164b7a23e07d51ad4faeaad6bd654e4819b69e3ca

SHA512
699516c86c886f223b99804ff952aa049645b4b21fb4b3e14dad1d3bc91a35c8274e64306feb4ca0f6226b8251b4391d46f5a02b62ff0d8e2fcb4479c2f43991

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgcUIsY.bat

Filesize
4B

MD5
d511767e10592f1e60f9340b4432a8e1

SHA1
0ab409e5c5e89a98764a251c58058a06ad79d1d6

SHA256
3bc33560cf4353b3940949a18e0dbef52467f2678c00d5b77fc5d1d91c1670f9

SHA512
930f2e17015ae1b3f9f33c336144b1705abef8e8f5c09391f12ed6db970f44b233dd7ced4e79ae4272df22c923ae9a69c5cf9dc892feaa203ca73b978b0a36c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMEi.exe

Filesize
157KB

MD5
3c169ead2e5af1504e6c38c256116f19

SHA1
9d3aa4100fbd78ad408f6b87f67eb1be4d4e4e25

SHA256
8d77f7b873c6b4b4e7063c07a50762a406e679b58fec62bc37832588f6ef8f12

SHA512
2179911c47c220fc355dbb3281b42490dc794992e182dfd1be87597d7b6278ffa7b469c92dc09cacf2a76b49b92c605705d6c06fbfcbe00e01d58fe7f2239dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgIW.exe

Filesize
154KB

MD5
fad5ae3c8655fb71d773e33cc14e32e8

SHA1
43139c5328cba25593304689c3a67048a066d430

SHA256
e778c2e38a1b763225b95a71ce37e3625e6c9c403b9a74f3837cbebfc38e5700

SHA512
d2b004f6bc0ca8b73f17feb098650b72b233e78a594a19fb24eebd3e3e0a03c4ca43603d934fbbd3608f318a44f97cf868b6016dbbd66c47658f76c167c89580

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkoA.exe

Filesize
158KB

MD5
5342d335550e2b4c182401c20f9875d5

SHA1
31bdd0d4473ea96d7d4e3876bdf6afe8652b7d26

SHA256
d47b0beadc16838510e9012b87c1eba38e58a00f1e54265f61ac043998fdb4e5

SHA512
83308d0b30105b1848841d5bf452d0f193a01095685c0751f0ed2d3d2b68311f0882438a6b96438c60ec67eebbae4ab9c9028f22b5680860b8344d9f0f04337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoEq.exe

Filesize
354KB

MD5
4239db6cc5ced1ad0fcf2b3b9df56852

SHA1
2605a42ff9af7c04f1c6152d82c5e583a4a41c11

SHA256
8d9a4baf153793f498011ae5672001ea838d35ae2bd1dd205ce46e41f26d389d

SHA512
0c73cd0ad367949da05c669281e356b4ed91e2ab2fbfd11fa1cb09ad39227ff2ed46fdd06f49c70ba1860e608eb3664511ae4f4bf237637396cd2b00e3d6c732

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSQsoEEM.bat

Filesize
4B

MD5
5bd894bc0db469dabcb79484bc307230

SHA1
fc30cc870451ecd4137b8ec019985d083378ee3e

SHA256
f59df3fd71cf81a0ce1aeb07ae06474a7b1ec5bdfc09f8e57dfde6a82b699597

SHA512
799a2f97cf2b19b087dc440ddca89fdb6e7928a9b71a8fecfbc2e7779f8a854b4796caf9eec1f6ca118f523f533ba8ef9d6aef41982c0709d801d8087696e1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeEoYIQQ.bat

Filesize
4B

MD5
1d287b4eee9fbd104c49e0c77c73e2d0

SHA1
9667d42e4c659b57b0087efd3c310b023d35d352

SHA256
22d4afbfb519f69518e0e5da8e191c958c395b60d49d41046683bf0422f988fc

SHA512
7dd3a30d3084182aab1701da8faab4ae924c4e3eb1664b92e89bbadac6ccd79be9a720c14640d9fae5476c56de1fd671eb56efd96990b82dc847fe3771f9d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeIoMoAQ.bat

Filesize
4B

MD5
d92364a97522c0f6a3f2fad9e0338733

SHA1
1f887a8cbf5328f9d863a5a35f8cde7a9e129cb2

SHA256
1720f4d4e20a2963a939145e52155fb75402d24e8576638e2ca56a3391e6fef8

SHA512
2a89e82b9625b974e34443b85f8f979ac19b52c62e80207a7ac822e9b5b4cd03973005e2d2921d82c721d98feaee1fd2df278e175e5ea46f3ed990fb4936ab42

Download Submit
C:\Users\Admin\AppData\Local\Temp\XscEAsMI.bat

Filesize
4B

MD5
04be6a246f2dbade1cee5a9a94528fb2

SHA1
9943123df08d21db1dee7cd9b95dbe6abadc9f33

SHA256
cdb6befc3f22ac63883cfd2953e5aa96f7228e26b7407d945b13ba56046af65b

SHA512
56111957feb19ead776e721d31bb7933249a9b090c77f22f1300886858e834547cc88107c7c7d78cf9d89674da9ab53420ccc6fe93d3131c7b1baed8cfa6d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEYsAQoU.bat

Filesize
4B

MD5
66cd988cd9d3106d5ceff116a4e339ba

SHA1
92667f48b22365402254a981ccfe2b3737826944

SHA256
26a0a21733bcbd24279d40af4b48b395f04d7b2c46cda14d17a0a3cf0ba7ed21

SHA512
5da9df4215608c3fa4a6a909d566d93fed9d6318f27a51e2e6cf001e04a012b136bf780842f7652ecfaea677720353bfa420c19eea36b11a58f02f2b5f752f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGYkcUkI.bat

Filesize
4B

MD5
9076da66638fe293fc00293361981f83

SHA1
8a0ad39eaa6b0d922d08664c13bdbca6a6e1efb8

SHA256
2786ec76f197d4aacd38859d50f2dc303cd573dd98a5567259feda483a4a991c

SHA512
7f017d3aaa8d705ab492c89234a795e333c694de0def4c3d2b6ebaa936bf19cbe929bd75742541daf9cb69edb26b775fee3a39d08952ea73db12f286285cce5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMi.exe

Filesize
158KB

MD5
2c490a49bbd5eaefdff2945631277021

SHA1
0c0fc3aacfc08ed57cf25ab0f7de7aa5219fce59

SHA256
e74cb93fe087d23eac2e1ce2153b22b104c8714d437375792050298b70eff77c

SHA512
21cf28c1c4c9f41a6ddf8986eff962129011632ab5e0a9a89ec57471ac349c0157ddd85744256f085502cd41e34861573e08ee032da4f36dce3de796e4ffd8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZaIUckAM.bat

Filesize
4B

MD5
9df269e5c9127f09ca5c742c7691c3aa

SHA1
78eaf1ba73c9e9a656261a71084c75054bbeeb3a

SHA256
3293ae3ff802b945406c4d06892decab9a6cdd5dc26d49ded206330cba3717cd

SHA512
bcb2cbc2912389023a40adcea5a03dc7fedf953d1427e40a2ff98ad4b838e3ac7e3eb6c5a5a489ddbf0cc4194fe9d85d5672195044dd3458bbc8d7ea5ea45726

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZccK.exe

Filesize
160KB

MD5
8677527c9c8cf46a89b2523e2003ec8c

SHA1
0859b43a9857ee0918b6d5fd3f684673612cf49c

SHA256
97ede41efa2fc644d81a3e9db77139e67f3c112f7a0e0315f98886f4df86b5c8

SHA512
5920a0ecb05e3c4037b2f57b8f029669f0b83afa60d19e5136c9f47c9bd5ce6560feedc5722214f95e90ae837a8abd10225ffd2b332bf29523a68fa6e77a461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmcsksEM.bat

Filesize
4B

MD5
cc63510f19a1bc22fb91756df9a49ca4

SHA1
293b298080543ff40d1e81e6640c3890a5730d46

SHA256
479c983598900baf4f881246b3ac8270e32174b527e3384ffc5fdff0cd770a24

SHA512
99d37bb1c4497d2bdc37ab0fb968f65e2d78968de52107aad8068675caf5416a8b1580d5ab088b42cbcf81a1ab6fa94284bf3f4a05b3807ee96e810efcc26d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zocm.exe

Filesize
157KB

MD5
1427a33e7f544acf40ce338d7a9d2435

SHA1
68f325e4da6a6553dd308254263aaa5a46a1a4e2

SHA256
a9385253258a567803115d3db9201d9412804b777b2e16a86551093c82b558ed

SHA512
12a0403f6bc31e699b65192dbc234cb58cbf04863d8da24c234222d24b0ee8122cf4d46079636fb2b758f592116ff7c321553c021ba5a28ea084e0d06a5fc1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyYAwEEA.bat

Filesize
4B

MD5
0199de72961b22698d8bdcd2ba21c0b0

SHA1
aff64b6993c93ba844764129d534451538fb85b1

SHA256
66153f8cc9feecd236f281b9f10c8bc0a7a35aa444edbdcf2313d963bf0d8753

SHA512
331d73b963e245b08c891ccce677acd378059320865c8d0d5dad70b666975924a0441a823706ad740cb636c280c34188629a58334a32876c70bb63a8795ff360

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgq.exe

Filesize
158KB

MD5
7a43cb3d336845957bc9ff9feb17af84

SHA1
7b9dbf54f70d998f87170ce983635251f2392422

SHA256
6d62816a653069cb68d95317413b7c162d5492f6c3d0acc932ec9afc6f2abab5

SHA512
6f6863e1f7cefa0d91ab08724e43a72f265c9bab189a7b57b9e94e049fdb9ee3c4551a21643c450d6adbfb0651c48326bd74d23e8f24acfcc58f8d2f6f2ec526

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUUg.exe

Filesize
744KB

MD5
84029202954bca76596f2378289786dc

SHA1
8d131232fd2153c7b54f15ff80075c43bb03cf8f

SHA256
cd232da6faaeb8e70a0537892c41fd9e99788776fae203f5559f06e4f0940852

SHA512
9bf0bb2555d744324fabb831cd7645958ad0811719e77c73d815c9367f44df660e62c67ba5a5eab7541cbaf44b7322f9a4b3b3f4f1bb7d95b6364cbb3c4259c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\buAYkMkc.bat

Filesize
4B

MD5
9d5c3be92b01e52a3510b9000d562e26

SHA1
e54d525f607d0a1cd519c89676425961717a83c6

SHA256
8e42e5016cf3bdcd22e747f7e3eba01c7380541da0e87e39262f592ef8dfe86d

SHA512
3ad75e92b6d292cbe974310c603ee64170f9fbaa734606bd563f2ae20ed0a95ddf0d6a2a6350f704c3778f30ac75680fa156fad19eaccc89c5a7e3f8f305df12

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwcK.exe

Filesize
159KB

MD5
16e6afbcdf015ae41b75814d5efcde18

SHA1
4a66c7de34b2f315ff2fd83727c18fea47486991

SHA256
729003da4061926066df7ea2401e45d6f9e4e437a3aae2f9bbd06c35d5b571c1

SHA512
6d73fadbb627af86392e623494c7ee65db5d02c2bd33feaad8832d596322ed6127cf8030ec9e2c81339159578810d77c9faa77aa1ac12bf5d7330a5ee54b9a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUYoEgoo.bat

Filesize
4B

MD5
19da16142e5b0e3890e0053a0614d0aa

SHA1
b1a9fe95bec9790e479ca58538eb3e958c3c891c

SHA256
bf852141d22da567747b46ef50f67a5b0ca61c1ad166e327311ef54ce9e32521

SHA512
26317bbb62a4e29bbc72fe6b60c7879c35ad05bfc3409fb7d813be55c363a09d9a96b9367c9ad6c646d64cf49dcfc38e8e20dda5cf070d6791bb30aa272381cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYcQ.exe

Filesize
538KB

MD5
65d74edacb4560c11a5ca2dd0725a97a

SHA1
fd557281b174ad0721a9b664fa8799ccd532333c

SHA256
df8fbd028f60817c77b11b4d84800e13373586e7395fa164d5e6834d40e52875

SHA512
cc50efa03385f5adcc5312724ed9b672c48457eb6726b92a2184d81a5fa4f0437626184785e99b5d95a7184bd4cde4b4fb7d82782e772a354264a45b896ec26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAMe.exe

Filesize
158KB

MD5
85e9f957a82ca12d051332c5c9a2f601

SHA1
aaf183fae58d41d535af18a1bcc03d4a5ce66d13

SHA256
6492de467010cd47c3846b2f49b5b774cbbfa9be67a4ff48dc854d29ab8c07f2

SHA512
1fa3b4ef2ffa06b5027763f08522ef82713b5c9421333bbca7ae8ad8614e097448290d47026b4bb1b55762976dd8a1b66243119a2e8e76a56f238d7cd2ef8035

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAYc.exe

Filesize
693KB

MD5
1080f435274d30efb384f41f13bdd899

SHA1
a0f8ab2693c911579757db08f168731bd60c9ebe

SHA256
4b9e9d936050e610b17a4e5838662bf38547e5c7cfe5350db8fde0b58c04a120

SHA512
bb7e368da05a560b8d257a4be0f3e133117f2c86074e5d8c6aa1ba4b2cd4909ef8c9cf1cbcbc8ae895c0e0665ba303a67782ce4488a10f99ab5e45383f5ba86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\daMQMUMU.bat

Filesize
4B

MD5
468753dd4bdaa7e28ac496d08c8fe9cb

SHA1
e778457dff94a819c2ffe5dd52f8e73ffc478eb5

SHA256
191892866431152a8d6d1d549403dbdec2a355d8c0145865b22e1b16a975648d

SHA512
aa333997296739679ef2aedb532817b99cd5ab85217ca7ead388e6a23e119ea121b6eb50cd6f8c06a02260b5da23496dcf0a57d6aec2c19552d3ab405ab3314f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcEY.exe

Filesize
971KB

MD5
bf9a0cd20f6db75ff5d0841cb48eb3f2

SHA1
4c63ce7469bb2071300b6b70e076e5b396f91c09

SHA256
33dc247b0270077a4fb34913bd809392f10dfecca1ff1687bbcbc72dc08f80c8

SHA512
a825da0945943cbd0fc4da8cef756be336866134c1c2be42acaacfc0662aaa1a3c844d9b303e2c06fd577ff3969deb01e8bcdb369196d39648b745cf45a102a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgce.exe

Filesize
342KB

MD5
7976055b7b2d50691473cd08616ba771

SHA1
8304ad593d7939a9b90aa40073d4c3f931b00096

SHA256
3c3dfe2b52808f3fc70aef52a29baa6ede79581b5e664a4157212e7450178984

SHA512
6b9ab8695de3ee496db59c99209b1032006af53ed7f3d9d36a74ddcd2bc070d43bdc401ead183d76694725bb170b4237d0d799fc4fbab2c4c91ceee6c1a9a99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmkUosws.bat

Filesize
4B

MD5
f9cc3a62a197ccdde7f433b6d4f42357

SHA1
f3478ec5dc567817d2ab1db09268b444d97e2868

SHA256
688f2753da605a4ddc7488ed5eadf92305296a1dd2e32e83e65fc68bee3aed76

SHA512
6b25e68c0ac62868bc51cc2656b3f4bd574f6afb344496d3c578ddc5a4284f8d50fb1da9c940ee8da3f3b2a259c54ce18de6d48b956e67b82e4c2d763738b054

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAwkQgAI.bat

Filesize
4B

MD5
8450a0fdce6b4c1ad268a79d4d5d5ea2

SHA1
b1345e4fc64e24ade34e6570bb931dc2c47664fe

SHA256
2af974d14ee5bd098ab4c67ae25aa4db5a46640ff89c7da27b4a7b0d78645816

SHA512
20ce487f56a4c75d5d5c84fd6c996750f24c9494b7deed7c37ce0da7320a76801f2a36a45264cfe8e51c26470d23fa468e2a742be78a199c4d1324b2d4dbeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQwscAAw.bat

Filesize
4B

MD5
1bf94058a15c57b50ba2db8a68166a8d

SHA1
0ba614ef12310a45a034e978f67112ae8126f3b1

SHA256
b04ffaca29edc1123c8b9b466fd4c72f77230e885ce4f8ccaaf9d46fb1e8b962

SHA512
543a2082b7f90d2c642cb7344e529cb406bd9052efaea890392a873b3f04da9e6f7f728a9f930e55e6d71bbefff47d7dceacbd03c3ed2df7a1497de826272863

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMEa.exe

Filesize
236KB

MD5
db790ef756dd4b1e737afdbdf0a827b5

SHA1
007287360680a4cd9e9e95224beaea2d5eaa99fa

SHA256
21a6cd00716aadd9079657a3945ee7965b401060a6938044646cd5b94a645bf1

SHA512
3983b5d3790f3ce105c4bfa48109839206bdeb10c0c9515894af58a01d72d7158d7ca79497dbb329bc7026b2b210becef23b106c12c9b0dd5b68676a073b3ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\faoYYQMY.bat

Filesize
4B

MD5
d5639f8e7137a251217b1c21345e9190

SHA1
e93bea341dc4c6e4809f1bfa42b0e78663f2493d

SHA256
89b40e705c10142f2d3fd3d559d43d5bcd96c36f1d331b0d2d4148a1eeda0909

SHA512
e9035e37e3b52759335153eda5b2e8be6531df311229b71c25aca497fe7588e6bcb6fd0114f55ce1269cdd84149bdfcc685adf353e5ede76d13207dfe7297df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgsS.exe

Filesize
159KB

MD5
31b67335beb55eb9db4fd40f54139edf

SHA1
8a7861b782894a39696a7f0e6c29b57de64a9637

SHA256
554fa05a90af9c3915fc99372a9fa3863ef4a174f317b53af86e454563beea72

SHA512
47310c27d281a9163638b8ab7fa6e03be1eccad826e6a4fd5f6369fb3213f53c92733ac5357a363ed256fbc6f077de90f09e6623a2e147c188f53ec339fbcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIwI.exe

Filesize
159KB

MD5
c78d63a8195d05164d6f4bcd6d33c0cb

SHA1
103c4fee564d73910266b5a2d0d07d7632ee7619

SHA256
0c110424a2c877201facaa3daf86e51be018aac869c1854a016da648b9e54d02

SHA512
6849a823a0e70f382292b0315a274cf7463f40a6d1ec89c959701003cb8ff179738669b166095cb80a021c139a630de8e60ba7e8185205a74adc0bf5f2e64a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwi.exe

Filesize
160KB

MD5
aa9f7ccaef3176a32cd122400dea6a45

SHA1
49b1f07df70b78dffdbf911fdf721960c719b4ec

SHA256
8a63a08423917a4f37a9471a7b95dd1adf495c105d955441f520a171893035a8

SHA512
de457d399e11c59a7513df4e46c10753f5a131a59d247007d0722f30fd6bf15eb9fef28528a286070dab115890ede1c4bd10e08dcf6e47d0f543d4e1c7b9976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAYg.exe

Filesize
158KB

MD5
fdfded3c1c3a7f5bf2603afac7690b4f

SHA1
5d7b4bbf3a81c09cef73838c2935cdd8de4427a4

SHA256
97eec357762ff600a14db5f541154bb4da58cdf46d6debc1c755b59ce0fd693c

SHA512
6662e33eb68132966ab418c6cb3abae6d182054eb3094267fd2f78a6855bf402e6458a6e24fddfd5302ebb196733c2f77bcf6368bf052ce3744ad549065930c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEgK.exe

Filesize
873KB

MD5
2d28f52550853900fd5fa258719c01df

SHA1
48f3b66681631bd80d33d43333bb8e1c84a79014

SHA256
1cab6b75d59063176bee323deef9769578929b0dad9d693e7cb3c757e4fd8956

SHA512
b9e5b2a4577378d63ffb88102992a93c317e76cd4764f870788590c287f7dbf86d1a3d96a6b911b56231171208c8e08c19f1cb44ca65307097ba04c21adb146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGwwkoEA.bat

Filesize
4B

MD5
70b12cf1999177c1fc00a415f6237717

SHA1
4854887298818629bec388f345a4507bea4eabcd

SHA256
36a33999bf636720e33751a0e9a46058b1da2363b79e93a7b79614fed66bfc5e

SHA512
fc931b47883293894000bcad43c7b2f4c00d0a77da82f87c96bc20f60da2df5fa6110746501498ece1e096e3d1c17a5b1182e7be7c1105bf5a3905d17ed9f229

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIwU.exe

Filesize
159KB

MD5
7b1f938d8fdd7612353d514a5b156be3

SHA1
a2b17ef91e6588c952d6683e9b253712bf8ce064

SHA256
e5db1061f743e54f0217c9d4945a14db0c05684212f96f67877622b0d8c47389

SHA512
e66f38b5cff6dade29f9430a22b70a86751d3add7a51e5c26912ae89cf352502983dd87bbf332a8fccf297d50aff5fefa65507f9497913c4e2ec204a11105ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hckQ.exe

Filesize
157KB

MD5
3e645a9da24ae60ee3218b9fb6b93c1b

SHA1
3acec9d4acc5dbac5994af1acee75b256f7a4e74

SHA256
b78cac60276f20ce6626d7530e01313c48377ad119e794a21d6b7f342b1317ca

SHA512
7789d1dd75934f1425f4c43ef7cd3ced98d193a4fb2ab08088a4b40c3e2041be1edd7d8bb974bf1fc25c689a49bcfd842d02be57a720816adb9f40e6f01d7d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgso.exe

Filesize
158KB

MD5
60a546d3f74f8f35dff67cb5ff4e32e4

SHA1
e5d1e4daffd8e16d1058b48eb2c6f898a1a5c93d

SHA256
670256a31a5918e9022d9b93a2c37642dcce5ae227f5dedcd949e0202e23b07e

SHA512
4546ea4381af12f6486fc6c8e8e72490438623f6cc65594c49becb6025957c895870be7e45a1329296327037c75c6941e9f3765bb672ea3c0df3029a97192420

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwEEEgEQ.bat

Filesize
4B

MD5
35a99271f67c3262a70e461e573d3462

SHA1
bbe93cb0237597cd83f1417be8815236f2aa3c1b

SHA256
82a8cf9a78a4081961ebbedcfe7c26dcb527e12ab96cb9b9db51a6a1f84560a4

SHA512
4ad3bc18b88928188c8b3e0b63f49d93b141d9cc9b575d3e7eb0fc479773e1492d5d542fde39c9ccbd19912a1cdb3dbd2f7180cc8c6945a3c60e450ad0475c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQIK.exe

Filesize
159KB

MD5
540a43d678391762f6a6fb1cb96d4ef6

SHA1
cd2a1e00318ac9c9d8fb73f2072fff9ef17a7cd3

SHA256
124677c4afd391a8080acd0735c0e62f03b5ec169b6a9f333949ec49427b254d

SHA512
824ef74b9bbe054320209574f298f59a907d69afee6056ef8f6bf7776179059290790c575759aa5f31f65a62a2177b22473325927b2c940e641213d2b572e402

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYEC.exe

Filesize
149KB

MD5
a69aafbaf36ad4238e14029b0a849e61

SHA1
b0aee4b726ea59ad40a6b4c2d376fbdd38de44f4

SHA256
945109eb083f60540d628979edb938f5e7e3fb9af68de952f3b183ba2c4a7ea3

SHA512
e7c8c5f0bccecc8fad69b357c36955aa1b0c44196c82c7198884cb14c5a75b8eedf9c2cb5399dbd442adc640d5d5df8e57c64911e08bcfffda1c7ee7913de95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jigksAIg.bat

Filesize
4B

MD5
21a76baa3c06929a6838ff1b6713dd1c

SHA1
81e7b78fad5a61bcb37ecea73dd5b6050c33296f

SHA256
532fd6b0d23915cf53f9986d3d457347eae4ed4e3daace8478f10dbe84a79512

SHA512
72bb976fa54162f26fd0be3388c642eaad58ac158923adb890c41df3a1435f5579007aa1e165946fa8cf02d7469aad08e2e46f78bca9cd90d6da6447dcea98fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqIMMUgU.bat

Filesize
4B

MD5
9e9c96f55dce92c5cb81e1c172810969

SHA1
5a0f7e19bf922aea26d8ffdf4d3fde4d0fc0a2cd

SHA256
6653192cdd332704f9ddfe3b776b90160f43c92b16cf074c80b0c9bd6f80a205

SHA512
16ac8d7a73d32c56ecaae9e20a9854d2cb521065e46beaf184de8d3a727529a8ccc572abaabfbee6bce9652cf384ca0881f64a2f2d3ebb2503c4d0ff07a32c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsMgIcgk.bat

Filesize
4B

MD5
5428f461bc80049d107c4ae465fe0636

SHA1
09955efda5300144e790dc098f584e74d5b45c04

SHA256
728583e3f0a0f8ec50eedde4999f9d0eff6778d90b3b689ea0d555a2109d53f6

SHA512
6f240b1eab93b773c76040060e5816b8e000c03a76b84de8c32e681c3fbee606ab863a52fb0ad63621b564b20d3d6843233cf726677fc5ec719d386229ccb043

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMUY.exe

Filesize
159KB

MD5
00482dd5a8a61da4e48610936c641dd7

SHA1
2cf2d9626ef3b51a5958b7041ae620c5f475bb5a

SHA256
2371b22147046d8faf2d9325aa166bce861e1fb8a761a9a3bd4cd1288eee3d24

SHA512
f2bc4496f5d32f8baf40c285dfc38c3e2f081f0dff0309a313feb63331c1ea8af8c2d2168f2454dc78b8466cb7939662ce10e19183007d8167e2ef1960c0191f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMYo.exe

Filesize
158KB

MD5
5ecd6d26ab59cbdd9e88d54e217dfe7a

SHA1
9e99ead0056799075f9d0b2f55373ae5b02587f0

SHA256
4a1cf6e1e8cbdb5bf14cca7619bb1dad27c63fc6f939b353edeba3e99639011d

SHA512
f542574d27a4d07b0b1e517fef1b11a61b97d06842679ba380653ba71d6ae262fd1f57345fdaf0e48d6844b68cd632444ea312ea31ab4b4f8967952668903174

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMoe.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\koQw.exe

Filesize
159KB

MD5
e4892a90cbd96f957e1609a9441edfd8

SHA1
1f1635049357e8ab6b00f307e6e2cd193fe35bbd

SHA256
7a4be8ed26cc9597f49e630ba38759731581e53eee0d456b95d93fbf90b6833a

SHA512
ee35c82ac5091f7c45fae2e32b6d25527a5ae510f0277bd3859750ddc38149cad74375723a9c423662dd228edcd71039f01c1aa06e214e8adf17de668e989d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\kokI.exe

Filesize
1.1MB

MD5
e9da963a9b99b0bdcadaa8f338670d57

SHA1
ca139f467a36e3c3edbe1aa19ddc1496139bc9e5

SHA256
58cf4bc8fecf5d2218fbb4a2311b2e41398c363463640bd32f4e6fc1a713374c

SHA512
d47e5fc5e4b1f1cc50287c385dd5dac8827cf9d1a0eb75ed99610db750c9c61561d16fae65ca53d9536909be572001c24e10220cc26a3fe5be381c15b349949f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsa.exe

Filesize
157KB

MD5
f62001233909b743a45447bc322cf711

SHA1
2e0c1b85a8fb62f33a2a7fa879e3b8f0ae83ac3e

SHA256
70410799e4f003d18d5d324721d84afddaae95ae250ff4e3f77f423c2cc96163

SHA512
7e2b43bd159e772b46db025eff997ac397ad86672e71c087677490c53d16894e2dd1799a597b1b9492e3f0a872cfe7763758dca2ea4b2ba14473d02bd9e79f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAEo.exe

Filesize
158KB

MD5
27f8461b52cf46be421d3820407e08b3

SHA1
e920b6c9995a51421e68a74232944b5416378180

SHA256
f832510f623f9b7dc1446932d4c4c6c2840ca73aedd847e3b009bee79b77de9c

SHA512
f1c8da03b1f75fd8cf4e886adb402b68189a490b22c6a7993dc9b811f85538988dc2eb74d3b2af35da3fd5a5f0d6ee92f92a6744b09e76eeb63826b533a5d232

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMEY.exe

Filesize
159KB

MD5
5794f72b2743ef5ecd287d1c7a03a5d3

SHA1
85f8985370c4fe843c063b1212218b493a9606d9

SHA256
99a73be9d033e14e16c3bbbf4eefe2e2974ff38248e3602555b1c684192ca7ae

SHA512
80d486fab967c3cea2fd7575637e4a41721ac033a3144021f89fbc448d9f0871c9712513c9ac605b246aeb548420a939d11802ae477c3388a27b413e229e58b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQcU.exe

Filesize
868KB

MD5
84a633418650b0a0fd66bd1194f7235c

SHA1
4fb1664336500ac89566e337ed2bcb0f197bb026

SHA256
afa26b27dbbcf2f625e2107085f96229874203aad09c90aceefca20f0b30c315

SHA512
e3f94a173aa7fe7e3cfa2e53a2139adc7723dea784a7a0037d63b3a48bdf08eb00df90c597bb3986cc6542136808119e30874aba36964615d112ecbe1b091963

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUsU.exe

Filesize
156KB

MD5
29dbc0a39b8a424c7ab67d82ad4562e6

SHA1
3379c056ab4944ad5726541c1a61bff7a8cf7602

SHA256
8a04913f9df04c1471789d63d44b79d1763463e97c63d23f551c6cad13b3393c

SHA512
d41698cbcaf4ff1957d3c2065aca6251b8b972ec2384a82ed4eba98ce608ee73b020dca0fe96e8a82be568a346427bf3aa4d2e432fdb5596235f253fce33f12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOcIoEsM.bat

Filesize
4B

MD5
dac670e389e99c65cab56ebc29b425e9

SHA1
3d46eaaa9053c6859d13531840033e02e2ec8bf2

SHA256
3eb1a279fb54c5f70a047ccadf1aa361d85fa51a94bc4aefc784e2294c5439a3

SHA512
a97d365b8b1fc6c97167634d4b4763a187112eecb6d47fdd0b4f7dc117b3702e44444b494132185e73792600cd7cbc2575755d855f37d3a9ec748d244add38d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\myEgkkgk.bat

Filesize
4B

MD5
7a1ed8fc7371e791287b7af787d50f0d

SHA1
9bf8124e844d85314086966f2047c30141c4745d

SHA256
eb0e8e414a02b4f3398ac079dc843ce3afc8f04897e459c3a537d25a85b92849

SHA512
ea22231185d64eaa88cea50f2c3961c3087d8c4b62f97f7e14d664fc07f65a3edc20d87480c4f1b51edc199c6faed45b58569c54205ab8c1632f8678ae7dc41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUoA.exe

Filesize
237KB

MD5
d5c43401e04f8a4cfcddcb129ca63151

SHA1
d174dc11e35a48dfa40d1c5b900464c1e44e5905

SHA256
2b9bad84a4af9979fab959e02c495f20ef0f4c7c44ac47264a12644389d7b79c

SHA512
2af8c19602e55597fe1da1d95ccc879a6f15a803c2d19a9f6b501aa3be593a694b2e67b23bfc521dc2b7c03e986c2edd671f10440d799c6b2df1dd1869114c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskk.exe

Filesize
159KB

MD5
4f999255870f25565133b36232acf57b

SHA1
0c82a2278ec03f16d4a7ce3e68186ee02296c6da

SHA256
3cba80f64084ce60b03ab48efb7087715d6db71cb899b32b5f788781c1d6cf22

SHA512
1f882df7d59039d94a1bc31ae96053e6200ec7bc6592b9c61e1f73a68aceff283c9a934145c31c0cc0d8eb93bba45efc42fe75f5194347cdb5e5e8e7edc5e489

Download Submit
C:\Users\Admin\AppData\Local\Temp\nucowYgA.bat

Filesize
4B

MD5
6ca1ce7f328eeb265a2ebbe9bc58d385

SHA1
805fab3a56348ac56541c126acca089e821f2a74

SHA256
05564d60623e8852918c42f61c7ccb7725b5d474091125191bea61c42663c262

SHA512
d074f7fadca913fd5c6d6500b8f94efee1f1bc3f5984aede6f6986c77a43736c5bab1497adb7cea7952f6776b26d847e43572a5b53d63a742366690365c1ebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAga.exe

Filesize
157KB

MD5
49e788fd1815d3491b735a7afaf77e3e

SHA1
bb0703e2030738cb577e617867fcea67d87b0d7b

SHA256
e58580389ef45204019c1e60ad96786a61bfbfa208ec0b5644693ed9343af028

SHA512
793838f416f14c6c747f7d38d7a790fdfd1bad1525ae0801607c9092429137ed1ee58a3bac527e44bfad5935413a2fe2e255ccee81c17cf0b02e20b03bb3e887

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooYK.exe

Filesize
158KB

MD5
c112a9c803393a9b6e436f7ab9384e49

SHA1
2851661fca86b4a6c1e8f5b4d1bc250eb4ee8aa2

SHA256
f732b6f20255c0b5e15fe6bce28fcf674fbb51dcef05115e56d7bd56dfffcc42

SHA512
4b20d79180c82783d77cac149ce661d549d637fb2924f6db4519ef56cf4486f887754a06ab73731149ed552cabac8cc6bcfa749fed280f85a6e6e052d747333d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oosi.exe

Filesize
157KB

MD5
e0e1eb2e0c8575c34a1a6004e425e597

SHA1
72310c1d73ba392326270baf9092da3632eb2153

SHA256
4d98586dc02143e309cffa9ce3beb7c39dbd79945597eeac0f0810848806599c

SHA512
f0ae683626f47dd8a8fa455444f26cf5f8bb89c994600bc99f7935c3ad9273c978f221008b62dc91e99f2e776c6f62da03061ecfbae9bfd262f88a779db72eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\osMW.exe

Filesize
158KB

MD5
ef660422142f07bced3ffb12a9448a50

SHA1
6e85f1c2c76c374e461b01a0f44b84ee50d815a3

SHA256
9f2112fa7885114418162df8c5891a8fc1cf725e66ef8c5731304abb73b087d9

SHA512
84ea601b626149400144ade2d36c9e35ac443b0c74bff48afa239fbb952ac5664b8f71b87a55fb7a4494d87df0f6438e8157782be185078b66514ca449f5f4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIwA.exe

Filesize
159KB

MD5
50e4e5aa90242075ac89077ac6c2a764

SHA1
cc64099811cb72ee3b1759b4c255250c2a228355

SHA256
bf58ff97c87cb36e66a3839ff5fb7e559a6c40b37c8cf707d757c9446837ddb5

SHA512
5052ba9f0bbed5f8a4882a084daa634f02cb10ebd829543a0a7ba2af332ac204caa53d92ab5dd9787aec5023fe993ca793fd636e3a563119c7c54ca7d206bdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkQC.exe

Filesize
8.1MB

MD5
9b0e69d5ec30e72e261e3e777112fa2a

SHA1
58a7aff4c558f6a7e0dd13b9a2d9139ac199f1fc

SHA256
db8e3cd67cbbfbfa5fe4e00eb68ff0b658d0cf7560afdbfa5aa14f51d954b91e

SHA512
57a953ae2ae8119bc58ff12b9728f00a4d23481c8b998714fc44ee7b528573aac4212fe4c7e5e1f1137824ee65a1dcba241b15ae09bec47355f7c75307493b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMk.exe

Filesize
138KB

MD5
987edafcb31c1bb23438aee329eefefb

SHA1
0246546bcc8a2e9c42b8b6ebf2fdc987ced89e93

SHA256
a6a0163740a7d22f2a37a1e93badfccf9f6e81f1d7d312ad64bda3abd45504a7

SHA512
b0ddfcf8f27ed8c1b7c2e81260d0016ae564582de0c91b64d12775bdd7c49c31dd34758c7e189444a7574be29ac20942cb87e13295f4d2ada0fc2d92453d48ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQUkYIYo.bat

Filesize
4B

MD5
55cf6c03c79d2c609a6b246dcba724b4

SHA1
8c789031aca253b93ffe49773f7ccb8f485d4b59

SHA256
8a3b8f93bcf53306d4fb6e3125e47188c4369bbadd9fae2e16fbf45ebfab0278

SHA512
561da5cf94329bb8877f3e1b1077c52ccf69b84ec5dcf093175fb1eecf9e4fd7933fd7d383ce8616dca812d0146b4dfeaa7d085b5c5995757b7a73cbc7e72e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUQQIcoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYQu.exe

Filesize
658KB

MD5
e5ff39d562ebd622b8ed97fc5974967b

SHA1
e661b5679b5a04f9b1d249c0a52658251ae8c9c4

SHA256
61e6608eaf0fe00099d91d6a71e5139161925b568a93350c54f01feb39132aec

SHA512
3764c749ac42bd17383228439a18be038e8182a9072848506ba6ee78e5d14ece75b300bf63bd648d69aed1fe2d353f27304faf7adec13746589dd2f5511ed9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAgUAoMM.bat

Filesize
4B

MD5
f2db3580cf0d7705d5c0ea6b1b3768a2

SHA1
066132409ee6a970abfc3bc7747df3e683df9925

SHA256
50f65b93961567ccb322f687da640e237f98669e2447a37a825fd5aba05deb00

SHA512
1f4e44793ac1a07a7918962896a7b2ebb19b5c67df56074366e0fbd1038b6a6ecb3c438e01b39ce4416d0d2745bd4b9961c5d237afcfd8156ae4f4bcc699122b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUQI.exe

Filesize
157KB

MD5
d67f56313d645c7b98b6dd5779072b02

SHA1
5e444708475639f34023ddb835a024329913021b

SHA256
5fac83869567bdc54845bec30eb5cfaea32d2f6d496b16ea7471ea861df6b4da

SHA512
ebd4a96e83bb3caab01f1f0b03c33e8416813720be27ad25a9b67145b121947e1ad46ff6b922f870f0a7a6faf392d06b3c657cdc01ad92aca27fc8dddad20018

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcEu.exe

Filesize
158KB

MD5
73c99059c900849232ff1da0a8d239e9

SHA1
098601610513660c153d77f4f427f96d5a15e907

SHA256
669994d527f2dd7954d3cc8d7aad0ec6100411290e0d7b8223e9298e75254f57

SHA512
530ae2dd8daa691ca881ea2ebc9bd8da9e80644f30b99171522bb79037fa38d1a72bc44dde4ffa3eca3474eefb79db5a94c485e1019c917e3a488a4f8659e920

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkAy.exe

Filesize
158KB

MD5
ed60253083a7c55fb06c014ae1b45d13

SHA1
ca3ce31cb707b44282e911c49f61671d84cdc07b

SHA256
b079ceeee30dabc0cb438dffdac11e5ed197242d4eb72efe09f7ea2b3b5b80a4

SHA512
80e3f0f73e437cb21f481ac48e2f7ca6be8a4bfbe5221628594b6a52354162b868e955c693dad4f29fa0c72ddeae5d448bbc60d4abcef57abf690c39211a7419

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQsy.exe

Filesize
158KB

MD5
5f897cfb8e58088c01b862b73a509ec3

SHA1
a23673bd446925565df34d66613881e4028b3c76

SHA256
22e5f4a4167e9aec0f088b9b6d1a9d4ede6fb1f95bfbc466789dfd1b7fe13651

SHA512
2d9e04cf1b31f323c9bb6374a1e8009c5dbc1eef9f0d2f82975094f44f354c265979508832a411985017d4f4f981113c8d4be8ceac73285b2350593a30775a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQYYUMc.bat

Filesize
4B

MD5
1117c3aee678241215e606b1be2f3a32

SHA1
5a72797332ef14e85adc67da0db5497ae26839f4

SHA256
60eed02ba622cad139583ca5ef39e8442b57bca57ab52ecf1ebd3e99c36954da

SHA512
aae47494e93ad33908c28630a4da5e71705efcea3e8699ac01a518c963da5c6b302d3e1949940fd3cf40a7ebd21357a562732fc51989a749f8eac2cbf336e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgEu.exe

Filesize
568KB

MD5
cbea17e69f0074b336fee13506bcdfef

SHA1
c3f4571f6335dcc8912f06e828a98665afc83149

SHA256
fb89c8db3e219dfc27d73797cf15366e6ed36fbd24705c65f852544adc3a6113

SHA512
2ad0d2d5b27338b7ed9d92a0b3e076cfce3a50c255c3ad8123a8654352f28836b3827372e220bd9fda4c11c4d0928e976d91b4c98a397aacc8af080db777ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\skcs.exe

Filesize
148KB

MD5
e248d6c555ec3d0403d6bb9939c7da95

SHA1
0766a285961c44b1d41d24fda60074bcb2b94805

SHA256
3efb3f8079d5be8af8a5e2a8883e9401a4a35221a6149d33482305f7c200ba91

SHA512
0f9a849d4297ef6a5979df3ce17affecd5198c969b0dbbc461e8a48632398bf0ef54d1f0dce36f0210b407c265e6543445a3d835fe679a6db00c5859862f2d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\smwEkcsQ.bat

Filesize
4B

MD5
8388f42e764c04cdad24baa29127c38c

SHA1
b76cdf99b0d41a11ff75fb8326047d1c3ce6a658

SHA256
a09819bb68e5224a4235646cba9bf2242916be50e3945f688b054a8cff863bae

SHA512
837395f6b00370dc25a37eb093420f9eea7023598c9540eb26c2c265fd3bdbc5d96a2e5bb0297c39f3fc75a3d68261b4f4796c9cd57e0be979c590a9e74730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCEkwgwQ.bat

Filesize
4B

MD5
d0377514b5286c7db7af9f7f1d626ed1

SHA1
de7a78868f759d307905b8280c3f3c715c10b1c6

SHA256
46b3a68abb89be3c04e0feec65b17f5b3d0ed84cfbe2387780d8e2542223fb3e

SHA512
e14d152e4e2ff4d33445412d9c70b04b5e2f4e99b0fecbf3735dfefb74afe4cf4f5c7e831effd5a4390b9f50c3ef8368c06e273df31daea5c793f2943bba7255

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQQsIYIY.bat

Filesize
4B

MD5
8cd94d582139c3541b9623371aec3689

SHA1
ee52208a1e47b60f8a37c39019b36beaacdd6e0f

SHA256
988164f14aade43cb23cf8087032cffa8d9151bc33cfd80ddeaf1defd39f7f7f

SHA512
dc4fee895ea536808d5b3f2b35c25b44b2cc4e1d437a84f05c61d3810ca3fb7f5583d35234301adeebdc9e4bbac7c15199a81ed052ac243515f17585602f062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSoQEIkw.bat

Filesize
4B

MD5
39b2ec72d7fc4bc4b957562c50e010f9

SHA1
6bbff972d3e2512fa285c834c50a7f617b80f9eb

SHA256
577ab2146c6bb61a9abced76aa05db28494c12c6c8e1cb3245fc8c48235b26d9

SHA512
8bd5fea15269c21f168760f7758da671ace9b24b1a844683eaadfc141c60c50a2cec8a944df8f473130ca1e61779893ae5c89183a5470d3e96064b73012ff7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUIO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCwksYkU.bat

Filesize
4B

MD5
a8e0533ce25e9e78c1850f38c79b733c

SHA1
6bcb7538dab81c5c8e44d23c2c7541e026587ccd

SHA256
22d3dd30522c5c22dd273600b2ebe42f49d007bd2bf43c4a0e547e59e8180d19

SHA512
e881d6f2570575e4a051463a8eaaf5f9aa5493db05cfa9f8a0896db32255ea80ad32dcd5a4d6cc660344e88fadebbafbaa82fd02b20b8e77bd95401f04d7b68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOAMUEYo.bat

Filesize
4B

MD5
b47dba5352dba72c058dcb9c26a92322

SHA1
deb226fc1029a94199adf4dfc2fbcfa4b60b8895

SHA256
19feb686778e3e755d64a0a3c74d7b40fa68e4aaf10b1469035a3be4a0f8358e

SHA512
6bace6f6fce27556821d51970b0fd45b3d495637b46b41d6641b9360ec1b9b867a89c640e24e9e7706efb48767401ac9367150240504b3556f27bf420959c945

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUIU.exe

Filesize
159KB

MD5
23fae4055f342af8340bac735a1edfd2

SHA1
ba914ec130cec5f7749004741b40861f880fb32c

SHA256
af63615b5359e885be8bef023a658ce4b803e12e7b67446e2c1442085116e5cd

SHA512
36f95cdb33bb569cef737cd596361846deab78008a437713c97d4789457cf1c615f7385ee4d719ef559d9fbfabd0796839e20b954f3057e5cd1043a983da4c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukcksUIg.bat

Filesize
4B

MD5
d1eb7ec3fc0363e0850769250db428e0

SHA1
1ca15dd2e0d777e8204e9bf9fb663af0fb77fc7a

SHA256
11500f87fa19edf056406407cd3189908ec94bfc16405398d555e2d5367fbee8

SHA512
5e59b15a6ecca4d3898e4afa4a7f911a84386dd941ff2e24f354f09ada8b9e5215846123e39c11c052269521725637458fb0bce37182f74833a2dd7c9c51a4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uowoYkQs.bat

Filesize
4B

MD5
34cd042f0369d1b2e5f4a2bff71e6309

SHA1
e63ebda4c4e2fcc056c924c7da7858c692905ba4

SHA256
34f30fe71c5deda7d2bdb27795610a3510a916baf5e68ae1f262bd40d2e15386

SHA512
d10e8d6dc4f872a913c7169726dd751034ae4addc86af768665bca5273523336b0172a9d0e88525fbdbd9a0e88b911173f8ccc696d8edbbdd113f6d672eab880

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwUM.exe

Filesize
139KB

MD5
dc9d728a61c62e845c4ffb51ea445900

SHA1
ccef5942e59128d28d173bb5a5b41716200a6d67

SHA256
8ee42db10f440785c8deb402ee13a6536ad1e7675c11dab9a3a3e951e5b5d6c0

SHA512
7cc9fe4ee66cb63ce50777d56442d2ad4b063d675b0aaaffe3e82bbbad8dd4242e7e2018e1b7efaf68d2dbeee492cdab2f1078e10eca351ff489e4f8462b426f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUcG.exe

Filesize
693KB

MD5
fbd4f2725a0937e827eafa79c84c027a

SHA1
71b03278827f774f0e749cd82a16cac35a6dde18

SHA256
0e0a81ffdcaed323ae4b87ca5e1cda275126e7e5c8db8d69184910aa7e475e2a

SHA512
442a4d56f413075db14d1ec99a5ae1a888d4a5eb29c02df9c74bee6ddf8de39f93cfc5f7fcafea39b87c84324fbf162cfd88a3d4ff14711ab6eeb78ba58bebcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUsK.exe

Filesize
236KB

MD5
66d5197bb8458ff776b77ca9f80a044b

SHA1
d9e5e3737ff3a8faec65af81f3de6ea2a76e9d86

SHA256
00897bd8d73397af9e0ce7cf73142b57e3ac8833c0397238b22c083968568c9e

SHA512
510b3c325a755e289973ee67f0d31f668f42ce8d7aef7e74f8096a47fcae5f5d5f3b60ba97ae72405561a0f18087c1744066548a53a15f2a4e3dbdf2dc83580b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYcsgsIs.bat

Filesize
4B

MD5
d47b110423073021261d66c109b88a34

SHA1
949df3530ae26adaa8b7552074c6115ec155362d

SHA256
1982b3844a385dad378290f69e7d6a63fbd0c746cade0469e6c400bd1f79b458

SHA512
a916a36495e0fcb3edfda7128a5ceff87294237ed1f38fbbe7bd288740921de3358abb5d0fbf11694539b6b8edccd01f1916f463136bf01c6478cb7935597415

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcMG.exe

Filesize
157KB

MD5
4b4955d639f559dfbe43b2e5863a6e1c

SHA1
ca9035a5f15f6cf24771ef64f0f5c019197f120e

SHA256
804aa76bbf3fbfb995418818fd3b3f935acdd30d76c2ebeb401afc838a4c99b2

SHA512
329fdc693749697c95425cc2c3b866390b38cadfbeff3daa5a86a649520a9c756070859db21af444b83c4c5bb8f8b0c03116183ab1533cd30b7002de31d8ef1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vssgwkYA.bat

Filesize
4B

MD5
6230fac6e3e17d7e27ee7e874ddf4ba9

SHA1
32f57b580a44f2b9bc1d292ecaee85c09f8fcf34

SHA256
5518225238a50084e8c3d5edc442c67e660a800ba63cda9767f11999ca684c9a

SHA512
a41f4eb576cfe949a542f8a28cbdcef49aaf20285828103123146500b66db3712c52196f100ad862830d724b07b79ce014017738f5ebbbb6b3631932dd65182c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQg.exe

Filesize
556KB

MD5
39fd0b33866c4b389d0eae016c36eeb9

SHA1
2268e3d9f6de422c8194122d85b6ea10dd80800a

SHA256
e14bd8d0edc67a0cbc8ffa7b603d305ae5ad3f8987fd00a40d9b8e5f66fc9c2f

SHA512
5b22c7fa3313015351ac620225384547dd1a27aac812cea447e69037028e01c1992293fbad3b18be339a9820b89844858efece179bb91cbfac744b60041efd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wawAsowI.bat

Filesize
4B

MD5
e0387f8c1fdb788d05995f622b8fea49

SHA1
517c1e279d7a2e43376e97d40d59aac96b917002

SHA256
0905917425b1b431590087757ceb256ae409b0732ea6ffcc0bb3547e0a184f89

SHA512
f6d865506f0bf565d58cd26c2172e1ebcd59f87dc13a5bd3c39ebbf17296ee43c42c30e7824eec43fda2913d53966395a793262fde84dc1f159145bbdeb6e866

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcES.exe

Filesize
387KB

MD5
5432ae93eab7700e464e8c956798c58c

SHA1
afc5a28c1c49d8d3987388bee7c74d1f4812d275

SHA256
4a75b04d606b9d33e59440e82fefe76867d954528d4c89921823887a278837d1

SHA512
17cd01c76d1c817097346977252449dda113a928d329f3b1510db84456d5857f0744e626b1bc627b03bb93eaa4c5147739c402d9a0bf55116be012c57f156435

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsga.exe

Filesize
157KB

MD5
8bf8f06d5eb34c59f1d0488d65b39a5b

SHA1
84388571de2075b84b158790b248f3ad5b5921ae

SHA256
06a21129d53bfc421dae050bd727c1594ce50cdc09e4b6fd22d666f2bae9fd9e

SHA512
e2539fe75e37497cd7f37679e408b00122ed11b587ac4b39c4d4cb53c1559fdd3f1c4f353ad4e74cfa2a904e041bce1e823cb692875aa4eba59f23f439711eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wugkAkQg.bat

Filesize
4B

MD5
98f67e92fa7217335b8b529807ec4e2a

SHA1
2324e0566fbed3016673f875becfdbc72e7b99cf

SHA256
2ee95b83365185f2d709ea4556c95b2d21cab2854c239128ee7426e9d073266e

SHA512
fa1077cebb6ed0f9e3bc9f58f120cb5149f0b07447056b669ea9ad6a480a37194f196efc8eb0032f3d743940ad9a14eb9efe4d4554dfd13746866659d56f2138

Download Submit
C:\Users\Admin\AppData\Local\Temp\xowe.exe

Filesize
158KB

MD5
33d82bcf4096c5dd791a356dee56ab4f

SHA1
d781a3fac7c6512a9543f8cf68643c6b58e4b1d7

SHA256
26c109516ee80b6b184bd241f2d2de42e046b09f3ad001fe2b0d5b70b41d55b2

SHA512
85ec13f94843f956496512e417416587f438d26704031c8931959383d434a3119ee76bcf3bafe7e35f33ce8b4dd18f602919ba2145a9630f4803f7cc7db31cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwEC.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygQS.exe

Filesize
158KB

MD5
c39c377d522773bcb6e0b154dbe63287

SHA1
c2a5897909816c15d1c506ecd790d40e0811d599

SHA256
ec07b81bec37d24e1b6402a9656db84e543c81ac9d5dd950c98eeb77787ba277

SHA512
794d39229885e2c47963dbd1ac703a871433814729ceb1d0ca032f73e5e58bce78a2cdce247d54210d13f6a215db2d20e538395c9a475ac31517eb04848bee03

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAUA.exe

Filesize
936KB

MD5
0ad541f2e19277c27047bdf475c84e8f

SHA1
176bcb3e7bb64b29106903ca39772a18743dfbe2

SHA256
8644d8a77721631aadedf15dec546bdfae4629745b24049acf0483a1048e07cd

SHA512
4f2ba684a85f00b701873a02b61e4d04406ee2eeffae2124046f0bfff2ca92fe62cfdd520f78e9d1f8d1b5603de425c499a49b71538fc584fb429788a49f6e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEge.exe

Filesize
159KB

MD5
ee3edaa24ff59274e05b7fc20e6a2607

SHA1
129114afcc28b15af2705fff85b96bf337243601

SHA256
2a26d509dfd5dfea8b272ff8bb627ffd5e30287f2c6693c807690914b8c709f0

SHA512
24aa4f180bf05269a2686fb4a0e5f8af32061e82b06d2da844a395c4e601ff599be4ef4b0b8889df37f85f9065badf6ed47df3344fa9b46381cce1372dbbfe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgYe.exe

Filesize
555KB

MD5
8b2347de54966d16f22b875a7567ef6d

SHA1
3faf986a5ae509c3d3e063849b714b940e07bfbc

SHA256
048303051fb0ed7c3430c605f8bcdf62e7497bb60b3b0313e48605d5ca015554

SHA512
453f9e9fec511b6602c91530128d9bd1e8afb343f74cd93843a480c0051b7e0384c3cbceb825414b515e6df80b7a0a874bfd5fb70d2bba8f883c21fe24432357

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwwY.exe

Filesize
157KB

MD5
cd2f537afa83896bc96053d3348382fd

SHA1
2a9925006a0e0a594d2dc468822ef04aa3178dbc

SHA256
410e2fb7c53185900563721019b8c68243005674d4c02478a302f97758548e69

SHA512
d3dc28a719307e8cad7ba14eff9ba0d9e67f5057de38c3bb6e736345a05c64a33cc716b21855b628011f3900f13504ed2b5ab52872adc5976023377ef609c410

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\GeoIQEEA\dOUEIcwQ.exe

Filesize
109KB

MD5
9611adf4cce24aece48bf1ac11cc74db

SHA1
b031caf97dd15031ab3654acaa147cd8b9973010

SHA256
dedb978a4a39124d736356e78f4840c5dde7e7ddac4300954e9b3b3ecd6f4b4a

SHA512
2945de50a1f77aa6c27800f6db3dc608779428d29389114eab8ffa574537b2b2b52517642171358f36449c03705eca8c4aeabac0b80af707e6affc3df4c777b4

Download Submit
memory/556-79-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/556-80-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/572-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/572-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/736-113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/736-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1148-135-0x0000000000140000-0x000000000015E000-memory.dmp

Filesize
120KB

Download
memory/1148-126-0x0000000000140000-0x000000000015E000-memory.dmp

Filesize
120KB

Download
memory/1280-219-0x0000000000140000-0x000000000015E000-memory.dmp

Filesize
120KB

Download
memory/1480-300-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1480-323-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1636-339-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1636-368-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1740-391-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1740-369-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1964-162-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1964-160-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/2216-430-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/2216-431-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/2244-299-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2244-269-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2252-291-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download
memory/2268-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2268-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2268-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2268-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-181-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-161-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2296-267-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2296-266-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2360-5-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2360-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2360-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2360-31-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2360-12-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2360-28-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2432-336-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2432-337-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2492-370-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2496-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2496-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2532-196-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/2560-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2580-313-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/2628-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2752-56-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/2752-57-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/2792-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2812-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2812-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2896-432-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2904-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2904-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2932-242-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2932-245-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2944-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-16-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3060-429-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3068-314-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3068-347-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download