40cabae518946bc901a841461bb17db9c616d70a0478db64a2862094ed559a17

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
Size

162KB
MD5

262448a316a87d4cd3b4ea7e85aa99d8
SHA1

ae5d091ccbd3035154d31c6dffb68637d8f28c4b
SHA256

40cabae518946bc901a841461bb17db9c616d70a0478db64a2862094ed559a17
SHA512

bde88a718290ea9c0ed4dd1ae113397cbde66f565cf9f85baaa712e8ea898cbf925c33484042a34aa06e6f2a4dad9a580271b1dde2647974aad5d1481b1977e9
SSDEEP

3072:vqdolkw0toO5xXSuc/qm/iD7EsLZBkDu2j8wsuqC8UQ7pRT3ch8XhlZ0Ev2IG/+o:plBUZcoEsLzkDZ79qzUYNcqhlZdeIc8I

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	GyswIsIg.exe

Deletes itself 1 IoCs

pid	Process
2464	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1200	GyswIsIg.exe
2740	XmkMUwMk.exe

Loads dropped DLL 20 IoCs

pid	Process
2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XmkMUwMk.exe = "C:\\ProgramData\\uYYgosks\\XmkMUwMk.exe"	XmkMUwMk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\GyswIsIg.exe = "C:\\Users\\Admin\\lMEAccwI\\GyswIsIg.exe"	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XmkMUwMk.exe = "C:\\ProgramData\\uYYgosks\\XmkMUwMk.exe"	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\GyswIsIg.exe = "C:\\Users\\Admin\\lMEAccwI\\GyswIsIg.exe"	GyswIsIg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	GyswIsIg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
988	reg.exe
2348	reg.exe
1800	reg.exe
2096	reg.exe
2616	reg.exe
2708	reg.exe
1460	reg.exe
2824	reg.exe
2376	reg.exe
1196	reg.exe
1224	reg.exe
2352	reg.exe
1336	reg.exe
2416	reg.exe
2804	reg.exe
1856	reg.exe
1048	reg.exe
2096	reg.exe
1788	reg.exe
2792	reg.exe
1612	reg.exe
2592	reg.exe
2964	reg.exe
564	reg.exe
1692	reg.exe
2784	reg.exe
560	reg.exe
1952	reg.exe
2700	reg.exe
1440	reg.exe
1648	reg.exe
276	reg.exe
2832	reg.exe
2172	reg.exe
2984	reg.exe
2808	reg.exe
1868	reg.exe
2192	reg.exe
1500	reg.exe
1260	reg.exe
2348	reg.exe
2904	reg.exe
2108	reg.exe
3044	reg.exe
1876	reg.exe
2500	reg.exe
2484	reg.exe
1988	reg.exe
1016	reg.exe
2136	reg.exe
2104	reg.exe
1132	reg.exe
2816	reg.exe
2904	reg.exe
2612	reg.exe
1840	reg.exe
1792	reg.exe
2660	reg.exe
2136	reg.exe
2988	reg.exe
668	reg.exe
2304	reg.exe
2064	reg.exe
2468	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2436	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2436	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1052	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1052	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2128	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2128	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2168	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2168	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1964	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1964	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2656	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2656	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2680	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2680	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2220	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2220	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
876	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
876	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1004	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1004	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
564	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
564	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1624	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1624	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2900	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2900	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1956	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1956	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
596	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
596	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1876	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1876	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2072	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2072	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2836	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2836	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2688	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2688	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2520	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2520	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1940	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1940	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2620	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2620	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1952	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1952	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2676	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2676	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2012	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2012	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1792	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1792	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2644	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2644	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2572	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
2572	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1864	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1864	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1936	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
1936	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	GyswIsIg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe
1200	GyswIsIg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1200	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	28
PID 2120 wrote to memory of 1200	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	28
PID 2120 wrote to memory of 1200	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	28
PID 2120 wrote to memory of 1200	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	28
PID 2120 wrote to memory of 2740	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	29
PID 2120 wrote to memory of 2740	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	29
PID 2120 wrote to memory of 2740	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	29
PID 2120 wrote to memory of 2740	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	29
PID 2120 wrote to memory of 2660	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	30
PID 2120 wrote to memory of 2660	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	30
PID 2120 wrote to memory of 2660	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	30
PID 2120 wrote to memory of 2660	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	30
PID 2660 wrote to memory of 2584	2660	cmd.exe	32
PID 2660 wrote to memory of 2584	2660	cmd.exe	32
PID 2660 wrote to memory of 2584	2660	cmd.exe	32
PID 2660 wrote to memory of 2584	2660	cmd.exe	32
PID 2120 wrote to memory of 2468	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	33
PID 2120 wrote to memory of 2468	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	33
PID 2120 wrote to memory of 2468	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	33
PID 2120 wrote to memory of 2468	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	33
PID 2120 wrote to memory of 2824	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	34
PID 2120 wrote to memory of 2824	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	34
PID 2120 wrote to memory of 2824	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	34
PID 2120 wrote to memory of 2824	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	34
PID 2120 wrote to memory of 2620	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	36
PID 2120 wrote to memory of 2620	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	36
PID 2120 wrote to memory of 2620	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	36
PID 2120 wrote to memory of 2620	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	36
PID 2120 wrote to memory of 2572	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	39
PID 2120 wrote to memory of 2572	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	39
PID 2120 wrote to memory of 2572	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	39
PID 2120 wrote to memory of 2572	2120	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	39
PID 2572 wrote to memory of 2492	2572	cmd.exe	41
PID 2572 wrote to memory of 2492	2572	cmd.exe	41
PID 2572 wrote to memory of 2492	2572	cmd.exe	41
PID 2572 wrote to memory of 2492	2572	cmd.exe	41
PID 2584 wrote to memory of 1956	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	42
PID 2584 wrote to memory of 1956	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	42
PID 2584 wrote to memory of 1956	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	42
PID 2584 wrote to memory of 1956	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	42
PID 1956 wrote to memory of 2436	1956	cmd.exe	44
PID 1956 wrote to memory of 2436	1956	cmd.exe	44
PID 1956 wrote to memory of 2436	1956	cmd.exe	44
PID 1956 wrote to memory of 2436	1956	cmd.exe	44
PID 2584 wrote to memory of 2764	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	45
PID 2584 wrote to memory of 2764	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	45
PID 2584 wrote to memory of 2764	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	45
PID 2584 wrote to memory of 2764	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	45
PID 2584 wrote to memory of 2780	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	46
PID 2584 wrote to memory of 2780	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	46
PID 2584 wrote to memory of 2780	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	46
PID 2584 wrote to memory of 2780	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	46
PID 2584 wrote to memory of 2744	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	47
PID 2584 wrote to memory of 2744	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	47
PID 2584 wrote to memory of 2744	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	47
PID 2584 wrote to memory of 2744	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	47
PID 2584 wrote to memory of 2720	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	48
PID 2584 wrote to memory of 2720	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	48
PID 2584 wrote to memory of 2720	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	48
PID 2584 wrote to memory of 2720	2584	2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe	48
PID 2720 wrote to memory of 1980	2720	cmd.exe	53
PID 2720 wrote to memory of 1980	2720	cmd.exe	53
PID 2720 wrote to memory of 1980	2720	cmd.exe	53
PID 2720 wrote to memory of 1980	2720	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\lMEAccwI\GyswIsIg.exe
  "C:\Users\Admin\lMEAccwI\GyswIsIg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1200
- C:\ProgramData\uYYgosks\XmkMUwMk.exe
  "C:\ProgramData\uYYgosks\XmkMUwMk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        6⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        8⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        10⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        12⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        14⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        16⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        18⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        20⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        22⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        24⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        26⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        28⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        30⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        32⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        34⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        36⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        38⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        40⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        42⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        44⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        46⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        48⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        50⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        52⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        54⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        56⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        58⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        60⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        62⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        64⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        65⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        66⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        67⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        68⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        69⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        70⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        71⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        72⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        73⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        74⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        75⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        76⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        77⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        78⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        79⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        80⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        81⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        82⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        83⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        84⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        85⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        86⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        87⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        88⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        89⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        90⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        91⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        92⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        93⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        94⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        95⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        96⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        97⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        98⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        99⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        100⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        101⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        102⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        103⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        104⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        105⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        106⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        107⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        108⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        109⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        110⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        111⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        112⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        113⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        114⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        115⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        116⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        117⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        118⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        119⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        120⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        121⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        122⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        123⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        124⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        125⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        126⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        127⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock"
        128⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock
        129⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQwkoQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        128⤵
        Deletes itself
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQMYwggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        126⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DggckMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        124⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VakEksIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        122⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQckMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        120⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAscIsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        118⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AacMQkMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        116⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGUwIwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        114⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEYEEgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        112⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkcMIAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        110⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsYwUQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        108⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoYIQkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        106⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGcoUQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        104⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYYcAQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        102⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaYwIIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        100⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgkEIEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        98⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgwkQIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        96⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwUQUQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        94⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSEMUgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        92⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSYgEoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        90⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BucIAwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        88⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KScYoEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        86⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAAwkIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        84⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\skcAUAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        82⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\akQcQggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        80⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgEYsAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        78⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PksIIQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        76⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMQIQEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        74⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMIIgkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        72⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\akMYwkME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        70⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEYwAQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        68⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuwEcswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        66⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIUEcckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        64⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMEUgwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        62⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIMMsYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        60⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQMocoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        58⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIwQocsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        56⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\roQQEcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        54⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOwggQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        52⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSkkkcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        50⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmIUEwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        48⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSMAwQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        46⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\piggwgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        44⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQQwEgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        42⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAIMEMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        40⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIkgAAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        38⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMMYsoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        36⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwUcoEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        34⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEocQIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        32⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMcsgQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        30⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOcYAQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        28⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\amkwoEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        26⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUAYoogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        24⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMkYsIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        22⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQcswAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        20⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqQwsYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        18⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyMoEEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        16⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCUcoskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        14⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIcQIoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        12⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcYwMcMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        10⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\riEYMgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        8⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1440
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaIsUUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaQAcsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2468
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2824
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmEIUMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
157KB

MD5
515f9661d7de34fdaf1e79131145e508

SHA1
c36e83653e16d1e946b9090d43743f55175909e3

SHA256
42eebe3385c4f6c0f4d632b6c8c762d14dea36338eb29137251e2aa4c0d97e68

SHA512
ef3672c031fd30e0a9512a8a6f9c934145e2f93ba6f202a297cf73d521d33896cbb555be56829f11a2828cd38a80d30c1a524a5a3c051327f271483f63fffe0e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
158KB

MD5
80b343317bba49d41d66c938727d18a5

SHA1
0ba3ce1a5125591420e555d85dfdbd612ededb26

SHA256
9243deae3da8096f8b3c9c235d7435cb5b433d597722bdafdfd51d4fc2042ed0

SHA512
cac5b5b17316496588951e8080aeefe7c115ddf86a97845f26f45079d20b78e69079675e218448b4838fa375b1dd9b294f10c77b827bf98359e85ff2dc07a388

Download Submit
C:\ProgramData\uYYgosks\XmkMUwMk.exe

Filesize
109KB

MD5
68f0711ab9740d18cb951fb1aa8992cc

SHA1
ae67758cc05b303aaecfbed395b07aa097b379fb

SHA256
e0f9d0c06dd887fc42fa9b9dd323826a1879554dde5705954d72c436b95f1433

SHA512
6937168d63e07773da016053d62b2fadbfc19b410e79f56cd00dd3e74797711992f2f52daddef614e4b8b3de72ab24af09d078bc16e2424ee33e478fbf1933fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-18_262448a316a87d4cd3b4ea7e85aa99d8_virlock

Filesize
48KB

MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAIE.exe

Filesize
158KB

MD5
c6676751292dbba4eb71d505d6bcac28

SHA1
8fe6f912fb2d1ad2ad3cddf9ca93ee0ae3b9f345

SHA256
b7ec51ea6367140abaec10b7dc1ef03b5c67db149a5338a446038dfe13080068

SHA512
46cbe4f6d924686bfc7803c391f40b3b76db27dffd94b935945c47608daa4f5f12bb39543eeb8d25dae1dc9bbca922e5063b1ccf0b461b727f0348dcd11873c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AikwAQcs.bat

Filesize
4B

MD5
d4e87eedd4d6b4f2b7215619e5e4c5a6

SHA1
6c8713de0056dab5e2337c50bbace2a7d2cb19f7

SHA256
7549e8de413dfb131f824d09eee63d026f3826026646243db4afd77950b6583a

SHA512
3be69c4fb20d4c9e4cf1f2e1431bd76c6c0bc332223287e82f9a14d17e2e79244917ec49d9175ba8ffd432512f021d7839892d5f078fd6b5b8c186444ea37000

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkgK.exe

Filesize
158KB

MD5
ce54b8b8cf8a6f6d3fce8d36d7cf4f56

SHA1
e46fa794cf4438bcf78230dc1b02397db81a2c53

SHA256
831753fc55a2ce1f55efda4521fe2cc7f2fd10f4e7cff0b1995c741d8dc6e4ed

SHA512
533a4d25b883173769dca217fa1d2f5c5f124dbe2fc4c8968af1a0de0c9475973b906d0ec20546a9b11cf5e30b1c76fb79ce9b57bb8083a96980a8be378cb32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwsG.exe

Filesize
238KB

MD5
3228d77339719cf026814ad892ce9c71

SHA1
e9718a5b127596e85a74b085ecaeb2ea0ca8a6a0

SHA256
f222e864f71ded6a9d92d7a2a17c4189151d421d3c043c4df1458652c0dbc299

SHA512
ba323eee6bc6cb3b827db7f435dd6a596d093633716c44b7e353031cb2f66f97122bc315bf94bb2d40fd7372d97e0b90afac50f24ed5b71dce7de83f0bbdfd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\BiEcUcwM.bat

Filesize
4B

MD5
932d5e41dad8c62ddd917e015ff7e0df

SHA1
63c302e8b8154afb2dbdda8fbbc2929fd5f01266

SHA256
4a5da484d646b71905bdfd5d58f55f36a8f32634b04d2fc7e59f25ce243950f8

SHA512
c63c81419165800d33ca16b42fed433a8223696d8edeacf6d8842c06224769b3437da2d0622e7f0875a72b58098dafd3c73eb3cf66aae7e46b9ad1e72426e06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoEcgEIE.bat

Filesize
4B

MD5
2a07ba481e8c4024f6b32737192bed2f

SHA1
286a2a95eaee6a2ccd870709b073369cc5224726

SHA256
14eb0c405ee0df6835f5116cbda8cd3d167ef9be606957d7ff704e2f4f58e0c8

SHA512
f0b011b1a62a786c0013dc37a28d4f18f092243ac3c8e5acaa291a4f6b18a6ca6c2897622e0640df5c4f75c026cadc8b01845bef1c27b6d33245351031905e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAMS.exe

Filesize
159KB

MD5
046fa2bfa98d33a6a7ab57c9ee31b41c

SHA1
604c8c8053bbb01d7abd99ab91239d125710e71b

SHA256
9f0dce83719f6203299d969167b7b7ae8d524b71da824e7e0e30bc9e14111f5c

SHA512
520690dfa50bea0289c0e6d004e55b591f83ea80107c04f110d7d360b4ec1a7565abbc98747409e97cb3da19d66f27060d380082ca690260483f42c49daa7e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoO.exe

Filesize
444KB

MD5
e381a3138aca0d149d16bbf539202af1

SHA1
8139673f982d3e7366d88d8c673c42c499a65aa4

SHA256
c4968bbb566fbd43da083553d770ab33100888cb2c25183f0820d0249da6b190

SHA512
c9b38db82b60fd94bbde8cf2b82244844bb1acdf891d0b4fe7c64486b40f5f0f67ea4e422f948520ebe4f61be7ba4cef8659057c418b8b2d4eb72d9363599687

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEEo.exe

Filesize
138KB

MD5
58a89c3d050007324088199be9fb3730

SHA1
66c51b8e105b0575240d3caac76ef46558694e3a

SHA256
aa346164a44abcb96a3504e69b10b039f58b9cb2fc463a3309ce13c72d4a0ad6

SHA512
7362293be8593716ea8af9fce5ce91daaa8e7cd95fe0be1a7f5c5ee9751a0b789290220e0fd1f6010cf94d4c5ea27f006b47b59368503f9559e16d4e6d302f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUIkwEss.bat

Filesize
4B

MD5
0d752224e16d0c50a260cc9e55820c34

SHA1
c3d7ba7f8443e991894cbf7b21635203e2e0e6cb

SHA256
b8aaa1d66140375bc208e36068f33faeb4b52c4d640971a75cffab2145fa0733

SHA512
f71944c17a27f3ac0ac58a6991e3ca72f19df886b8cf30386e6ca4404ddff62245b1d6e0344f0bd3da50b114bd1938b97cb2e5caa7bb8373f14667cc0cfaac7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcMQ.exe

Filesize
970KB

MD5
5fc7892d0a05ebd1c33a1aea43d7d04d

SHA1
bfc65a5e146edb98a2e7c8920adb81954ddf2931

SHA256
37543a3bc66a243e9248c69def1f3f0e2006024f51aaadb6fc15337603e73a38

SHA512
b53e7031d7ff513cc96f009cac3f82ce881c65253071b4e76590a520d8729b44b443a7b055b0d59e7705ea44fb2ae58b8bee9a2add6791775448ad79f9bd2d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcwS.exe

Filesize
158KB

MD5
a2108defbd244d08a9e00f9c1cda52be

SHA1
99c0ae869219ba190b004b28d4074da29c1a9eae

SHA256
09c300b9e636cf128d6beddbbeb490380f6b81e3dcfb3ef09676861467ce8bde

SHA512
b6e86c9d72e07cffc6c2844a45dc9c321cb1f140f5a849924d74c1579bac1c048ee23890142359661c49bde4a3504d9038889f5bd0d9110f1f0891005823621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsQu.exe

Filesize
158KB

MD5
25deeab11bd3e78049a9da88cb22f93f

SHA1
218977ab4b10dce876bd06f0366dc9068a2590a8

SHA256
6c669267caf4f0ce8b65542652bc155f9556760d55b23957082057ccdfc9f9b7

SHA512
b297ddbf59b63bbac551c0819ff72d062511f71e182c7d4b196f29c7c27ba395c62773d0c2a331708375cd90ae2c1ff45585700e763a0d694ab9197e780d6bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwsq.exe

Filesize
160KB

MD5
a56d022ed4c4fa6e10f0fd484f350f9a

SHA1
86857b157de5f302a623e84f5913bf009369f007

SHA256
bfedf198fb91047d9aba305909dff82d0607496c7320983e97af276613bcfb37

SHA512
55f4ad2c402df9363eec9c7c3826179782fc98f88ede6dfbcaf241a45869f71a4f3916fe039d95ca8b1301ac566025af0d52d0a1b3757148aec995751026bbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEQIMYgI.bat

Filesize
4B

MD5
e866c3bed21ef7e05ffd657db111c1f4

SHA1
13943fc515c088eec68378219b355bf73b9cfbe4

SHA256
c3eddb3c330b00c97d505f2ac98610303bf0d51f870f5c574e9df4942c7862db

SHA512
c3571dec8675d522c7dbe80ff64b75949e5417bb06a84915d688359e91aaadcf62e290e2194a54b8658d0d2c16e576cd94bd2a0afd0688e041a69ec354b67003

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOIcoccY.bat

Filesize
4B

MD5
d3ae77bab27f460e287b5c1c7a454ee2

SHA1
bc792654d98b512dd0dfdfa80a0703fb6f943eda

SHA256
46fb1a559ae0d241a082e5476c9ccd48af5b77f38754420b4644061c0d8dca01

SHA512
53653b4e9fcccbfba086ad584b217aa2625a7f08786d4847972ce9c5ae1f5e955bca70c5c6c77e7f00d1ce3c2082848e6e997f7ebc511e989d620d90ef0f6e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQcMIUAI.bat

Filesize
4B

MD5
02c6ad340a50b89fb737752608624275

SHA1
5c9ccc1f251dee52f918c57d438da72bc553f52f

SHA256
6fd1ab39ffd302110d6ebdabcdbb7254a6dfcf5b88e84cb7db0fb9f0d42ef056

SHA512
4f07be2214b47f914336d127d9c44c503dd826b54784b70a2cde93e057c8ff6fdf9545c1169629ee42cde4ba08c5e4125cf3e8deed84da9df43740b0c6b9dafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWUwYgMg.bat

Filesize
4B

MD5
db9b1f2b0a4ad388f682e15f2c44d878

SHA1
0abe180f43bf7a9ab0ec6ffafc670b8b1a76fdf6

SHA256
e5a64b6712b78cb7d1c0d480aad84adfb8e75dc0b04147dcb7d3c4dd3764b40d

SHA512
85f5d9fd8b8efdc13175b4dc2d4a7d3e95c3977bcfbe47fadbd9e8ec559329c4d745121045dc1cbc0d93baac2179353afb8705f90b39d37eb7d834ad946dad96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DesgYgEk.bat

Filesize
4B

MD5
f4e724e93ba48e4c1e799bc606b9681d

SHA1
ba53d3e6cf94ff2e422c177422eb7df374321908

SHA256
5fafbd5814f079982661309d9964582ff839eb1895da1ae2dce56652a0e0a7aa

SHA512
8c87f57a30441a2c4f298bac1ed250eeca415d974aeeecc106a0c3a177b375c71572bc01d184dea5629463a4475e9901cf2e757e09ef25a7ba45c80d0db7fd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DogYMQwA.bat

Filesize
4B

MD5
39cdc2f3249e4ec70c4fafab57000bb2

SHA1
5ef2b5916d7b802b0325a861ee61bfb10bdd9ec4

SHA256
e6eeb1b523034132b5948df7b49c779a702f99af19540107fec23278009dd2c2

SHA512
30c7e7b3d89023b8c177e0d7f8a4cac76bcf8627fca2df2547623b3978a0f0cf6f7813412e9b0021f5f3987f5e365f0ab40632209aed5a9e98ce8400d39692b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIwy.exe

Filesize
137KB

MD5
3bd9d027f5b8870762db01a63e457950

SHA1
0d8dedd529e1fe6926ad53623961bcfcd3610362

SHA256
9aa2f6add7062e65bd3be421ad4f6e827d80776046aec39b86e1ea9de611872c

SHA512
b95964a64c9176d602d5c0ebdef4b62cf2fd2df0fc34f524cea881ff481b68883a15670ad3f647766be1742c96e65c5be2e848e881b81a4d662e4b209f55932c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIO.exe

Filesize
157KB

MD5
efcd6185f0850843593f5d2ab41ca1a3

SHA1
61735a3351d090a7b8e7d030d95dbbfc9015860e

SHA256
fa84f9ae328105d0d4f52e9549efd84444eeb0dd540c2d7536a740117bfb4f71

SHA512
e34d15a59a9f7b40815e9c3ed2ef7db92313a274ff4da148326746e882cb0b07542b17ba7ca7c6e694a5b562891ff74745666fc9f64e7d3059ec16e396ffeae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESwcgwMI.bat

Filesize
4B

MD5
c4c1fd90d1a0fd50aed91e5714862565

SHA1
f83714cb5fd658df69a89492df4dab13ff5ef3bf

SHA256
72579dc7aeb0cfd94979cc196bc95cfbe5f674a70ccc5ae9557d5f51221739ee

SHA512
ede75ac09409666a5fd655d033aaf6f603974c47d1100b839ec077ef031d751bd44aa52b258bda9c999d5bd48182eb8850acd484b650cd4a366b21df56fc3238

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgAo.exe

Filesize
235KB

MD5
6d7ae5cc6c3ced99c384b5a827e938e6

SHA1
ecc9c92d83d64e4595eb872930dfcbefc6a68bc8

SHA256
60dc3d6d6ae18ca1cde97c654d8e8db5dcd45c2f4bc9140a4fc48317634d56d5

SHA512
83ce0b39ebe5851cabbbd777831d011698a9311b6479ecb8e95ce9fff82c73ca2c148dcba8656ad41a861090c2eb5c78e41fba1207e72262a9d1ba40126ad974

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkAA.exe

Filesize
157KB

MD5
8e3a794d044e17b16a639a9b5b090b0e

SHA1
60f2e1869c5000888c327cfb0794a08277c268bd

SHA256
8d64e15d100fb9299b6d0f1b68217b93166725df1cba222397ec2c301a434574

SHA512
b8577a5103c70087a666d82aef631eb67fbe98a3b60b990b68ef9f6fdeee0e4650db5c2c7559fec78fb476fe453248b2294411f6a18d6b0efba2c7c77c52beff

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQM.exe

Filesize
153KB

MD5
8dd7bd2ce8abb214ed56d143bc0cce9d

SHA1
5f09b39c5455cbe555a4d8792bc1041899151ce0

SHA256
71cd1aa7bfb5dade8678156839e432b3afe3f2e7feda8aa4b1f9a578c97cac77

SHA512
d07c07f764e0e800edb7792e00b75ba3abadf9adced862dde2234aa092aa1db461e9a9f9f438a65ab44551f9a5e3bbabcad3090b44cad33e6e70833775ca6d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCMkoMUc.bat

Filesize
4B

MD5
303f8372ce7f027e007dd025cba17a25

SHA1
6d051ccdb5bcb6c18fc8ba9941b6d33c7ea76a95

SHA256
017f8ea6fd605a32d433f3a8f28170c94623fb79e03b9498c7eea02e97a36308

SHA512
21124ae616e4075ff87b8c92988eda0e9b6f4ffe9520af8db1eaec6386da830375b490583bcf9885a42116a21e572d93ed6ee618d44c6a2eaf44769066b1a016

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsW.exe

Filesize
564KB

MD5
ad8750417537dcf8fa361b183172c680

SHA1
a8a1fbd4e05e1e90831caf45c49497ea3db24918

SHA256
57390bafb71b4a74dafce318c9414fafd121be32c2fe736ef74d5c6297bba851

SHA512
cdf0e1ff0820d976b7c3f4f2a28bb906cfee94a5dabd0572d710a852acc124d0488480661161cfb93758e2993c21ad87005afba2b77365263bd57928f10f6883

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQcm.exe

Filesize
467KB

MD5
f1a401cfd704838064f74ae3b9a405d6

SHA1
ea47d6dfeccbadc52bc4451e2d0a33146718a3ab

SHA256
6d34d93a22c12bb4fec54ce53405665c7890536639cb407e07cb3f6601be5dd5

SHA512
4f49a0f78891e16b7d2418b5629aa4c4efffc8d717ee762f1a43d197dc5cc567afd34967822df4cb1df701959c7ffd80551cfe826056eed970dcb4dc6e10fbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQsY.exe

Filesize
1.1MB

MD5
da0c608437de5d5852099a3c195dd361

SHA1
54d344731fb076ceef7cf40ba3bd147a2a19a9d8

SHA256
1764ae6179d2b6b7c950e9e8254f5d90539248881d04e715ed70ad2ec873b07f

SHA512
96d449e65de01b1f331d3d5f08f0c3e5346e8cc2840d15eb1321a4ba658c13d319a8093f5205912eb526e4702998bad9f94a4f11aeeafd665141fc1b28d336db

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgMu.exe

Filesize
692KB

MD5
6758005fd90fbdbf243e9eded36f7a55

SHA1
921d4da1980972b2679daa89c4aecd48243f5159

SHA256
d5a6f3c5c311b37d8f0280df7a7b56a101acfcb14aa744e622f831a6b81eb527

SHA512
d38247b2d52361e82744cb3f369a38c625cdeb53876a99d15bde83690ee54bd5134f8430048f302c00e50c8945e81820140be90979bb803b8bea8e5aa26734b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gokq.exe

Filesize
744KB

MD5
e916e3b0411681b7190ec7fef56b9d5e

SHA1
601c5a8d460d22b9755726f8738f354eaa604a19

SHA256
6c4b2cd6773cdf15b933434dca4c7e14b78e8e83ca42335c8f55b0c0341a9664

SHA512
8b08c764ed80ebe16e68e7fb04e1fe07c34390e632a8bec77ee69ffffe2b07dea2721a6cf32b2e2e9f89d6987941e82e1e82bac5fa86429a4b9d90ca0ba2df4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GqIIMAwk.bat

Filesize
4B

MD5
0f2878d62bd3bafc078c73e92891543e

SHA1
ce16b421f6bd83ad890bcc7c104060510a81828f

SHA256
ad61d2714cee22a0045c7cd9101f86bfa4d2d7981fc5767565a1e7d82b841b2d

SHA512
339ba42c564e25d4cd80828330b9515575771653f6b51cf12cd0da6f33d7cf52d81a50695cdb835dc4e8ecd44cd8e031446b2f62c4faeb956d634a38e5bb1f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMck.exe

Filesize
160KB

MD5
4f96f51665d8f124b92f0e5fd82ffee3

SHA1
6f5432a61427c883ed97ca652a02e5607d781aa8

SHA256
cb5cca4890a3c7c9782feaaeb429bf533751289aa5f51b6bc6eba4009a0ec098

SHA512
dd007f108db8abcebd0817896066890a1091e96124123c6a142b4a7502efad20ab1afde69d0ab284370aedaaf910670f517becca7aad74ac68d8bfee1854e22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwO.exe

Filesize
156KB

MD5
5d805845f0d13f77e740f7fe9d36814b

SHA1
76d50bcb7199cdaef2db78303837e7c6b64bf1b7

SHA256
6802d6e7ffb0bf15257df16dff78734c8d4322c3fdbc294c103bd7cefcb6aa34

SHA512
2ed1bfddd8f9587c2222355fe0f275dc07c3420b2fc0b4f2ab29a1d637a93561ed375d41118238699fb1e3fe5cd65283b4f1430e3f546a47f9a0fd77feb2dec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAq.exe

Filesize
159KB

MD5
22c4daead68e74daab5a7d39e4d6c50e

SHA1
e590c5b5bdbfbaf8d1e7d24a93b22238fc9e73fd

SHA256
8f96d11be5c9452e8c0e91763bd5cce9d492e82c2e51f0022a17e27a5a4546e2

SHA512
55390ff7c58adb6174c30183c92329f9e8420ef636d6646684b38fd81a4284e05d2b813f9c538eb7519c04e4bb37b0e05025c007ed544ad89dacedfc22e29389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IksG.exe

Filesize
158KB

MD5
5c5dcb7f5bf9d9967bb26648c98596bb

SHA1
3257d700a6a3d424630cff1ae7e9bea5555409d2

SHA256
f6c8dd079a0de39c164cf15406f59b54664521ae3adf8afc10da276a80d37e68

SHA512
5248e8ce933684a4c986481a9358ba7ae9cefd5eff03c47ffe0929c4a0771ef82d8be84a384a0feda739a088ca496dfad5e3708fea38de426cdb697e52984e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IqUkkMYg.bat

Filesize
4B

MD5
367c286dbcd6a64130199a689ed0c269

SHA1
a488c5ccb3b839c09a9abfd94403994b04e2736a

SHA256
576a57490521933476d6f03fcc246eb9a1f2bba17db6090f06546fbff97bb163

SHA512
0b55f0efbae7c223d15a16645e48dfa4cfad6abc91ae97ee8784a2591687b5be73cf4f039f9becceedff7f4d05b8bf1db401e832eec64a2baae1edd418a26140

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwcK.exe

Filesize
158KB

MD5
098b5a3cec6f998b46369c3dcbb37c43

SHA1
fe1d91d70446e52ae92158c449f6a1b361d860f9

SHA256
8b3135a79da6ba7a85f223469fd697d640a97e3b2165aa263c6fbb1270ba8cf0

SHA512
96460b97f84b7630422e1670f7ffa2deb761e6aea0543a7154d3ba0bb828cb86b7a1889885096643e1af2a8ea54531e12aec2a82b558465f5bbce50411fd8f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAkk.exe

Filesize
157KB

MD5
150f86bf9716788003c18ec258fa9dfa

SHA1
36323a6fd3100821c6afa511f8c0f52fafbdf84d

SHA256
86dcb7576d92ceeb0683c3f8efc7ea28e91f6f5dd0f4365501c0c6eacaa235f3

SHA512
0890c5118e8a270067685424b6dbdeccb41d39e84dc8eb30ed01cd002cb032296495d5db147087ad8a86aebbcaf7c8e2cacb4e98b6f3a2e7a4b120caa461f9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwU.exe

Filesize
149KB

MD5
30c89cf4d94584293167b52845287fc4

SHA1
90f5a7d0391b1ab3024d43d6e613e7149189a03e

SHA256
5badb004c8283cbabe955a481cf371b8328d929ab55b60d6976acff025ec50a9

SHA512
742d87c43ed1af3bcfd2eb3bfab19fd473795b795730b2ee04b20ff3fba5e74a6cbc551edc24435b3fd0ca304ba03965cd0f090d63eed7f9bd55130ba042379c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEAM.exe

Filesize
157KB

MD5
befb8cb5a4822fff578102d04b8d4f25

SHA1
6d1928afcbcd7a6f51ee05650ca7f72929da22e1

SHA256
a92041b3663e4c10dc81f808c60e0bc48df851fd466f84e9b29e9736e5edaa9e

SHA512
660f985fad66124389f14deec6d57b0301ba34d8aae2350101d93aa09c5ca268c52193af929628c1cb74e160fb6b05eeb3353f8d7f9d142d8fb712602bf4e76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIEG.exe

Filesize
683KB

MD5
fdaab657e64158c7ab5de970179915d9

SHA1
966574cf16aa7f5464330c07ff4c72934b666b50

SHA256
7a95bb038940d6ed7d7eabf3cc1b6854a3f677bbac07ae1024fea2d611d77fe6

SHA512
8edb2b946e0b3a5947fb149c59cc98a11b60463d3782f5229a7853da8f768c412d64a2b47635b230f67bc3f3eb7deced0fa11a2d0e49be21ad5be8ae79d443d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIkW.exe

Filesize
642KB

MD5
acefb5796d3643eec0aa853e6f1341e8

SHA1
9f18cf130a06cbbd2e6f7c533b6ef7bb8abc3e31

SHA256
1df6950a6362e563feb006790e567c11d81da560793b8366045c8d928e494a07

SHA512
9f0ad47e27567043098a9baf9082d1ab07c4178c03e3478e4527c03bf2732c077a17cefc172ca9c5358726294698ead0b4ed132e48f82d2091867ff3ce93a1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUcogwkc.bat

Filesize
4B

MD5
8bc1965a4c816760fd8e42c3aa044ed7

SHA1
3409e3e9c82baf75cd53656536222168a4fb6683

SHA256
83c3ee5fd4410b5b0fd2c4101dca7528bc7a3d723890a279f2704e4abd230deb

SHA512
a74c4ce654967b37ac5abb29d327d17ad2ed4e0203922dbbf6d7c78d7e26ed3f9ea374d2b056dca3432fe25ddc7f958de77ec65fb51b9d0ab5c57993c4f03302

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYUg.exe

Filesize
157KB

MD5
aa7d2abc9146bd13ba48f40ecaf500ee

SHA1
6ec6ef05778c37866d9d1ae9e2a2d0e68d642deb

SHA256
e30bdfa61cc45304569dc49683e1df63b5d88c876eea528743d813cb823ae67a

SHA512
c0b34584633e570d31346ee031f25fa2b547e69e8231dbf1cd8803508343994c55775d373c5438646e6585c4a6914933d2e8268b17a233f014b3414ac50c8f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUm.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kocg.exe

Filesize
159KB

MD5
7f526eb5881d2041400523f5e25d1640

SHA1
d3dcea693bac2eba3e8e50ca1035ebd320e071ec

SHA256
48e3b8c40ae3a8e7f428a55736035050cf4337797016ccc715005feb64518c98

SHA512
60e93a98aef456749fa5a4896359c40d9fbd70a615417b5347b5fb397e1321158b6391929b5410e43aad78fce95eee5df88e8707c0ff9f04057998b4ce1d2416

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQK.exe

Filesize
158KB

MD5
0560076c74832a31908951f8d0b3fef4

SHA1
3c1525daf39ed957d06517a9d197825a8596969c

SHA256
b3225cbc41fac9729455b33c8c1db5b4304b0e833b782f9c1305d66e7f7e26fc

SHA512
f0f0f03fefcb74080aa0d6bf22a0e3c294a45679289e8d95e7312909defe8269dadfac82b99f7859d95b592dac1ee78e1fc92c24431ec16bee7d3139306152ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIE.exe

Filesize
874KB

MD5
140d80e8578035f3c317e65f05cde2e3

SHA1
26779a42461cafae73c367c5a4f051de49ba516c

SHA256
c4e087b000b420af99b1d1e2dd81d4b4f132308e4afa6d0245e06a826e87b65a

SHA512
22aa2be872e4fd9d07551b79e0f37f3ebc982f50c14d864841f5aee7b9662d4adb1a9a093960230f8b83d8dcdc4a38eb7bad5319c7f038e8139cbaba4f6e5418

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAkYEMcY.bat

Filesize
4B

MD5
103a2ed9d4758ca2af0025e678acff0a

SHA1
ca149faee2c07421dec780be57a8cf9766935f88

SHA256
6eaa460f17c6c26292739a1e3ed66d91a3b55dc6b065c3ef29026e2f948a359f

SHA512
c7dfede6d098e680cae1da033da10325fb7a7d5f017adf30da9f060a1c234c25db00e41744a83ba19511bf286a42c904628b91a6022ebf158d2768ced2290cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOUQQAAA.bat

Filesize
4B

MD5
fe8055b34560daae49f7242291716f3b

SHA1
e323ef4edcd816fbdc32a0945acac460d89a08b1

SHA256
e746a1a3df5667b6af5bac086e9374770c47151cee5949312d643600606d6625

SHA512
78b648871203462f694a5514dcbe34b199e49557a0b4ee5741b3d4be83a14ae4de1fbb559b0fc59fe68879ee9a04015eba2b576b497b7527558b72caeed48818

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQgQ.exe

Filesize
159KB

MD5
d80ac466fd780d25d5157f2e0fc6fcd6

SHA1
01a0b285cc2640eab7dca3cddc163bf263a6727f

SHA256
ec6976b9b11c165984a77eed95f52a3edd2502527c81c9fdc21f8c12801afb22

SHA512
5d3f7a4553c74e5fa515a190fce63c7ea1694ee7e6d2369124eee6023548509c6ab70d3948b5cddd5abf81b06e54e92d6d9b781f8c2d03d23dbfd17bc15dbaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQY.exe

Filesize
133KB

MD5
85a80167fb5b33258128ceede145d1db

SHA1
e76c44204e20dd5ded0fb5ccb84854eb25b6815c

SHA256
7e3d173797c58301301a8eee6733370dd35785bbab31b561f5f9f6c550dea1e2

SHA512
3a1a4a85a907666cd959a0d26f370160797a8abd31f84a1225542277bae0520baf48ff14be8c7951b51219125391f4e5d084960700b55ad3a1fc06a9bcd2006d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEkIswY.bat

Filesize
4B

MD5
6000ae5689d5a5452271df1e49f4898b

SHA1
910e0d29477da07168a118c52c19de9c954be4b7

SHA256
56222e5b166e3a021ff02028052a6ed1ca6be8e8825a2bdb0e6c0806179b7725

SHA512
ab4b8177c4a1e5d566467b2eb933eaa91be5a1497759666b6de13ad2c9f7e81f30e4f63a8c7dc15aeac557c1ba310fa4a040794d0dbb5a20a69f0ecb7a8306f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwoK.exe

Filesize
553KB

MD5
34d5f2efcc5cfbe2f770e8940a9b44b7

SHA1
ff0d8d20edf8c8faa16aa04e5792d69ac0ed6878

SHA256
cf86abe4a93e25855e07ea27a0a9c3eab25893e3474e4a9e6eb4cae41ffd95b8

SHA512
42fd080922151699f0292b72a5c18531fc16f6920fb92c52bc6f2da791e3554af7fffa467240217feda747f2f904d5935083b329aec8e1e19590661bd51cac7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCwkgcsc.bat

Filesize
4B

MD5
fd4d1020209dcf7b8f8ff208c128047a

SHA1
6428c4c1fd9e5e1c29805e50fb3e53fb3751e870

SHA256
6c58a242779968b0aae8f18737f9fa7efda505ddffde87d47b41c2a35e7f247f

SHA512
1b80c17df4ddd4002a9b681326bab0792ee19ac53d6485d80038bcedfab67d37059955fd3683fd6e0a67d2e0001ad759969b3264c6f8140cf8a7975c3ff799bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIIK.exe

Filesize
159KB

MD5
f5d0cb3986a7ac5f9f2312688aec16ac

SHA1
801c0275cf04b2dc67198b04285f014b041a5133

SHA256
84a7f7c721ee60ed38d9bfcce1deee55cb27d740f70b7fc7e119ed530f3b337c

SHA512
d93f1697ea17c586f06906a45fd7468cc5da70af47e7c25d0d172fdba8658b41861f40784943918ecd94d942271b238ef04ac9174062f121af521217d95af41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQEEsIk.bat

Filesize
4B

MD5
ca45e64c1759a7992468e2db65595423

SHA1
754398d32c4fc87666248af1e694a0226bf34b29

SHA256
257a069980cf248641fbddea5b66971000a7906ffb7f4507f0eff90c1f384b31

SHA512
8bc02a4ae8af4d348420a8fa0de12ee90b89920a9353dcef87a7f19fab80d0121b0ce8ee361e6ee9d4780b2be7765ad61368342ddfd5766eb07f275ea83421f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKMAsUwE.bat

Filesize
4B

MD5
ce87a21fe74f4eda48de9481f57acdc2

SHA1
9761d3601fc18dac898b495f79e5792b76a67de2

SHA256
153ea1392083f13a8d5fe6fe17f3e2be768723ce8321ad2dcacef48e78da1717

SHA512
48b3915d29e71adb124d9c2be5c6a1cfcfcdd9e94c6e0a118dff56f50edd4e85fb88b43ca88e0bb9a96e19077beb9160fdfaddf94905026f5ac1ab851b66d7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmEIUMsw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoQskMww.bat

Filesize
4B

MD5
d77922daa62b45a1684d5a7c24a272e1

SHA1
2cbb957281cb05813dc1187d532e27ab8801ff8b

SHA256
ccdbb45fe9ab7b81ac99cbd27e83d57f341335a7008c1e8f7045cd4c890eda59

SHA512
2dc63105d672224fab113d7b19d01be954092b89df2be2dbb1a669d4c26e0b2a79ec590e8c8154e8a3ca585fc6dec4b88b4ec82ebf58e185ff51180506846546

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYM.exe

Filesize
558KB

MD5
d8ae03af9f59bf5273b5961ee9dd82b9

SHA1
de03ae12ab259c0cf0a119ddb4ed2162fbb421ac

SHA256
f54409184c81aac8c59456e79e01f30f22f827439359f6ce0f387cadc40579cf

SHA512
a2024d4c3f658045a865f1330e5c73c824c6a6a251ca21d2ff96768d48959e32b1669800bc17226af9dd914ff100fc6d1f1034fd13899b281bb5fbc55ce25e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMcg.exe

Filesize
159KB

MD5
ff85fb44cc46022d1769f39038d0d4a2

SHA1
014899f4eb7f9b6841017b73acf85fef9fe528fb

SHA256
9f92866cea28f2c6a21e6aad0ec3fe55acb346dfe2bbb09c263f95243bdbcfbe

SHA512
b9f6a54f6bcd0d10e9acc6e5c58888ffe7a4fcd42597ae712e853caf831e2f595eefbf785f6e508838b945cfbbbe305ac5311820be51fe3cfad2b840815342b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOQUoQUs.bat

Filesize
4B

MD5
0544b42dcd50f0481a19e13d3b60a01d

SHA1
4df19e6810052b76934b7ab02740f24f2cfbba46

SHA256
e1fc9b79524f8c228dfe3e6faf0fb8c6f02d6b6a9805645f55f95965670a54fb

SHA512
f759bff3399f55be7e7a231055c7bc8e85a8c2663f170a1a0085690832906c783d6c8349ef89acc6c81a595d76994b0833a8c141b11c49447fb164a0b8846f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQgU.exe

Filesize
158KB

MD5
cddb18ca5c485dd778d2ddeee8fa33df

SHA1
dcfa773ec3323e459a4e20281599965effde4231

SHA256
22c35f707c4096806aa70df0cd94207117db7f1c92f96bab8066a1499e9147de

SHA512
738e0fa90dd144ed5a61b68c318083f2b8146382d6b145f1fd5970e470148bda9768eedac71970dc4a33acd0c84edb3b34f5ae6da47344f515e9ecbca283be4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYYe.exe

Filesize
159KB

MD5
a02d76726a1e902e19537a4abdf901fc

SHA1
a203dc0540ea331915c5ee7d7a8cf8cf070f1462

SHA256
02f10fd796f5bd2a026c373cb8414b837a00804e7cb06ad55f7ff69b6077e7f6

SHA512
8b9690e37641fd2af39468af1b882e8af5f9e33bae920caec543fe18edde02b6a36e78306a9e16cdfd8e440efd44bae553c20e9ef319dceb247b0fcbf1704482

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsa.exe

Filesize
160KB

MD5
dff16d1be4b5bd42f8ef2972198a967c

SHA1
72d55e3c9c8eaaf10673554d8678304dcdc75ca6

SHA256
74aa542be5075261dd6c9772db8241656263da69143f4fc5426e83854304827d

SHA512
7510a4b3d8aea39a395653ec834e15ca611918084dcf2cca1aa7f111751b090cd8ed474dbe5421e21a168bd5e80b33f23ae6832617fd85cfd5dc521a87b7e2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoYIUMs.bat

Filesize
4B

MD5
ea14a5b381e1447569f3b40b3e2f82e9

SHA1
4e6a3ab46b4a2604ccbd21bba32c7d644955e60d

SHA256
ea987f29e559cc4b3a41876b093268ee541ff9169cfa9ab220189c1e7e6b1e9c

SHA512
23343785f39a300aec62140974ca5eeb83c323c5a138996ed195c48c792d8a70ff3c022fd47555a3a1186bcf165cd305cfcb20181f9c5b72c2c146413e2117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcog.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcwY.exe

Filesize
157KB

MD5
af3df40089be641de92b4a6a0a8a96cd

SHA1
fb25860c8bf0db8ea6efb66d29b79bca3b2d4cfc

SHA256
b87753d58d945ffceac452ed9f06db49780c21a4fe711459598d29f81f8969eb

SHA512
1982252d920ee9674da9bca92a54121980f44ff1edd2d716624e67d01e4169164d009ec85c69ff04759e4cae45cf9470e4b8e0efcd8b48e7f6f17eb645723ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQIkooM.bat

Filesize
4B

MD5
569206482896045e8c7a305429cc0d5a

SHA1
2c0826e3123949048c582cdb20da59415ddd9802

SHA256
2c6cea5ea93e85b0a356b37809a422b98ace6d1777f8ec7ce0d53db0899fd417

SHA512
6159c81767c90a893747ea5e0c235bca829cbf0fee6917a2482831d85c75797c541b13ab9674da5faadb1141269b0aa4d088329e3f1128a876557bfe989d1967

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKkkYQMY.bat

Filesize
4B

MD5
ca79d59c0dde96ccd907137c24bc2929

SHA1
ba922c42f215554678ea125e4a843818a8da02d2

SHA256
6145e988ddf8647161ace87d89eee6e9fab2f1071f5bd425a815f72ce8858a69

SHA512
5dff79fbc73e709e388972d03e36be51ca8cc5794d735cb072c32c6caeff2fc9dd0ff75a06d59bd62955d1c9175755ccac000bf8b52cf822b4d4e31147553b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEAc.exe

Filesize
157KB

MD5
c4653ffc34fbcde8531f25d0a519fd55

SHA1
9eb11288d2069f1ee36a895db09ac089cb9a38d5

SHA256
81e42a043449ddb0cae3bda982c4f1c88d223f261f3f785a80d35ec73fbf5747

SHA512
95277a6a0a189e762175496579cee86734b4403d93bd2dc00b5ed9617d21bbb1588a2bbbf92c0c995ef99486e9d88fa3f1de85cdd26a1d1b2e25d530948c1b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIke.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMYi.exe

Filesize
160KB

MD5
bdd5ecac7e1eeb1a848b509718baad2c

SHA1
9ae3b64833d4f46d7c38ef5d42948abcac6f28a5

SHA256
667c1a38c2e01075e58edb363e71a3255b0c57fddc330d9eb71815102c1faebc

SHA512
0fc05bb51924cb6d79aef8373c1bcb0862158c42fade5fd36aec2ab0efea903441293d37c62a73cf79125aa8688cbf8d5c73804e333e417302a101d66db9cb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\SikYcMQk.bat

Filesize
4B

MD5
662a1175be4ad92b91848fea0de5205c

SHA1
06d31a3a3dfda35ee455c188c69cd8ff3422015b

SHA256
c2561d13155f5e01c107ea8749a863a4186249015c2c8e1739458f9f36b6c34b

SHA512
7e1a7476e9e5f70b1bb84bb1dfae785650f90d846c9b9a1be4007da943b6df4fcd21af8027df29bbd41c389e3a359cd3c6d4ca63bedb1db4ad1161cc01ef6ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SscQ.exe

Filesize
158KB

MD5
9bfdc3f0f8438c7ae55487c020401094

SHA1
041a9b9733e32db82396b483db4f86e8472b30c7

SHA256
03b786945b1f462c02d13fe809cef7f452f188cce4a425c5a80067a473ad3126

SHA512
5dbf873c655b7274572939c18d4ea36e7f9459c4aa73501595b2616cff98eef2c78ab4560bd709ecf9e96c550800e911f9db292a10e050282e667865b2778fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAIgcQk.bat

Filesize
4B

MD5
c74aa7b43d675d57c7d35cbbe27fb708

SHA1
37a3a5b754b3132e716ec07d51ec50db167d4688

SHA256
0288616885a47fb9fa5219c0265e658bb1ef747eca76f12ebd8beec74af92f1f

SHA512
a280ecdbf89f9330cb62d6a2f56992f335b5d8e38e3cee76dd6bc088a4585214fa6b7326a2f0dd06e1dd0ced52eb33bfb58af11b7f9a13008d72b0c32231f19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TukMswQY.bat

Filesize
4B

MD5
c72e3f4a95941b94d12ccd89ca31c867

SHA1
fe45528188652bb13b82edf7f0e370f6e443ad92

SHA256
2df3ab968d536a20fa8bf49a26db35226904395ca79d3c98de24965b38db2dc6

SHA512
3df525096cfa899c3386c35ebfb826536ecdd02a939ee9d876c04ed3d96b576079a8224c3329a837c98e7fd831c1070e80271d1ea0e9d623cac54caf096385e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoU.exe

Filesize
157KB

MD5
b03a01f0c4ad47ca0bed31eb880e72a0

SHA1
0cb5fa47ca38a76c12c750d99edad597dd433c65

SHA256
fcfbaf91d906b847b9fa7e31411bc13d4cdb4c29522275f69f3bc1586958b87d

SHA512
e6bfc487d31685d8bf94e7bd0ffc67702cfa4098a4155a75a718ade64695934da5005cb63586b1abde2823ecfdc3f25dfb843b4a2ff8c59720fbd3a9c1765d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UggE.exe

Filesize
160KB

MD5
07f6f54e5e9cda6077a73dca118ed72e

SHA1
0be63d9666b305261dc0aa3fcddff22c6066e2eb

SHA256
5782517a2ebbb3ae31e8809d5bc35bbf99393ae1180339d8de62d3c739f810d6

SHA512
3dce4cc969d17db148285eb20a2cbe29f5b358deab2f50e5083a8f2584271a8f7be1e99f4058310740275eaefb338463a7943140fd9b6a6fa528ba4e7e37626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIAggUQQ.bat

Filesize
4B

MD5
dd5f3b76654fdded39d2687a600e71ed

SHA1
00ad6026396231a7db47b51403b3923e4ccc88a6

SHA256
882b1a9ae5b693ef22d73b9e6da9f1d9f2b1e778b2b995376f07f31413b0a144

SHA512
b84b6803577816751e9baa545ff12d15ed8484cd4828a2481a1262fc759f28db0b9df623f09509d07d1b203cbbec30ead61456e11be495cf796f334ab7640873

Download Submit
C:\Users\Admin\AppData\Local\Temp\VugEgAcU.bat

Filesize
4B

MD5
281a0ef634f3879632afe836c4d875f4

SHA1
b637ef5af7ae67b1d0d328bdde0df8c3e0922a53

SHA256
2f31735861ff10e4b6603adccf03d4408cfd36fb9f7b6e616bc72ad92a34fca9

SHA512
84bdfdf6aa1cc25a965dc7b80a890ff6dd72f9453e344e999a3fd8482629fa1514e217a0cadb082eae5f03e383cb07458a544ce7f80bed53d254afde1dc8995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAEU.exe

Filesize
782KB

MD5
b00924913db0fb89b394890ed03f66c1

SHA1
0f7f4f914aded095a9e646aa2ca39e23b26a093a

SHA256
4941666673bf2251b4398634809671fe23f2bfdd7f4c043324d4271c1b24a816

SHA512
c809f2f37a4ef17684caa73c4ebadea71f253cd957c32bf20540e4cd5e20b1d952b6a1d1ac4d0a469348d8b3fc89c6737e79ae600e4fc0ab9566a52c9fefb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCAggkcs.bat

Filesize
4B

MD5
34defb4f1c3af71bbb2081e26fd575b9

SHA1
803ceb73b5b6987de34d5b1e56ea385e233055cc

SHA256
691f50ceae7a8c06b30b7b3f3903df5471f99cf0c33c40db2d0df2e3e6ebfb22

SHA512
1b96cda0d1fc5e37167ce40f1b7ee8af38d2282a0afbaaa332d36b87c680d5e754fb37e2d5a88300188622f644f245810c76194bea57d719be459ea0375a65ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQok.exe

Filesize
159KB

MD5
5963b502622e32f53a7f2c87460dcee1

SHA1
ac881c0e9a1750a6c728860872887ae3f6af71d0

SHA256
dd53a48cbdc19e27053de28e8b5dc4c130c16f9dcb832312ba57ab11e7a90cfe

SHA512
332eadd307578c6026601c1e886cb6f8e8a85adbbfe6037ca91f2b515df6d7ef685df10893c0d0acbd5fd8c69342f6a1075450b708b96b53eed6a81bd00a5cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgQo.exe

Filesize
158KB

MD5
94960cd695f4aab5986daad0c8266fb4

SHA1
652794348c129fb66382e54405590d01f36317fe

SHA256
b1001627a0f8a3f6cc349e967c379487507dd0b827edddce382e084c755235dc

SHA512
9e0258f9a30268d38d620b1deb9d621cce68a1c3f3152c578e3cbdc29015df442942a8ba250431a7bd93aaf64a9af6473240e55d18d5d088b1127976a639f0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQy.exe

Filesize
237KB

MD5
9816374a7638174b5c23dd3419862c4c

SHA1
3628a492b43e04ba8a0e36e0bffd6e33d944f01a

SHA256
03058f89a36ace12f282d4da7d69a2c2f04b07638ae4f8b436a3befd399a17cd

SHA512
49f781d85e117584491de4e412aca43c90cf4eafb1d1fc7ef9e3282f6231f33c3ba5723fd128e4b4eb561d0a8d0f45c9af5f57ebf2b0b8805cd519d7444c4b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwci.exe

Filesize
159KB

MD5
2561c4d7c1eb0c00f6c4dfa0a32cb902

SHA1
1a7185fab34d39776e9799dbe9594a0626de87f0

SHA256
e727099b6caf3797779ac571e22106eb964121de85b988308ad7110dbb36fee8

SHA512
099db092c1568513940dc6305511fdbb337f6641876a822d498e3bb7bba5898e26c23aa0f0851fc80add2d8b49f5b8f322cbc2d212193230e18165fb51da9f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAUe.exe

Filesize
160KB

MD5
308ef172dba37df6ddbb24be23e81e9c

SHA1
16b3d5a3be689b8e44f5b35efc4bfbd3516334af

SHA256
47cff28680eea28fb6a56e153a9423ac7d4a5b20183ba8e51b42d133c3d3f03b

SHA512
c3be5e90576b04c9a2f4802662d2dd882663b02cb6080637e7421340f93bf7528e160ef5cb1d49b8be2fa8ae3d4a5e3c5fb6353ee21e0a9f6bbf9ab6d77e8d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEES.exe

Filesize
159KB

MD5
2d0725711a35086c2f4e9a63229d1f5b

SHA1
05a99636a7292223b70a7bf98f2ac31eaa4d7da9

SHA256
0c3088aba41f03a49f83ca8a06dc4dc6bb9916d4fb4148e5bc2179a51b07aed9

SHA512
e586cdf8a404717f85b5fee212dbf17a702bbb18de6cbe8231bd020e31d57431aeda1fd8c84e5a512ccb8c88ebf8204239252f05a1a924d59bc3dfa3800e9eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIy.exe

Filesize
657KB

MD5
66b9cf220ccf019c42f0443623b8b57c

SHA1
a0bffd1ec5e6fa82e0d47d7d2211178b6fe656b9

SHA256
03376f5bbc9a52501e8b1d5103d85ce5aaf1691901f8c44fc75ae8e285648e9f

SHA512
6685daa9e59910786690fe0deeb1a0cbb8cae17e477faa731eac824e35322ed24b23bea562cf765c47ad4bef9b48b88741dcc4a5446f50056e0f2253a946a5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEMg.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUA.exe

Filesize
158KB

MD5
eb0d763dc926282244699eccdad44a73

SHA1
4c298210999ea416f0d5f6e557226a38fb88bce5

SHA256
0da8374e4e40180155c8e4ebaa5959dce5bf233bf325109a073f94ed35b09952

SHA512
1fb38438f739ddad93e3edbb0a37c1b592f0ceda96b7616adf871e318d55a77f67556c79bf7e1f1030c11f3f0c89a885335e6539f8c3cb7d1065de2a7d50fb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZqUwoYUU.bat

Filesize
4B

MD5
dc2a21b0f40143d3e5d95877aa73f1b6

SHA1
a833463f37e988ca651c483b8a27e60e475b165e

SHA256
57a65d16fbef0205f8973b8342cfe66bb6974c38e94e3db00a8c8198f8554509

SHA512
1941660485f6e8f67b001958adb6db8b3c0a741a4d2ccee43fc2defa4fb3267636bc87f71b62ba3ac43fc160ebe7074f3ea39a3c7feb52ac39698ea6b5af7349

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUgu.exe

Filesize
161KB

MD5
5bc3859eb2a66378052f07f00e89204f

SHA1
090665b142d4890c3170abf3471f8e65104acb1c

SHA256
fad332792a079d24a0eec6ce73160d80cf3ce0e0ae8bea6ab90e157a430cd17e

SHA512
c963d882d24f299c55d9fccad390825d1e998e1a4205ef483aa211bb255c47af76c8dd9aaf338faf4bf72a9d8616428aab48d7b18caaede7077d1cb51d20108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acwM.exe

Filesize
159KB

MD5
09e160731143fa1e74b151ade05f62a8

SHA1
8ec7551ed65ab0e33114482a50ce05b0d816c353

SHA256
92eb9bdb106717dd25c799eadf29e6e228626524a649323ebc9cbdd49405b0ca

SHA512
81fd713bee347103814ae6fb06f332148b284c5ee0ed2a329f4c11dffb6db1ec5d5df496ff4ada33d8e8ffa6c7306fad39150f98bfb0b13f9384745618b2a110

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwg.exe

Filesize
8.1MB

MD5
f561040d0ca46e723f71829f6f2f22f1

SHA1
3b832477fb3f12dc6b6bef691061bb9f361b259f

SHA256
f8e5add1fa17bc552e28f568e385a2ef12ebef5201276e359e6f7cfc83109478

SHA512
bc67aee562c7197b452355d14617d6ffd141637248eb7a8ee2f9d1566941dac0f6b8e26809bff4babf27ad78449eae42951f1ce9fd5fff365bddc22614bdd59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAq.exe

Filesize
154KB

MD5
9a19db39e8e63d3d4a9024943bdf57b2

SHA1
d0a82ad7b784615d9ed21d7d19f38554723063ec

SHA256
820fcdb3b62a2b6b99c2c66ede84889c861f6153381fbfa93de587ce9b3a1750

SHA512
44f04bf1cb07c59065e31bf1632d62ef6b1d90c0e81dee45bef27e73a1250accfa06fc766581967c8f2e4fea88b8e8842f079c5fe7c2d8b1edec78def29af9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGAEoMos.bat

Filesize
4B

MD5
7bea7a2282e687f354ebf71dfe1a5b6d

SHA1
ce516b6a7e52e99e31e639fc8dca1035f4fcdbfd

SHA256
0826eb2337f90a630a962c7cdc103645ec5c827dfcca6efed1fc94c35fb3cb3d

SHA512
b780b309bcd9155ae8947be59e74c2ca0a26401a01469a21d8468900dc3b4b8aa78ee57136bf6e39d5ef44b697e9298bd8663c49ea840e923c33ebab274f84be

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWoAEEAk.bat

Filesize
4B

MD5
a665ae3c153b6e879ffb6bb11b14cbbc

SHA1
5ed2866e49efa777212dd3fc0a840c684d70fa59

SHA256
bb51a1d473cb3dacf76f43d2492fb9e853d68830bfab1320aa5d3e37bad4aded

SHA512
40ed6ccc6da8db6f33e3b7925307b8ecdc796982952ec9951c23dceb7bf377c6ab417accdb3148342bce9fb7d5c44f52af608d2684a8e59eb142ccc025ec22a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcMAksEI.bat

Filesize
4B

MD5
e92d5c6219551f581c1be833a9e84746

SHA1
74826799271c1881195a112d7394bea2c053c777

SHA256
84ad74f83e176028265847c9baf0de3d2bc622bd73150621dbb54dffaf4b3501

SHA512
4610141b9f10bf44cdafc42f614ba05b49bd9b88b1c4875e28e7d2a337381e9ab830f7fe3881ed94df00b4e1422b4ddca83726aa683865814fdb0a5d1a5f0c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEcEcsgs.bat

Filesize
4B

MD5
065b8ff64fea5273ce9c5f44da0970c8

SHA1
4a1b47f0ca54c97942e5a0d2153c43726ba2cc5c

SHA256
fa4063bfe888bef0adcb8533bb8a9d18255677782a11c09692b664bc3c19fd0d

SHA512
c5aa9bbd05e213a2c3e95ea65e62c32d8d2dd7690cbfaa92ee2d6c448d0535b1445b64fcb24fe1beea4689a3075fdf374e52ff05f216523aaedfd6f8a8aab2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgUwgcgU.bat

Filesize
4B

MD5
5d3f918d41461c4c94cd0cc26ab1b18d

SHA1
cdbec446844656597a7e1763c5f5391efa058ed3

SHA256
abdd25c1e603746dbe89877df7777af39753f5fe69f017092bcc8f61242062f3

SHA512
8ab54b61e0710fb348e7decf5013e063063f3aa64cee09a29d38e26a6464c4d2c0ba486bdfb0820063ccf6f2ee71925b071c8579c89b38c901e2bf58904ef32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooQ.exe

Filesize
236KB

MD5
39d1264fdb264bee8fdbf5d1b0dab23a

SHA1
f1662b4aed0d16a253b2d6ad9b231d5322002640

SHA256
1378b5068aab79be93a389ed98941d48ba42201e0727094d1c63d6928d512852

SHA512
8435042c09f316180c3020036187e2aec84ce4ef7878d2c73ff2eb9c14b753a87a0e5624f3b69afee8b8d3a7f08b530c2a09ea79c8b4763a35c6465a70fcee80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecAs.exe

Filesize
157KB

MD5
b6fe4cd81c319c63b97da333acea0237

SHA1
0ed59df35d3bb78e508234394baf87304ed7f1f8

SHA256
0e9915cd805e6dbc14b0cc6c1809566b76d6e59c2ddbe6dbac332fa2942dd1c1

SHA512
5e80aaad3161360925c5684b2c492dc3e25b7e5207f45d0785549382ef3fe4d6fdead8b1844537aca1a25a2de9e0975e5d53a4aa5d9f02ae044a48bb40473e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\egca.exe

Filesize
159KB

MD5
15a46b55e67836ff82eecebe875f3588

SHA1
85acaa54598c482f65854d416b3a2e20059505c7

SHA256
896da40a29c50b253048e5a377cd8129a3a23f05448c67f301841e95f33ecb75

SHA512
b18f5ad06de0e16b507e323430677e34c2f96119144a648e3074a2589b8a42773215f3b8a6c9f13b74dcfaa2a6ed5b399bf53947be319595c43c3e3e816097ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEwkIYgA.bat

Filesize
4B

MD5
c25b7e44f2debc4e0e4d0868f1d8d8aa

SHA1
678ec5e86c6728ff0a1c3282530f055588b38eb2

SHA256
6c214c6a3a4ef84e55af091aa633bede3ee43ab889a0adcde91cb0030a86c4de

SHA512
01bccdae38f2db4daaf63e0e98074219ff2ce9aebcd508240b9103f95c61066b186124617421db4e204cb0471326efac2dbdbf60ff6f4591600469b9ecaa55a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIoQQsgQ.bat

Filesize
4B

MD5
2c02580d321beaf10ad08188f2be8e5d

SHA1
27b9f07acbf59f9ffaca088d5a314c282daea06b

SHA256
4d6be6e78403c616d6afbd4ddd7bec7d138686962d5f7e7c227f40522d6bc4d9

SHA512
76626c9dbba6d982d35a336bfca784cc43b9e298add61f1e39c84ca0de5f2f624079b8e131c924c60aa213bbd8b8d5103fc8ab557f467e0fe16fa9712964ce58

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsEIMMUE.bat

Filesize
4B

MD5
8d04222a6f196ab71077daaef646600f

SHA1
e1618f9373349b63e2be19855f4d1b8189e0ef7a

SHA256
06dcd966121164e33d1fdecb435d7305ea0b5824b57cc40a18950c41077eb8ba

SHA512
4f7a14d127b1a59ebb90448270be66db8d99c9729234e31cbb019edaff4aa25a361f0467d449f750863a5320b57a888428b934a440d73712f7e1e764cacbcccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMc.exe

Filesize
157KB

MD5
8dfbf1a2776c162fc812dff22b73ac67

SHA1
9346edf61e5830daecfa10059fda4590d2692376

SHA256
94632f7bd16e097ce5562e8d8a65c5aea7579ff1d5159bd9597d83f7c90a3fbb

SHA512
529a941381b1c1797556fb709eb8538ef2101d5829c94b6bb553033edeb14e86ca0657f54eb2b7aa4205e6fda45c488f7c7dc34f223500e5721004e279c0ef1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gegYcMoE.bat

Filesize
4B

MD5
1ed5a300c6b6d3e5a4c697d69b78b50a

SHA1
a3bdc10476c0fff648870016d855715b758b8abd

SHA256
f5efafa4781ea1c0c8c8235cc404f6456a11444d46cc27695e13ed05b2df2f6d

SHA512
1d29a41784ecf1ac7ae77aaec533df71f8b947eb35941865c99fd623d1eb011b8db8d2316a90a6fc42b26198a64e6c94aed766d17f3777d5fa4a05b4de120c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcq.exe

Filesize
870KB

MD5
b398ee73847a934ec88f156a3922071b

SHA1
e6663480f30a4b61a931b6538b168826be166b05

SHA256
e6bf1893835362fa148960796608e9596218516d9051a0ed41382a026200ab1c

SHA512
dcc861c1b17b26459b551e23dfe0f382744d5e23ee3ec0451d6fb95870495cbbc72e3a4349cd336750458a66fcea57ed3d2b1eb2b4631c3238120bcaa76855fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAo.exe

Filesize
159KB

MD5
4f9fff982601f5dc6dc63a0b4d635f06

SHA1
cfa89f5611723d259d336a6c2f991020c41c382f

SHA256
b1394788c52a660828a01fd4962c21bd5e8079888e2b4c099fe3b8ddb60ead5c

SHA512
762ad883e832d55417327dc91634279bb2f6a9ce99c3e15947cf8461c845942c3459c3df047eb4a2e014904f1d90a1c8f4637da254cd6c827d137815cc7e22a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssm.exe

Filesize
139KB

MD5
3835cc85fa968fb82d75855a0400e30a

SHA1
bbf49f36080c05da2b469afea6bebe080c6321ab

SHA256
af1c3813fe93ad0fe2b809fd52a6d9d04b1d0e3f02f16550aa10984c3628bad1

SHA512
3270fb2f5357387d312545b425173e8e6013ece0a0c1c08eea06022574b26f3789f5b5ad4bc3ebde4687eb7031d7ae8d9f6d08b17982b4137988ed938983a60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hCckYEQo.bat

Filesize
4B

MD5
8e595742cf5886383bc5c7229b3533db

SHA1
00094d15730cc1504c7e3f5d8b85770afca6438e

SHA256
a2c374eb8a1634a3b19639c34835629515063649cd528ac4a3e2eabbb1ff57f0

SHA512
5c56bd68b00642a030eccf95811a6477088429c3add943503898b9deab303484089ed8b725e857470f8b682516f0373c8d13936ff9d0ff43cb4b50ea8a68f387

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSYEEkUA.bat

Filesize
4B

MD5
6b7211a168b17642189eee480778cd0f

SHA1
4679edb26d3e7d2b235d3785df690b5889b85b36

SHA256
33b0c71f18efa4107edfb1dcadab7330328e8cafcaea91c83e5ee94abe43ecb2

SHA512
805b5b0d2ff4c43541a592296776189b66a05ac4fccb1d2d5eed735789588804188dfe9dfc1c318ab413061c058d8b881395ad8f00d616a1607ff479c7d1b412

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEME.exe

Filesize
566KB

MD5
a8e1ce16b26ffcac51395d8f38f44043

SHA1
89943ddd13dd984a38187231e90b5084ddd6537a

SHA256
5adc787d466277b2621323770f4702a9fd0ef57d9e6c3d26959f4b73b8134517

SHA512
bc92d22ec6afbf9154186e90aa73bcd9bc14665e3207e2600ddce1d07ec3aa1c5bc22a0b4ce12b0a087f2f80627a8e6010d325c0806b4f6c8bff7a9be502f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsu.exe

Filesize
466KB

MD5
760bd06bc109960ad19fe3fd2184fdcc

SHA1
8a316facc5d6e7b7c903f84fc4692e26940134a7

SHA256
241ccf7153cec77e02f8af631e6442cec317cb2df7b2d49b48a417f3fa68bc8f

SHA512
ce6b15ed6c6c8992377c527897ddb1fcf0ca05e2ab3c07fc2586ffce452d961d9b0810df9201c2b2a8fc74637e631bb4f11e1bfe898ec7b484bdd78aa70bff2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMMA.exe

Filesize
158KB

MD5
5eed334bb910dfdeeb2b8deddca7fbd0

SHA1
9c45cd70f59f0767b271d35e9e2bca0e7c781027

SHA256
c6cff045d8947f38316d59e19e5fc0a7a8b127cb0db75b21e31f16e9f9102e28

SHA512
ebedef25a20430eb89fca6a6217a538a257d247ed0d1228b2bc5cc5561df5dfbc308f4c07c46bd428183b3f5fee604661e6ce128bf24867834c777c3b0480cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMYs.exe

Filesize
744KB

MD5
7df768c6f8641d2b867b7bc0d8957bc2

SHA1
b016eedecc67bb029bfcbe5170bf21258e4489eb

SHA256
a93e070711cb828622cd93730e6b21184bdbd1b502f43edcdff068c8befec838

SHA512
e8572392efe41b2ddc4a3eb34dc3253b9b82bab4d6578d6cb9369826d5c021a9236f1027ad51273a85680a8a2e944dff99e7e4a47cff0dbe85f3f410593aa926

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQAw.exe

Filesize
158KB

MD5
6ab72a5defedfbe9651c4c872e511a3b

SHA1
5ea802abb92c404c9c5236e717d144f1dc91c4a3

SHA256
172b23f25eefdb84efa8ec0cf8e9b7a7b1499b90c55cbcd9953816128cda9245

SHA512
c01272ed9886217e90822da06c3b0e50d14c503c97581c6462dca6f952721825131d0a5eb9324a736289d30717be68426498c8086ea773c0cedcf0859cb10dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQow.exe

Filesize
159KB

MD5
bdf585aad9428200bb350ca19292f63b

SHA1
546c411233ce2b977e9938a6ae90f07cded0bc5b

SHA256
7c50c3675921a34b57d213f3b874e5ec3ef03a43cc1b1b1c494da38851da4b5f

SHA512
86d0ffab511c9e6b92ccb7ad4e73f009a6ec9d7e2d94c71d99a03b40415378a519fe87b9c6fd9a4a0cec648c9aa630be0d8e25277cf3ba330c79ebfb6bbf198d

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsO.exe

Filesize
867KB

MD5
f6a464d345428d7c908ab61c72755574

SHA1
9fd359517063b337438c474d4059c8ed49f788aa

SHA256
4856aace8385350bf9f8b3dc3fe80293f654a0f5dfa24126735b8e4063f6f1a3

SHA512
24029912d449881f584bddff5289723dbf2ce8714cacb9a6c7e93b5cd191674732ee473c8acf81e4c11b16b69ecffd8b6c52c4d7dff33ca35dfcdcd3eb811581

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyEYAgcM.bat

Filesize
4B

MD5
0eb7c8634aaeb5e64731d4023d7e741f

SHA1
f45f7817cb10439430aa0dda4cc7c2da222395db

SHA256
ffc2622f2869c82259e0a75d132b7da282e23a34dc17aeafffbf8ccb7a973e4a

SHA512
14a74c2ae48053c2e31ea94f2dbc9152bb3f24ea895800bb24f991af109f15e3eb92fd3691d1a113859c192fc3b115c152523e8c5f81cefa6e5b9c0ed8599614

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmwQQkQc.bat

Filesize
4B

MD5
212c08e0797b040ebe27665bcb9ad005

SHA1
5587fa53ff7965de89de896448b12e4f31a7c0e9

SHA256
72eade09446fd5e61fd744c7197ebdc6417d7f97cc3ec8a30893d97a320b5a8d

SHA512
fee267d84563fbec9935ea9e95f9461978865046a7dcf54bfb4346de42ebe2945aa46d70865ab29123077f5e70a622b5289af2b1f93d2bb57d251f9e65f64b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQi.exe

Filesize
159KB

MD5
833a613c5b102c47d8acc775b820fd8a

SHA1
8ce90afc4b274b22f71e23db85db805023e3419c

SHA256
ad8bc25ffa93ec7c97cb169d8d71d3ec6108e2ad63f2477a14d327e33a19f3ba

SHA512
0fee4b18000c4863032d09e2afc6a05b2d6e2f9ea5b7c7b200bd9af5bfcba6875809015e4750971806434e44f3c98e3c21ccb8f668b47ba513a3cfc2f36402ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEca.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIQa.exe

Filesize
159KB

MD5
348319194e215703a18bc05a0201e2b8

SHA1
cd64687955d4603ab9ce46fb8bfede7fc2218599

SHA256
45af407ad5d805e8fadca6fc63e04802ce32204261a23c6e89c6b6f437383480

SHA512
1fe93876969141efd9c25c3022bc037f35b345fce4e92bc989169facb273bd855e855187e66707e888a0d8363d40d2d603f16c6046198ece3922823f92f08ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIko.exe

Filesize
159KB

MD5
ad4a1f8291497f418db43c9d90d87161

SHA1
08b6c504064de0c79bc7b3b74656abff8413f7b9

SHA256
7d68d25f3943670a9eecc33b0f3114890236914c1d49db6cd27a0e6e82a749c9

SHA512
1157ce0e4d7c135e75e7954e246c16066dcedd5918c35e138be28c436297456d993d557f1901e00c6805cae7d1afd57d1ee544d25b0d1b175a56f33b22235dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMwQ.exe

Filesize
158KB

MD5
439acc8e85e1574fe4f77a60837ebeeb

SHA1
779590e19395355fcc378306e414cc8a5cf68f56

SHA256
1ef92c56dac3d08a6513704cf662656786742a96a2dcbbfe2f5468eb1f9e9b42

SHA512
df326ed891ea67a524c3acc4e8e5c2e68373a89ed425eee4e00f10ec097b6f01bde8c494bebe2258fb04dc0f80d341fff6b69602fb1564d09b97c123b42485ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiMMEAIo.bat

Filesize
4B

MD5
853dae9e56ec444e99701e744dcb3009

SHA1
b29cfc1c52da55483a1aa552128eba7e1addda73

SHA256
dec971c53fc8b7a63ef3b838e5627886eae6eee9ca20e34cd08b9d9c7484ec44

SHA512
6e1e918e461f74e306afaaee086061fa1982ff7f87eac2c57bfbc1f7990dfd593068fc8a32430a4815fd994beb3d0e27f15820c47a8c6eba63e570284c1b077d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkIe.exe

Filesize
157KB

MD5
69d3c95ced8e514356cf3a456c051628

SHA1
76603bee8e4706dd64a76d3ab5c2a897b12efceb

SHA256
87320445e26980e3bfa879cb8faab81ae9d727af355983d4951368b1bb8ebd2f

SHA512
460205dccf1ea93df894988d84c45f81d1f31b865d5d28b77670e04083e50e7a2f591cbac16e510d61811c7660ae1d4d3718e5303cf0eabbe0a6a2953b44d16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQA.exe

Filesize
159KB

MD5
e5b3dc2afc1675f9738df49788213563

SHA1
1aaab6fa4ac73515f27984e2039f5915406a6f29

SHA256
4bee737d173a0e5961e137169c39e2a87bddc79019d78083b0b4654c7fe48007

SHA512
c7a8c4ef345f09e7b47def797a4d1b4e0f65aedcb8b2fe505df11f6ac6a34ca63cb337d402d5a5f419e6691e4aced9447f860d51a3d66331aeb9ac6e2d621463

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMwi.exe

Filesize
160KB

MD5
e478ea8969bdb2ef365e2254baff0451

SHA1
b9f7b0acb8b83fb478d1322ae8043c18104927a1

SHA256
cb54ddfabfec6753a357b4a7d4109d25411714f7ceb60125b0a1d2179e304473

SHA512
41a4059d6114ff1e76010d8988366188bb391aeaf09cdf25dc23b402ec99418ca479f196392795017dfafe0e13ca3f2bc9e47e00cffa98a2fc60c12a4e3f1ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUMIIgM.bat

Filesize
4B

MD5
aee560d8e91fdb57ec067e3af6754fce

SHA1
c831e1335512a08bcdd3780be00267df06e90bb2

SHA256
88a7b6559faccfb7c83dab7b3dbcb31c93031b984416e52e6b248927071aed50

SHA512
0ffb06df8cab9729d02baab2304bc752acab08526d8d0ee7d4c7261afdbf46948b822ca0380c5d6f63b0a2ed2fabe63e259438c1f04aa788584ea2242a55e48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgoe.exe

Filesize
158KB

MD5
c6e7f792ac73b38eeafc5d9533bdeadd

SHA1
20c46fd0e057a7b8e87e699078a36de66764e6cc

SHA256
8f475b2fc206ec0f2f563b292026649b27d224c57b7d33ff6412b2b7e914ed4a

SHA512
6704c61224e478d13b77ee9e96fd21abbf1098a23c00bb4ed678c1b7aebbc474a46ec2370f2daad4e1971bfea1fef8d3ea4c90ea1d01391cd0f93223cebb871d

Download Submit
C:\Users\Admin\AppData\Local\Temp\naEoUgUg.bat

Filesize
4B

MD5
414696eee105913864adcb2e3b0ff664

SHA1
f207d39985999b37c1d5f49686fec21131079aa9

SHA256
c6dbe90d1f2aa5a7ae6a245866f53cf1eb0861fbbb671d9f0cd1b9aeed9777a8

SHA512
013576b1fbbe40136497889b6fbb3caaa17e426a29dd226b3314661375101adb56868c9d64d0979fa317045bd636f3378609643601c362a9819f6510e4093f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\oSIcossw.bat

Filesize
4B

MD5
2bc6f7d2cff8e7dfdde4a2c0e0bad087

SHA1
0581a965897c6a9246f9c48cbfcbce8761dc6b6c

SHA256
585967c8d5e09cce9c90224272e8ed0c33b77cd7e6e858ef066d3f3fe5cde722

SHA512
99b73dee38346ebc25f17adfb95b92cc19a4d71b098f753a43fc0af61a4d470e1b2b1cc36f479f91407f75cf78e452666394e94f43a3a5a0df2c174bb3dfa4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUUs.exe

Filesize
160KB

MD5
fe22b5d8963e99c8886b27a3ecfa908a

SHA1
02c7f73e5268bf0ea4d4fdd63b66ff493e4141ad

SHA256
4a1eb0217efef303ddc7777af9dec9a786298a9c5e05ce5e89a057ee6f229eec

SHA512
4ffb3db06c579645b98ae104a0f11b2d53c618ac0d24f0fa4156ad6df76b212bb9f0c72fc8c2998af82177ece29aaf5b44be34f53a2544a0bf71475cdf227e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEc.exe

Filesize
159KB

MD5
06eba1905affc1d2b1275dfea9f807b7

SHA1
7431df3d39b7f806948939ffd44b7c1cf415e8bf

SHA256
73e61c9d275c4f89a86b88273d3dc89268018d4b845226aa72235eb3b0edde50

SHA512
0fd695bf67d291175f73bf4df24ee0153eb739cff57872c252ebeb2d01bc06bf47a03b72bb0d35d317ec6f30617f342cc0b90030017d57827581bdfbc576c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\osMi.exe

Filesize
158KB

MD5
1c17cf379ed2565df0a1e7300e7b4bcb

SHA1
f833c705c5c0ed7667b429acbb8e9a4375640cad

SHA256
e36dc74dfce3b1a457a2f87ecab5f56460e729c52c4dc96170ca6f9cbd72651c

SHA512
2ade8d347f0b2bc2a25f4ce030c6e4174b65bcded55de1184997bd88696cd14c0aef74bf88d1cb9020480be04ba9f910168a966cb58c79e267af104e6e75a87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\owMY.exe

Filesize
158KB

MD5
372dbfa92d69c50c5f148be2cbbd3d01

SHA1
735c6b46321c150459e8c7c2ffe25f1590a44564

SHA256
5d2cf35761ff5ac1fe20b16a94ac20ed9dfcf737e4fd5b2abb830ab0aab6c638

SHA512
d5dccc52902d1e35011184e73f2f2f86a08ce12bb5ad26c1054084fd10871f79e9e316db06bbe817e8bb737c993fe1f9b18ace2bc6018f5c6c4e916e4fc74ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYYkssII.bat

Filesize
4B

MD5
ef4bc7cab4b8d4081e2b497ba60b576a

SHA1
92e5d9797a61ebf3f951d5a797208f0cbd555629

SHA256
06b2aba7c2b09201b2f12174095d773a5b9c2ed07f43eb88a6385a7162a0a040

SHA512
2f8f445f6a592825aa1190fe0a57e9015977492777d9f09b1ca48bbe05b8bab583c73f7d6780bf744e36dd5911bd6d5cc85660dee1e9b994927d7b07aac49f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\poUccgoA.bat

Filesize
4B

MD5
9af89a8ed08d918d6142b6da19593ccd

SHA1
74949132900151c50ff513b5ead5ca763a6c6d67

SHA256
bbd23cc26b943452c844e64507c3114685b0cb2a0b02f17f0169578f09b5c12c

SHA512
7e8c65c60c425d701c7af34ea2e37ad5f7424b411f710004f05b9fd49951babb7e90c0623eebc804dae5f0754acd29f30243f5c4e471912b4dbeb38f1ca0531c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqAUMgQw.bat

Filesize
4B

MD5
a9704ca45b2c0b8bfc35a30b793bb081

SHA1
ed459cb85b7bf904ee36234e7c109c3ba12e94b0

SHA256
b14ac758efb0c26fdf5fde557821420202a42b9ce6f0b4a1ac079c8d0f09cedb

SHA512
6cc98a3e7d2de04eaf3629a5a0b1ebae3a2b843230bd6152e1e8705147762fd80f13eb48c477627e48b3143ccb1d8b31ef00fd0a9de13407b5acc7ca49c38904

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAcq.exe

Filesize
4.7MB

MD5
9c068494fa65543ade8aba8813c1b552

SHA1
bcc8df45ed66faa61b805dd73ce2567397a445ae

SHA256
89c4366a3dc8b70f619a03905b9bef7f7242bb99cf6946937f296d93f4d1e56b

SHA512
b3f7a7fc2abc48f204536099a312a2a90a0ad6350399605ef1179ef2b5e3eb7249a05b904589c685546ffc682434e0d463aea2b40594a913f1024c16bc21c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMoA.exe

Filesize
715KB

MD5
78dbb8044ffea202b171bd4e562ee1d7

SHA1
ccea7cd09635b76502ff208c429ef557d66ce6ad

SHA256
5a7f82bfe00aef07792fb34c867b5467814041abd2928a71d4cf3e753fa72375

SHA512
58db6c56f06f1146fdad5f0f23708902c25cc9f67e3723c26994775eabbc6e16093aa53b185d4eb1d122333ee06db7436e4eb80a72f094c58732db34b0a1aa8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYEy.exe

Filesize
158KB

MD5
b3744eb87878bd6894d48ad8e034cd93

SHA1
e99603e7ec5fc4f1230e2ca806599478078ece62

SHA256
dce185d9bed8bdce8f45ec82ca5c6a249e5bad82597b74c0de9f194fa5d51873

SHA512
140f55128b492f85e546947374929fc9942df89c5c60f82190c268bacfae2cd024e820fd210990b57ed5fe1f5a71c6f8309d6253edb83760e2d972d224d65c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYoI.exe

Filesize
158KB

MD5
11449fe292c8117e09b11695940f6c01

SHA1
4ea2467538157594fd4f034ac7daed11d8f7c41a

SHA256
cc0eb51325b225d11d973494990a5dee69572ac233302717417b5e75b67f179f

SHA512
77593192ae07d25df66622e2341e1afb7ed09a1dfcbddf2027be4bc2e3980bbeea8cb9dec39cc2b3d052031768d295593e9ec849ea6c9d2359b046ef9cc7ce99

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgsG.exe

Filesize
158KB

MD5
0558322cbd2347fcd3f97395361f8161

SHA1
61b3204e22a593ae1d67af02e0d0585448db7102

SHA256
ab8647a1cc999d7bbb043a4f05f048630592eb9b8430b1a0763713a2a2647c6c

SHA512
9e5bde80027cf6fb8ff371acf0eb2d5a97df1fb30c25c9b6bf69d300d940a29701997d14113e592704dc011810498227b158ea61136e77593d7a7dcd1009ee28

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkAU.exe

Filesize
138KB

MD5
307a391f7c83998a12914d95c7fd0b18

SHA1
68c21bb1a00d8e64a0f618744c504a2b7fec53c4

SHA256
a98f0ef1ee7fb1171acb429677aa9e5189e6fc4141b3bb652f18777be5385824

SHA512
e28692db8a6d9e33fcb47b1651ac8a818294ec9cae8675751de5c4909fd533866b0906c400ad192ec0a007884e6aa0cb9fdfa36112ad548caaa8f272fa343902

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEkQMAoc.bat

Filesize
4B

MD5
20c09dee447f2dd26f8c1e8b2ca30882

SHA1
e4ccc19f01f786691882c0ffed03e9ce383e5829

SHA256
99bebb9a7085a3c431440b6a56157590ed2f5ab435acd89eeb65842ef5fde9b7

SHA512
70de63f29fa433d5afff7b8797aef407f692334cce7940b4714f552623edf0ff51076ba517f9c1daebcb1de07fd157c3bf4301c20ac612086ebdc6ea34cac9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rKEoQIEk.bat

Filesize
4B

MD5
f92d70975ef8dc57b8e3a97e4a14f2f3

SHA1
e8acfe334491e7571540f10661d489221c343d4c

SHA256
257935dc84877fd8dbe5570547769294759287ce8eec174f2fbbd0c3b0846ff4

SHA512
db5a30f85a01c28a3b5a9120c611b2a33870b81407eca22933ec648d8ebfa507fc4ac9e2e50eb57dc0f2359bd2cec20262a6227b292a59d7357542910ce7a8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMAoAwMw.bat

Filesize
4B

MD5
c12a0667e2e0b916eab0f64c41d21d27

SHA1
4da37a9eac411bd92e0bf4c7de493fd0eabf9f11

SHA256
854d855faaf8fb701bca9319f544bc4ec9a8f12172f7823f9662a7ebd66b6594

SHA512
21974ee8d2d8481514595712129b58f4420c17ccf907eca6de63345784e5a34299c2ef885a57532ba514c90b51d1ef7df424053627900e045303322d07538dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwK.exe

Filesize
157KB

MD5
f3e095d4966876f4e6e1f20f8f96c371

SHA1
0840f34263261f685ffc5c9e181de79162e295ad

SHA256
057f56cf76cb070cda4264b965f4dc63d89955182eefcd9dfd2907357f9ffd69

SHA512
32520127f7502b3a03419eae0dbc902b2cf66dc0e4a5543dd30d5a3d93318a2318021f5cd6ea0ac11ba239ef7c8f303de3d3c6cbcd17fcedc7e7906fcf54a305

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWccAMEw.bat

Filesize
4B

MD5
dcf5433316f0b8faee48cb7561c915fa

SHA1
b095d24e7d39ec17477dce1b174dd50c72452c5a

SHA256
918be0b3ea607bfaebe2e71c420671cd2fbe7684b073e51f6837b7982723c5ca

SHA512
b8af12aee32a5d92073adbf379e3a47482af07741ca6e3dc504325ad33f38cd72705dc766a3a48c1c3b8ffbe883415b369b1f6fb741024d4be7c5f2a579e7121

Download Submit
C:\Users\Admin\AppData\Local\Temp\skoe.exe

Filesize
937KB

MD5
13f3a9868a10abcb98d9edcfe54e674c

SHA1
d9e300b4c177f6020cf1e47057645f51c0f85429

SHA256
a55638df584846855a8a64d3517546926f3da439602340a78b5fb08fc04f8b7c

SHA512
d5ea8555a89f60367b4689ecff9548bd79dd4b8232ebddd28ae64c9306739fde607f0e5200f06ddf183e6d7da68c1bf4008b7d5938f7ad432354f5faa5f668d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEw.exe

Filesize
158KB

MD5
435d4fd2548f308e9dbaafda9165d2c3

SHA1
eeef529f5516d79c0a03a74a8acc1dd334222e7c

SHA256
c7f02f43866971711a368bba716b60fe9babf5bbe168f9842a046139a3e89d1b

SHA512
169294631119bb5f4002ffc07d12f7b3d832d3d9322988d29f14436344fbc73ce9d7bd3a9ae4d858e6dff4d3088e5f7b0bf9f05a12501d9d141a3eb4f1bdf902

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYQAEgoY.bat

Filesize
4B

MD5
ffe80f93350364198d9f882f5e3af98d

SHA1
be0a18e4c10efa8ee3328c6ad66b5583806da383

SHA256
4c3764ffcf03645b4f19c765e35a5cbc0a726b0d0fd5dc613f3b22135eacc396

SHA512
236e012d65a57d5d00dc3269d6ed93531b1d60bfe978299672c07d92d020e3d72487d3abc25222d5c36d0b5285ada11be14098daa263ae88fc3d9c7d27007ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAsU.exe

Filesize
157KB

MD5
6131e6b91a05ea2e19549df3e7ada00a

SHA1
b5fcfffc60c59e3801e3027600537c0f13fee7db

SHA256
9b08d83a0e65bfcf8fa47b1be12f8f6ca47c13650ad3b63176b6fb773963fa66

SHA512
68bf3b6eafc52decaaaf7c859d3fdaa3d8bfecc88ef12c3b2608178ef0d5bade2c668d7615a3c1ffd98f00dfa0dd3ff9aebf2924bd89df0d0f68e27e8a3d4733

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYwC.exe

Filesize
160KB

MD5
7d301dbb03d35c248d89b1bc92c89fc4

SHA1
6a33d3e578e0eff423bc345f7112675751b4b97c

SHA256
1ea7cb1a39c57c8df22a5049fb32d982dff6ce2430ddf2a2fdeb7698e3c706b6

SHA512
0ef982cad26151924dc621a6553a16947b0111a784205e0970ce90540501b8fc952b2bb9b02d80dad9ba62128464c7ebf69163307236f61b7bbf20985729f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucIk.exe

Filesize
150KB

MD5
6bb0ae9cff522af2c3caab4b7b1d2bc6

SHA1
7f35667c657b5e20f7ffb8e780a7fcf9cc31b432

SHA256
7781c0215226797b16bb9c01cdfabc829a06c44bf4b80cbe17db145e7ac9741e

SHA512
e508b3fb87d74962497548f1e8ece90682292621032ca2fb1e630e7962324fa0ac9d19aee1dffe13d3c059ea7ede639042649fe9e03af649d0e452c88bd50629

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEUskMAc.bat

Filesize
4B

MD5
c23c7372581d295a353797604ebd83d2

SHA1
b8dc1e04fede5ff05c06d6a861f43e6ce73ebbd1

SHA256
eacd0abfeb423fc94cff01d7a3183119071ec355ffa2f520634917a8e61734eb

SHA512
a96e675f1eb155946f53b65033f7392f7ae3f487565241914237f8859337ce14417b7bfb09cec089f86798f206c7ec3c00cbda6e0e5cae9b5c0f2e3eabbd1a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaogssgM.bat

Filesize
4B

MD5
216df0ab3a74104e38b6879c26759a7d

SHA1
301c187817c74973f0131bce06009419ad431c58

SHA256
41456caac73511b37bc1a1f67413e9ddd436c7e86608bb93c3e22141ee52e6ee

SHA512
d2fa1087dad7e87139a0ff05dfb2239eb434b9fd8888c4ce9e51931889edc61a4200e45f933492e71c500c224ba9288bed891d5f521eade6341b29d05028a4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIUC.exe

Filesize
4.0MB

MD5
3aff1f163db89999f89bad48b39e73e2

SHA1
192e600670ded58944001e85275b66078fef1545

SHA256
fed7a1ef0bdb2cfad84b2c43eac75026ae6c730d9d3b4a09a0fd3dba96ccdb4e

SHA512
ccbd8a251a035efa141c83aaa73eb3a9e8d52e7735e95e9f45db3525bbfebea6b7314ff879b1acdc0dc3f64168928d035c5561e78b5eb6a7df683eb9e3333064

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMi.exe

Filesize
157KB

MD5
f399f232273e8d036d4f4ed53a6614ad

SHA1
76f5dcd989f79cb0b2db73222780bb9c3df70b48

SHA256
c669ffe5f12b45c5f102d2b2c016f53500ba1bdcead34203495a0127132f2e69

SHA512
1390f9bb9f4edcbdec6148bf2e21eb14d22fa5a430436f12b884dceb2116cc2397fd6b4a6a3bc6ad39089c8f98c0b20258e33a8f35596ccd338bf0b908ab5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQck.exe

Filesize
352KB

MD5
0db3bfaa97376e0c513a80eef4fc6893

SHA1
809850f7bd57582ec62611458621a33ada3ee826

SHA256
7617d03ce1ccc743fe9ab297ac5d817f9b623e78a5d82af386e76092bf8471a3

SHA512
3baa2ebd493dd8a6e9861eeb8d1cea1a69080cab13f05951177e846860a1177c9ba22b2c4960eacc8a80a1716c10aed5116a070a34279d1e8d137924bb896437

Download Submit
C:\Users\Admin\AppData\Local\Temp\waEYIcMA.bat

Filesize
4B

MD5
a410eda3738fc93d6ac6e9f873efda7e

SHA1
207ea6603ba548eee9d46465bdba5ca77ac7fcc5

SHA256
ca1e50f6cc90b801adf2e72fc760ff67ecdb9610b070441c72f3d134fcd2f655

SHA512
ed2588a3be16a91b466cbc65129910446a640d1a794085365e95ba6865e0354645cf69c518330ed143961acc1f4705d112314ea8309506c73b7e06e9befdcb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAEo.exe

Filesize
158KB

MD5
c5be9706b826e7b4e49b4c197aebae12

SHA1
74eb1822c0c2de9e7a1c2dd020c44a5b8f254f4f

SHA256
83ab2c72bebfe4057dbbd7150f9fed3cc623969e0cf4fa5272c07bdcf9f7b66f

SHA512
d7c47743c7e89515045670309a92d27d18fae9ff9f00988b5ff0233b27b94b2a7b9dfc75ab26b617fef043d57d4522e4b00a27db2c8b733efac9d73e47df7524

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoAYYgM.bat

Filesize
4B

MD5
b212a68fd164553ef0579dd4ab062bb7

SHA1
4ce7ceca5affe1009353844ac6c3f88cd00911f0

SHA256
f8953cc327b7fbeee99a33650e9b2dd78b6e9d8ea2f01bd46d35a17a780ff16a

SHA512
65af449526b815f37460c6453e6a148ec8780911b90f482636086a486fc2ce14bd5690ca93cb4acd30e4431ca2ceae4d030e1dfb5bda1e2e7b90158d600b3cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEUi.exe

Filesize
1.2MB

MD5
a06964a5d6df1a7ef35c6d872df00ae1

SHA1
68645e0e9b67a156214d77dccb5bd1dfbab1585d

SHA256
956fea05807a2b5d91180440fae495c0f70b53d63f983fb8c236212d9b2e9d3b

SHA512
4dfeb80c3dacd587be2979f9b9a7eccdb87ed3b1da13d40c802b5b50cfc5ce8ef4e36758735d98230be0cc59f93866d8e1865671a355c0e92a531e717730b2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAs.exe

Filesize
414KB

MD5
24386b21788eb435db288ae892809b91

SHA1
2cbe07d506d8c07918408d0031885cd87bc42f5a

SHA256
d9a7c35208f24c149ac4c83179707e9572b1a4396f389da501b7e97a9c5a1a34

SHA512
00bc74fe3064ee6370f963ec40e3db7ec824440a510268b1d6a67d3d46931d0646825086f0f9d0d1baa649cb78bdc9c8cfddec208be54ff7c56c70f0539f80d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMYa.exe

Filesize
158KB

MD5
85b46b90e61a6c48d0d2f563dad200f6

SHA1
34848a559f9826ec735a56eae01d287aa091ad19

SHA256
8f5e5c7a433a4d6ea5a1e7307ad49d183aa286958cf12ec96aa85ed49f7436a0

SHA512
461855c2f333e8b8a64de756a2523bec87c06269e9225153a7d33caa3b6a851f61af167047709262dd72d0ce36fa205f5c14f8c3682f748d800c546b2ce34ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYEYsUkI.bat

Filesize
4B

MD5
cc93fe6d7cf8d84eb3425024d0636a0d

SHA1
c35db868870a7adbbdfed63f76aa9d9cd2ab5ca1

SHA256
f3e1a83b812f57d97535b8082b3598400aba864ebb382ccefdb33027c3a1648b

SHA512
baba7e4275e763366f5453a7aac3e4e5d16c22349c45b68c206e0272e150fd64e3188b43a564b8fe7fb1e45326fc1f7efa7eaadde7fe7018ce5b2fedfe1f9967

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcAIYQA.bat

Filesize
4B

MD5
0f72f2d9f7955ce05bd20f8f0382744c

SHA1
b6f10ca46d889f8ec8a639e0dfb13b4fe9f8ba3a

SHA256
caf7d94e07b39417e5fe488a79e7b80061588f02539668f40504050408eb7080

SHA512
7c3c226a84a5541de9f75839b51144bbad1776b5f790be4efc532a70c3144dc7d1ff14d931359ba18856aa36f32978d9deb8f21aae787bcefd14400382d7c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQi.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysEE.exe

Filesize
159KB

MD5
8c7e965f181a1acb88924dcc7672ba7a

SHA1
c677e147580afd77928a2f2a81f8287f2e3fe531

SHA256
f929a51786f1f8ef8ab16ddcd34f422f9786852be55b64e79f6793e2ee9f17c4

SHA512
3f72e688d15504430b7b754d0e9ac9bffae4b618beb64efee1e0a9ae9172ebdef53ff15824fd93143f077a5588d04a7ad0085283225c691909362ca0154a7f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMu.exe

Filesize
157KB

MD5
d2cf30afb084c61abe235b084255f9a6

SHA1
8233ed9e5c20cd4f10109eef018feed4e74252ec

SHA256
4c018ddbd0015064ab80dba17f3b0c6bab5695fcfbe37f26df4a1e174bd87029

SHA512
0e8417bbef281efc9b135dadf070901d63aac666f3c9b4c39c4badae379d5e262d8082b25c766799cabfec7e357cff47489615bcc45ba063e773be56a39b2f10

Download Submit
C:\Users\Admin\Pictures\OutPop.bmp.exe

Filesize
956KB

MD5
58598942506db886470cd06ff138b740

SHA1
618102af5f08c2019593324f220bf58470d94226

SHA256
4c1ad840d5da93218c5ff57397316748a75b1b47298f5eb01ed976d36c041853

SHA512
1796d85c024263c002cb9627433d549892e1bdb226c957323b5823ce2949bea00b0852cfae857d6a5776c3a786598da672e6da241e2bed307fa90089d167ba28

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\lMEAccwI\GyswIsIg.exe

Filesize
108KB

MD5
209146f707b70e754b43bc2d8a8543b3

SHA1
ce82b76a25bd892ca2428bc38a99f61599652686

SHA256
da1d2150df77013cb15c4aafb0b21c0976e13208ac24358010fd061aa5520cda

SHA512
618d7d5c1ae303afd2c3e93e0d3cff88853ee4e1f27f31e469a0d0bdd58751d93257e0d936a4656bead04c94aa6e95c591e256e99fc7fe0e77794bc45a97ff5f

Download Submit
memory/404-369-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/404-370-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/564-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/564-329-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/876-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/876-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1004-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1004-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1052-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1052-82-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1056-81-0x00000000004E0000-0x000000000050B000-memory.dmp

Filesize
172KB

Download
memory/1200-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1624-331-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-356-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1660-292-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/1660-293-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/1708-244-0x00000000002E0000-0x000000000030B000-memory.dmp

Filesize
172KB

Download
memory/1708-245-0x00000000002E0000-0x000000000030B000-memory.dmp

Filesize
172KB

Download
memory/1908-127-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1956-58-0x0000000000180000-0x00000000001AB000-memory.dmp

Filesize
172KB

Download
memory/1956-371-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1956-57-0x0000000000180000-0x00000000001AB000-memory.dmp

Filesize
172KB

Download
memory/1964-151-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1964-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2052-268-0x00000000001C0000-0x00000000001EB000-memory.dmp

Filesize
172KB

Download
memory/2052-269-0x00000000001C0000-0x00000000001EB000-memory.dmp

Filesize
172KB

Download
memory/2116-150-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/2120-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2120-30-0x00000000003A0000-0x00000000003BD000-memory.dmp

Filesize
116KB

Download
memory/2120-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2120-19-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2120-31-0x00000000003A0000-0x00000000003BD000-memory.dmp

Filesize
116KB

Download
memory/2120-5-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2128-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2128-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2144-104-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/2168-128-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2168-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2220-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2220-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2348-221-0x0000000000140000-0x000000000016B000-memory.dmp

Filesize
172KB

Download
memory/2348-220-0x0000000000140000-0x000000000016B000-memory.dmp

Filesize
172KB

Download
memory/2436-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2436-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2552-173-0x0000000000260000-0x000000000028B000-memory.dmp

Filesize
172KB

Download
memory/2584-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2584-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2656-174-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2656-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2656-345-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2656-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2660-35-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/2660-33-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/2672-330-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2672-318-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2680-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2680-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2740-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2804-393-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-394-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2900-347-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2900-380-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-197-0x0000000000180000-0x00000000001AB000-memory.dmp

Filesize
172KB

Download
memory/2956-196-0x0000000000180000-0x00000000001AB000-memory.dmp

Filesize
172KB

Download